Acoru : Jul 2, 2026 9:58:22 AM
Most fraud prevention systems fire when the money moves. By then, the trajectory that led to the transfer has been building for weeks. The customer about to hit send has been drifting, being coached, or preparing an account the whole time. The transaction monitor saw none of it.
Fraud plays out as a lifecycle. Prevention that only fires at the last stage documents losses. It does not stop them. Under Nacha Phase 2 (effective June 22, 2026), UK PSR 50/50 liability and PS23/4, every receiving bank now carries account-level obligations that transaction scoring alone cannot meet.
Financial loss is the last chapter of a longer story. Risk develops earlier, evolves through gradual shifts in account activity and counterparty exposure, and only becomes visible when the money moves. Four stages carry the arc.
For genuine customers, the start of a relationship. For fraud actors and recruited intermediaries, the start of positioning. Onboarding surfaces early signals (identity-verification friction, unusual device patterns, timing anomalies, cross-channel inconsistencies) that set the baseline for how subsequent activity should be interpreted.
Legitimate customers develop stable rhythms. When those rhythms shift (more new beneficiaries, expanding transfer networks, shortening intervals between interactions), that movement matters. No single change is fraud. Together, they show direction: organic growth or grooming.
A customer starts acting under a third party's instructions. A previously neutral account begins facilitating transfers for others. These transitions rarely happen abruptly. They arrive as sequences of new contacts, altered communication patterns, and expanding payment relationships.
Large transfers. Structured dispersal. Rapid outbound movement. This is where traditional controls activate, and where every earlier stage would have been cheaper to act on.
Transaction monitoring is designed to answer a narrow but important question: does this specific payment carry elevated risk right now? Necessary work. It stops measurable loss every day. It is also a fraction of the risk picture.
Many modern fraud patterns develop gradually across other parts of the customer journey.
A groomed victim may show incremental increases in transfer frequency over weeks. A mule account may begin with low-value inbound transfers before consolidating larger sums. A compromised customer may exhibit subtle account drift that remains statistically plausible when viewed transaction by transaction.
Nacha calls this category False Pretenses. Business side: BEC, vendor impersonation, payroll redirection. Consumer side: romance, investment, and impersonation scams. In every case, the customer authorizes the payment. It looks normal at the transaction layer. The signal lives in the receiving account.
The right question shifts from "Is this payment suspicious?" to "What risk state is this account operating in?"
Acoru's Continuous Account Intelligence answers the second question. The Large Account Model reads the full sequence of account events (logins, profile changes, beneficiary additions, transfers, call-center contacts) the way a language model reads a sentence. A limit change, followed by a new beneficiary, followed by a micro-transfer, reads as one risk narrative, not three unrelated events.
Acoru continuously classifies first-party and counterparty accounts as Regular, Victim, or Mule (complicit, witting, unwitting). The unwitting mule is the case transaction-scoring platforms miss entirely: the account looks legitimate, and the customer authorized the activity. Acoru detects it by reading the sequence, not the single payment.
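The difference between scoring a payment and reading a sequence can be shown with a small rule-based detector. This is an added illustration, not Acoru's Large Account Model or any code from Acoru; the event type names, the 72-hour window, the micro-transfer ceiling and the per-payment limit are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Assumed event vocabulary and thresholds (not from the article or any product).
PATTERN = ("limit_change", "beneficiary_added", "transfer")
WINDOW = timedelta(hours=72)   # the whole sequence must fit in this window
MICRO_MAX = 5.00               # ceiling for a "micro-transfer"
TXN_LIMIT = 1000.00            # stand-in for a per-payment amount rule

def per_transaction_alerts(events):
    """Payment-by-payment view: flags only transfers at or above a fixed amount."""
    return [e for e in events if e["type"] == "transfer" and e["amount"] >= TXN_LIMIT]

def _matches(event, chain):
    """Does this event extend the partial chain by one step?"""
    if event["type"] != PATTERN[len(chain)]:
        return False
    if len(chain) == 2:  # final step: tiny payment to the beneficiary just added
        return (event["amount"] <= MICRO_MAX
                and event["beneficiary"] == chain[1]["beneficiary"])
    return True

def sequence_alerts(events):
    """Account-level view: ordered limit change -> new beneficiary -> micro-transfer."""
    alerts, partial = [], {}
    for e in sorted(events, key=lambda item: item["ts"]):
        chain = partial.get(e["account"], [])
        if chain and e["ts"] - chain[0]["ts"] > WINDOW:
            chain = []                   # stale partial match expires
        if _matches(e, chain):
            chain = chain + [e]          # unrelated events in between are skipped
        elif e["type"] == PATTERN[0]:
            chain = [e]                  # a newer limit change restarts the chain
        if len(chain) == len(PATTERN):
            alerts.append((e["account"], [c["ts"] for c in chain]))
            chain = []
        partial[e["account"]] = chain
    return alerts

T0 = datetime(2026, 1, 5, 9, 0)
ROWS = [  # constructed sample: (account, hours after T0, type, amount, beneficiary)
    ("A", 0, "limit_change", None, None), ("A", 1, "login", None, None),
    ("A", 2, "beneficiary_added", None, "X1"), ("A", 5, "transfer", 1.00, "X1"),
    ("B", 0, "beneficiary_added", None, "X2"), ("B", 3, "transfer", 250.00, "X2"),
    ("C", 0, "limit_change", None, None), ("C", 240, "beneficiary_added", None, "X3"),
    ("C", 241, "transfer", 1.00, "X3"),
]
EVENTS = [{"account": a, "ts": T0 + timedelta(hours=h), "type": t, "amount": amt, "beneficiary": b}
          for a, h, t, amt, b in ROWS]
```

On the sample data the per-payment rule flags nothing, while the sequence rule flags account A only: B has no preceding limit change, and C's steps fall outside the window.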

Persistent risk states enable proportionate controls. An account that has gradually accumulated risk indicators may warrant stepped-up authentication, delayed settlement, or a beneficiary cooling-off period. An account showing structural mule coordination warrants stronger intervention. Not blunt thresholds. Calibrated friction aligned with the trajectory.
Acoru’s AI Workforce runs continuously in the background, detecting emerging patterns across the account portfolio, raising alerts and recommending remediation. The Acoru AI Assistant sits alongside the analyst, answering questions in plain language and pulling relevant events into a single view. Every action ties back to observable account behavior, so model governance and examiner expectations hold under a risk-based standard.
Deployed as a Fraud Intelligence Hub on-prem or in a private cloud, Acoru reads existing feeds (transaction monitoring, online fraud detection, device intelligence, channel signals, enrichment sources) without replacing them. All customer data and all fraud decisions stay inside the bank.
For receiving banks facing Nacha Phase 2, PSR 50/50 and PS23/4, that is audit-defensible evidence grounded in observable account behavior, delivered before a transaction is initiated. Reduced scam losses. Reduced reimbursement exposure. Customer protection when it matters most.
Fraud in Latin America is moving fast, and the institutions keeping pace are the ones rethinking how they detect, share, and act on intelligence. If the challenges discussed in this episode sound familiar, we would be glad to show you how Acoru works in practice.