惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

MyScale Blog
MyScale Blog
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
N
News and Events Feed by Topic
Recent Announcements
Recent Announcements
D
Docker
M
MIT News - Artificial intelligence
L
LangChain Blog
I
InfoQ
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
P
Proofpoint News Feed
博客园_首页
MongoDB | Blog
MongoDB | Blog
美团技术团队
S
Schneier on Security
G
GRAHAM CLULEY
月光博客
月光博客
有赞技术团队
有赞技术团队
Vercel News
Vercel News
Scott Helme
Scott Helme
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Recorded Future
Recorded Future
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Cloudflare Blog
Attack and Defense Labs
Attack and Defense Labs
Google Online Security Blog
Google Online Security Blog
Simon Willison's Weblog
Simon Willison's Weblog
量子位
S
Security @ Cisco Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
Visual Studio Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
NISL@THU
NISL@THU
N
Netflix TechBlog - Medium
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Spread Privacy
Spread Privacy
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
小众软件
小众软件
罗磊的独立博客
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threatpost
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security Affairs
Cloudbric
Cloudbric
爱范儿
爱范儿
H
Heimdal Security Blog
PCI Perspectives
PCI Perspectives

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
The Money Mule Solution: What Every Scam Has in Common
Conor Hoy · 2026-04-28 · via Recorded Future

Scams have become one of the most damaging and difficult-to-detect ways for criminals to extract funds from victims and financial institutions alike. The Global Anti-Scam Alliance estimated global scam losses reached nearly $450 billion in 2025, but CYBERA Co-founder Claudio Staub puts the real figure closer to $1 trillion, accounting for how significantly scams go unreported.

Unlike card fraud or account takeover, scams, particularly authorized push payment (APP) fraud, don’t require a breach — they require convincing a victim to execute the payment themselves. That distinction matters enormously for how fraud teams are equipped to respond. The specific tactics criminals use are deliberately unstable. From romance scams to fraudulent job offers, the playbook shifts constantly, shaped by what's working, what's been exposed, and what tools are newly available.

Predictably, AI and deepfake technology have made it faster and cheaper to produce convincing scam content at scale, from instantly crafting believable personas to standing up brand impersonation sites in minutes. This has lowered the barrier to entry for creating effective scam operations, raising both the volume and quality of attempts hitting customers.

When asked how AI has changed the nature of scams today, Staub outlined that scammers have become “much more sophisticated in crafting fake emails, going as far as deepfakes where they pretend to be the CEO in a Teams conversation, for example.”

Fraud teams that focus on specific scam variants will always be chasing last year's threat. The question is whether there's a more stable place to intervene.

The most traceable element of any scam isn't the tactic. It's the mule account.

Every scam, regardless of how it's constructed, needs the same thing at the end: somewhere for the money to go. Without that exit point, the scam has no economic payoff.

As Staub explains, “Ultimately, the entire purpose of scamming people is for the criminals to exfiltrate funds. So, they always need to have infrastructure that allows them to cash out these proceeds.”

These bank accounts criminals use to receive and move stolen funds are known as money mules accounts, and they’re recruited through a range of methods. Witting mules are often financially vulnerable individuals, offered a cut of proceeds to receive and forward funds. Unwitting mules are account holders deceived into participating under false pretenses. In both cases, the account typically shows no suspicious activity until it's too late.

That last point is where the detection problem becomes acute. Transaction monitoring and behavioral analysis are built to catch anomalies. Mule accounts are designed to look normal, and they often do, right up until scammed funds arrive and are moved out. By that point, the victim has already lost their money.

The data confirms how persistent this blind spot is.

CYBERA, whose mule intelligence is now available as an add-on to Recorded Future's Payment Fraud Intelligence, collected more than 16,000 confirmed mule accounts across 72 different countries in the second half of 2025.

According to CYBERA’s H2 2025 Mule Intelligence Report, 28% of the accounts they observed across multiple engagements remained active for 30 days or more after they were first identified. In fact, one account appeared in 25 separate engagements between September and December. Critically, this persistence wasn't concentrated at specific institution types or in specific geographies. Long-lifespan accounts appeared across banks of different sizes and geographies. The pattern points to a systemic gap in detection and follow-up, not an isolated failure.

CYBERA’s H2 2025 report also found that regional banking infrastructure shapes where mule accounts land. In Europe, 51% of identified mule accounts sit at neobanks and fintechs, reflecting the low-friction onboarding and fast payment rails those platforms offer. Outside Europe, major banks dominate at 69%, because victims are more likely to send funds to accounts at familiar institutions. Criminals adapt to where detection is weakest and fund movement is fastest.

Catching mule accounts requires a different kind of signal.

Because mule accounts behave normally by design, fraud teams often cannot reliably identify them from transaction history alone. The signal has to come from somewhere else — specifically, from intelligence about the scam operation itself, collected before a payment is ever sent.

CYBERA's approach is to go directly to the source. Their system uses agentic personas to engage with active scammers at scale, extracting confirmed mule account details from those communications before funds are transferred. The accounts are verified through direct engagement, not inferred through probabilistic scoring, and delivered with the evidence trail from the engagement itself.

“We’re not guessing that this could be a scam–we actually know,” said Staub of CYBERA’s approach. “We know that an account detected through our method is used in connection with a scam, and we back it up.”

That distinction matters operationally. A verified mule account, backed by documented scammer communications, gives financial institutions the context to act with confidence, whether that means placing controls on an account their own customer holds or screening an outbound payment before it reaches a known mule.

This is what intelligence-led fraud prevention looks like for scams.

Recorded Future's Payment Fraud Intelligence is built on a core premise: the most valuable fraud signals are the ones that arrive before harm occurs. This means giving customers the most complete view possible of the pre-transaction signals that enable payment fraud.

Payment Fraud Intelligence tracks card compromise from the point of theft to the point of use. It identifies infected and scam merchants before payment data is harvested, monitors dark web carding shops to surface which cards require heightened attention, and analyzes checker services where stolen cards are tested immediately before fraud attempts, giving teams a clear signal of which records are active and likely to be used soon. Money Mule Intelligence extends that same logic into the APP and scam domain.

The regulatory environment is adding urgency. The UK's Payment Systems Regulator now mandates that banks reimburse most APP fraud victims. The US, Canada, and Australia are each developing their own regulatory responses. The direction of travel is clear: institutions will be expected to do more to prevent scam losses, not just absorb them.

Scam tactics will keep changing. The widespread availability of AI tools in the criminal ecosystem guarantees that the volume and quality of social engineering attempts will continue to increase. Fraud teams cannot win by tracking every new variant.

But the infrastructure that makes scams profitable is more stable than the scams themselves. Mule accounts are where the scam economy is most exposed, and where intelligence-led intervention has the most leverage. The institutions best positioned to reduce APP fraud losses are the ones that stop waiting for the transaction signal and start working from confirmed intelligence about where the money is going before it gets there.