惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
罗磊的独立博客
H
Help Net Security
I
Intezer
G
Google Developers Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Troy Hunt's Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News and Events Feed by Topic
J
Java Code Geeks
S
Security Affairs
T
The Blog of Author Tim Ferriss
Recent Commits to openclaw:main
Recent Commits to openclaw:main
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
The GitHub Blog
The GitHub Blog
F
Full Disclosure
N
News and Events Feed by Topic
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs
腾讯CDC
人人都是产品经理
人人都是产品经理
M
MIT News - Artificial intelligence
Blog — PlanetScale
Blog — PlanetScale
T
Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
MongoDB | Blog
MongoDB | Blog
博客园 - 【当耐特】
L
LINUX DO - 最新话题
Google Online Security Blog
Google Online Security Blog
S
Schneier on Security
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
P
Proofpoint News Feed
Project Zero
Project Zero
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 叶小钗

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
The Money Mule Solution: What Every Scam Has in Common
Conor Hoy · 2026-04-28 · via Recorded Future

Scams have become one of the most damaging and difficult-to-detect ways for criminals to extract funds from victims and financial institutions alike. The Global Anti-Scam Alliance estimated global scam losses reached nearly $450 billion in 2025, but CYBERA Co-founder Claudio Staub puts the real figure closer to $1 trillion, accounting for how significantly scams go unreported.

Unlike card fraud or account takeover, scams, particularly authorized push payment (APP) fraud, don’t require a breach — they require convincing a victim to execute the payment themselves. That distinction matters enormously for how fraud teams are equipped to respond. The specific tactics criminals use are deliberately unstable. From romance scams to fraudulent job offers, the playbook shifts constantly, shaped by what's working, what's been exposed, and what tools are newly available.

Predictably, AI and deepfake technology have made it faster and cheaper to produce convincing scam content at scale, from instantly crafting believable personas to standing up brand impersonation sites in minutes. This has lowered the barrier to entry for creating effective scam operations, raising both the volume and quality of attempts hitting customers.

When asked how AI has changed the nature of scams today, Staub outlined that scammers have become “much more sophisticated in crafting fake emails, going as far as deepfakes where they pretend to be the CEO in a Teams conversation, for example.”

Fraud teams that focus on specific scam variants will always be chasing last year's threat. The question is whether there's a more stable place to intervene.

The most traceable element of any scam isn't the tactic. It's the mule account.

Every scam, regardless of how it's constructed, needs the same thing at the end: somewhere for the money to go. Without that exit point, the scam has no economic payoff.

As Staub explains, “Ultimately, the entire purpose of scamming people is for the criminals to exfiltrate funds. So, they always need to have infrastructure that allows them to cash out these proceeds.”

These bank accounts criminals use to receive and move stolen funds are known as money mules accounts, and they’re recruited through a range of methods. Witting mules are often financially vulnerable individuals, offered a cut of proceeds to receive and forward funds. Unwitting mules are account holders deceived into participating under false pretenses. In both cases, the account typically shows no suspicious activity until it's too late.

That last point is where the detection problem becomes acute. Transaction monitoring and behavioral analysis are built to catch anomalies. Mule accounts are designed to look normal, and they often do, right up until scammed funds arrive and are moved out. By that point, the victim has already lost their money.

The data confirms how persistent this blind spot is.

CYBERA, whose mule intelligence is now available as an add-on to Recorded Future's Payment Fraud Intelligence, collected more than 16,000 confirmed mule accounts across 72 different countries in the second half of 2025.

According to CYBERA’s H2 2025 Mule Intelligence Report, 28% of the accounts they observed across multiple engagements remained active for 30 days or more after they were first identified. In fact, one account appeared in 25 separate engagements between September and December. Critically, this persistence wasn't concentrated at specific institution types or in specific geographies. Long-lifespan accounts appeared across banks of different sizes and geographies. The pattern points to a systemic gap in detection and follow-up, not an isolated failure.

CYBERA’s H2 2025 report also found that regional banking infrastructure shapes where mule accounts land. In Europe, 51% of identified mule accounts sit at neobanks and fintechs, reflecting the low-friction onboarding and fast payment rails those platforms offer. Outside Europe, major banks dominate at 69%, because victims are more likely to send funds to accounts at familiar institutions. Criminals adapt to where detection is weakest and fund movement is fastest.

Catching mule accounts requires a different kind of signal.

Because mule accounts behave normally by design, fraud teams often cannot reliably identify them from transaction history alone. The signal has to come from somewhere else — specifically, from intelligence about the scam operation itself, collected before a payment is ever sent.

CYBERA's approach is to go directly to the source. Their system uses agentic personas to engage with active scammers at scale, extracting confirmed mule account details from those communications before funds are transferred. The accounts are verified through direct engagement, not inferred through probabilistic scoring, and delivered with the evidence trail from the engagement itself.

“We’re not guessing that this could be a scam–we actually know,” said Staub of CYBERA’s approach. “We know that an account detected through our method is used in connection with a scam, and we back it up.”

That distinction matters operationally. A verified mule account, backed by documented scammer communications, gives financial institutions the context to act with confidence, whether that means placing controls on an account their own customer holds or screening an outbound payment before it reaches a known mule.

This is what intelligence-led fraud prevention looks like for scams.

Recorded Future's Payment Fraud Intelligence is built on a core premise: the most valuable fraud signals are the ones that arrive before harm occurs. This means giving customers the most complete view possible of the pre-transaction signals that enable payment fraud.

Payment Fraud Intelligence tracks card compromise from the point of theft to the point of use. It identifies infected and scam merchants before payment data is harvested, monitors dark web carding shops to surface which cards require heightened attention, and analyzes checker services where stolen cards are tested immediately before fraud attempts, giving teams a clear signal of which records are active and likely to be used soon. Money Mule Intelligence extends that same logic into the APP and scam domain.

The regulatory environment is adding urgency. The UK's Payment Systems Regulator now mandates that banks reimburse most APP fraud victims. The US, Canada, and Australia are each developing their own regulatory responses. The direction of travel is clear: institutions will be expected to do more to prevent scam losses, not just absorb them.

Scam tactics will keep changing. The widespread availability of AI tools in the criminal ecosystem guarantees that the volume and quality of social engineering attempts will continue to increase. Fraud teams cannot win by tracking every new variant.

But the infrastructure that makes scams profitable is more stable than the scams themselves. Mule accounts are where the scam economy is most exposed, and where intelligence-led intervention has the most leverage. The institutions best positioned to reduce APP fraud losses are the ones that stop waiting for the transaction signal and start working from confirmed intelligence about where the money is going before it gets there.