Webinar recap: mule account handovers in 2026, what the data tells banks

In a recent webinar moderated by payments strategist Duane Jeffrey, we brought together Andre Farias, CEO and co-founder of Incognia, and Dave Laramie, Head of Group Fraud at Danske Bank, to discuss newly published research on mule account handovers.

The discussion was based on a survey of over 500 fraud and risk professionals across the US and Europe, making it directly relevant to anyone working in fraud prevention, compliance, or payments risk. The findings suggest the industry may be systematically misidentifying who the victim actually is, with significant consequences for how institutions respond.

 

The webinar recording is available now

Why mule account handovers are increasing across banking and payments

The numbers are bad, and the two experts already sensed that before the survey confirmed it. Eight in ten fraud professionals reported more mule account handover activity in the past year. Nearly two-thirds had cases with cross-border involvement. But the figure that kept coming up in discussion was 72%, the share of respondents saying that in at least half their cases, the account holder hadn't volunteered. They'd been pressured. A romance scam, a fake job, an investment opportunity that turned out to be neither.

This is what makes the handover problem different from a recruited mule. Laramie put it plainly: by the time a fraudster takes over, the account is spotless. It was opened legitimately, used normally, and handed over by someone who didn't fully understand what they were handing over. The criminal doesn't break in. They're given the keys.

Why financial institutions struggle to detect mule account handovers

Only 16% of institutions caught handovers before anything suspicious had happened. Everyone else was reacting to transactions already in motion, or money already gone.

When a handover was suspected, just over half of institutions defaulted to restricting the account. It's an understandable move. It slows the cash-out, and it creates a moment to talk to the customer. But as the panel spent some time unpacking, that response was designed for a different kind of mule, one who knew exactly what they were doing. In most handover cases, the account holder is a victim. Locking them out doesn't fix anything. It just adds another problem to the one they already have.

Farias was blunt about why this keeps happening: most institutions haven't built a separate lane for coerced victims. The same playbook runs regardless of how the account was compromised, regardless of whether the person on the other end is a criminal or someone who got manipulated on a dating app.

Mule fraud detection: the problem with device and location signals

Here's the contradiction buried in the data: device identity and location were the most widely used signals for detecting mule activity. They were also the top two causes of false positives, flagged by 28% and 24% of respondents, respectively.

Farias wasn't surprised. IP-based location is easy to spoof; a VPN or proxy takes care of it. GPS isn't much better, given how straightforward it is to run a fake GPS app or flip a device into developer mode. And most device ID implementations fall apart the moment someone reinstalls an app, resets their phone, or clears their cookies. One physical device can show up as dozens of different identities in the span of a week.

So the architecture is right in theory. The inputs are just too unreliable to act on.

The fix the speakers converged on isn't simply better signals,  it's continuity. Right now, onboarding and authentication operate as separate worlds at most institutions: different teams, different tech stacks, different data. What Farias described instead is a thread that runs from account opening through every subsequent login. The device used to open the account is checked against whether it resides near the address on file. When a new device appears, the same check runs. A device change paired with a completely different location profile is suspicious. A device change where the new device frequents the same neighbourhood isn't.

That approach also surfaces things that individual transaction monitoring misses entirely. One institution, using persistent cross-session location intelligence, found a single address from which 200 devices were accessing over 4,000 separate accounts. That pattern was invisible until someone looked across sessions.

Better fraud data matters more than better AI models

Seventy-eight percent of respondents called improving handover detection a high or top priority for the next 12 months. Half planned to invest in AI and machine learning to get there.

Farias had a cautious take on that. Not because AI is the wrong tool, but because the data it would run on isn't ready. Layering more sophisticated models on top of signals that are already unstable and easily manipulated won't move the needle. The underlying data quality must come first, or the investment goes nowhere useful.

On regulation, both speakers agreed: waiting for formal guidance isn't a viable strategy. The threat isn't waiting. And without better signals already in place, institutions can't even accurately measure how big their problem actually is. Laramie pointed to the trajectory of APP fraud liability under the UK's PSR framework, and the direction of PSD3 across the EU, as signs that regulators are moving toward shared accountability. The compliance case for acting now is building, whether or not specific detection methods have been formally endorsed.

How banks can improve cross-border mule fraud prevention

The end of the discussion kept returning to cross-border data sharing and how broken it still is.

Laramie acknowledged that mechanisms exist, such as the Nordic Financial CERT, frameworks developing under the EU's Anti-Money Laundering Authority, and consortium models in the UK. But the sharing that actually happens isn't joined-up, and it rarely crosses borders cleanly. That matters because fraud itself is increasingly cross-border. Institutions reporting the steepest rises in mule activity were nearly twice as likely to have confirmed cross-border involvement in their cases.

Real-time payments sharpen the problem. Farias pointed to UPI in India and Pix in Brazil (where Pix volumes now exceed the combined total of debit, credit, and cash transactions) as markets where faster rails brought faster mule activity alongside them. Frictionless settlement is good for customers and convenient for criminals. Laramie was less convinced that instant payments are genuinely new as a risk driver, but agreed the controls have to keep up with the rails.

The honest summary of where the industry sits: plans are in place, budgets are being allocated, and most of the investment is heading toward more sophisticated modelling. Whether that modelling will be built on data solid enough to support it is a different question, and probably the more important one.

About the author

Vlad is a Senior Editor at The Paypers, working in the Banking & Fintech team. He uses his research, content, and people skills for all activities revolving around Open Banking and Open Finance. Vlad has a degree in Biology and Molecular Genetics and an extensive background in creative writing. You can reach out to him on LinkedIn.