The Reserve Bank of India has reported a consistent rise in banking fraud involving mule accounts: accounts opened using real or stolen identities for the sole purpose of receiving and forwarding fraudulent funds. In FY2025, over 9.42 lakh SIM cards linked to cyber fraud were blocked by Indian authorities, and the devices behind those SIM cards were often used to operate mule accounts at scale. For banks, NBFCs, payment apps, and wallets, mule accounts pose a compounding risk: they pass standard KYC checks but exist solely to launder the proceeds of fraud. Account takeover fraud, in which existing legitimate accounts are seized through SIM swap, phishing, or credential stuffing, creates a parallel exposure. Together, these two attack vectors account for a significant share of India’s digital banking fraud losses.
Table of Contents
- What Is a Mule Account and How Does the Network Operate
- Mule Account Detection: Signals at Onboarding
- Post-Onboarding Mule Account Detection: Behavioural Signals
- Account Takeover Fraud in India: How It Happens
- Account Takeover Detection: Device, Session, and Behavioural Signals
- RBI and NPCI Guidance on Mule and Takeover Fraud
- Industry Collaboration in Mule Account Detection: Shared Intelligence
- Key Takeaways
- Frequently Asked Questions
- Conclusion
What Is a Mule Account and How Does the Network Operate
A mule account is a bank or wallet account used to receive and transfer money obtained through fraud. The account may be opened by a knowing participant (a recruited mule who is compensated for allowing their account to be used) or an unknowing one (a victim of identity theft whose credentials were used without their knowledge to open an account they do not control).
In India’s organised fraud ecosystem, mule accounts function as nodes in a layering network: stolen funds from a cyber fraud (a vishing call, an OTP scam, a UPI phishing message) are transferred into a mule account, then moved quickly through one or two more accounts before being cashed out, often through prepaid cards, cryptocurrency, or merchant accounts. The speed of movement is the key characteristic: funds typically leave a mule account within minutes to hours of receipt, before the victim or the originating bank can initiate a recall.
The NPCI’s transaction recall mechanism and the RBI’s framework for mule account identification have put pressure on financial institutions to identify and freeze suspected mule accounts more quickly. Still, detection remains difficult because mule accounts are opened with genuine identity documents and often pass standard identity verification.
Mule Account Detection: Signals at Onboarding
The onboarding signals most predictive of mule account risk fall into four categories. The first is device and phone number signals. A device that has been used to onboard multiple accounts in a short period, even across different financial institutions, is a strong mule indicator. Phone numbers registered within the past 30 days, or numbers that have been associated with multiple recent account openings, are a high-risk signal. SIM swap history (whether the SIM linked to the onboarding number has been swapped recently) is particularly significant, since SIM swaps are used both to take over existing accounts and to open new ones under controlled phone numbers.
The second category is identity signal clustering. A cluster of onboarding attempts using the same Aadhaar number across different name variants, or the same device with different identity documents presented, indicates systematic mule factory activity rather than individual account opening.
The third is address and location anomalies. An address that has been associated with a very high number of previously opened accounts, particularly accounts that later exhibited suspicious behaviour, is a risk signal. A geolocation at onboarding that is inconsistent with the address on the identity document is a secondary indicator.
The fourth is application velocity. In mule factory operations, batches of applications are pushed through digital onboarding workflows within a short window. A financial institution that monitors its own onboarding velocity, detecting when a cluster of applications with similar device characteristics or address patterns arrives, can identify factory-style mule creation before the accounts are activated.
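The four signal categories above can all be computed over an institution's own onboarding batch. The Python below is an added worked example for this page, not code from the original article or from any bank, vendor or regulator. The application records are constructed, the thresholds (7-day device window, 30-day number age, 7-day SIM swap window, address density of more than three, a one-hour burst of three or more) are assumptions an institution would tune on its own data, and the `mobile_activated` and `sim_swapped` fields assume a telco lookup that supplies them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample onboarding batch (not real data). mobile_activated and
# sim_swapped are assumed to come from a telco lookup; aadhaar_hash/address_hash
# are hashed identifiers; geo_state is the onboarding geolocation, doc_state the
# state on the identity document.
APPLICATIONS = [
    {"app_id": "A1", "ts": "2025-03-01T10:00", "device": "d-111", "mobile_activated": "2025-02-20",
     "sim_swapped": None, "aadhaar_hash": "aad-1", "name": "Ravi Kumar",
     "address_hash": "addr-x", "geo_state": "MH", "doc_state": "MH"},
    {"app_id": "A2", "ts": "2025-03-01T10:05", "device": "d-111", "mobile_activated": "2025-02-25",
     "sim_swapped": None, "aadhaar_hash": "aad-2", "name": "Sunil Das",
     "address_hash": "addr-x", "geo_state": "MH", "doc_state": "WB"},
    {"app_id": "A3", "ts": "2025-03-01T10:12", "device": "d-111", "mobile_activated": "2025-02-22",
     "sim_swapped": None, "aadhaar_hash": "aad-3", "name": "Amit Roy",
     "address_hash": "addr-x", "geo_state": "MH", "doc_state": "MH"},
    {"app_id": "A4", "ts": "2025-03-01T10:20", "device": "d-111", "mobile_activated": "2024-01-01",
     "sim_swapped": "2025-02-27", "aadhaar_hash": "aad-4", "name": "Rohit Shah",
     "address_hash": "addr-x", "geo_state": "MH", "doc_state": "MH"},
    # same Aadhaar as A1 under a name variant, from another device and another state
    {"app_id": "A5", "ts": "2025-03-02T09:00", "device": "d-555", "mobile_activated": "2024-06-01",
     "sim_swapped": None, "aadhaar_hash": "aad-1", "name": "Ravi Kumaar",
     "address_hash": "addr-y", "geo_state": "KA", "doc_state": "MH"},
    # an ordinary application sharing nothing with the others
    {"app_id": "A6", "ts": "2025-03-02T11:00", "device": "d-999", "mobile_activated": "2022-05-01",
     "sim_swapped": None, "aadhaar_hash": "aad-6", "name": "Priya Nair",
     "address_hash": "addr-z", "geo_state": "KA", "doc_state": "KA"},
]

# Assumed thresholds for the example; an institution would tune these on its own data.
DEVICE_WINDOW, DEVICE_MAX = timedelta(days=7), 2      # >2 onboardings per device in 7 days
NEW_NUMBER_DAYS, SIM_SWAP_DAYS = 30, 7                # number age / time since last SIM swap
ADDRESS_MAX = 3                                       # >3 applications at one address
BURST_WINDOW, BURST_MIN = timedelta(hours=1), 3       # >=3 similar applications in an hour

def ts(s):
    return datetime.fromisoformat(s)

def onboarding_signals(apps):
    """Return {app_id: sorted signal names}. Cross-application signals are computed
    over this batch only, i.e. the institution's own view; a consortium feed widens it."""
    by_device, by_aadhaar, by_address = defaultdict(list), defaultdict(list), defaultdict(list)
    for a in apps:
        by_device[a["device"]].append(a)
        by_aadhaar[a["aadhaar_hash"]].append(a)
        by_address[a["address_hash"]].append(a)
    result = {}
    for a in apps:
        t, sig = ts(a["ts"]), set()
        # 1. device and phone number signals
        same_device = [o for o in by_device[a["device"]] if abs(ts(o["ts"]) - t) <= DEVICE_WINDOW]
        if len(same_device) > DEVICE_MAX:
            sig.add("device_reuse")
        if (t - ts(a["mobile_activated"])).days < NEW_NUMBER_DAYS:
            sig.add("new_mobile_number")
        if a["sim_swapped"] and (t - ts(a["sim_swapped"])).days < SIM_SWAP_DAYS:
            sig.add("recent_sim_swap")
        # 2. identity signal clustering
        if len({o["name"] for o in by_aadhaar[a["aadhaar_hash"]]}) > 1:
            sig.add("aadhaar_name_variants")
        if len({o["aadhaar_hash"] for o in by_device[a["device"]]}) > 1:
            sig.add("device_multiple_identities")
        # 3. address and location anomalies
        if len(by_address[a["address_hash"]]) > ADDRESS_MAX:
            sig.add("address_density")
        if a["geo_state"] != a["doc_state"]:
            sig.add("geo_doc_mismatch")
        # 4. application velocity: other applications sharing device or address inside the window
        burst = [o for o in apps if o is not a
                 and (o["device"] == a["device"] or o["address_hash"] == a["address_hash"])
                 and abs(ts(o["ts"]) - t) <= BURST_WINDOW]
        if len(burst) >= BURST_MIN:
            sig.add("application_burst")
        result[a["app_id"]] = sorted(sig)
    return result

def risk_tier(signals):
    """Assumed routing policy: identity clustering or a recent SIM swap, or three or
    more signals, goes to manual review; any other signal gets step-up verification."""
    hard = {"aadhaar_name_variants", "device_multiple_identities", "recent_sim_swap"}
    if hard & set(signals) or len(signals) >= 3:
        return "review"
    return "step_up" if signals else "auto_approve"

if __name__ == "__main__":
    for app_id, sig in onboarding_signals(APPLICATIONS).items():
        print(app_id, risk_tier(sig), sig)
```

On this batch, A1 to A4 trip device reuse, multiple identities on one device, address density and the one-hour burst together; A5 shows why identity clustering is checked across devices (the same Aadhaar hash reappears under a name variant); A6 carries no signal and is approved automatically. Note that none of the factory applications would have failed a document-only KYC check.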
Post-Onboarding Mule Account Detection: Behavioural Signals
Because mule accounts often pass onboarding checks, continuous transaction monitoring is essential for detection. The transaction patterns characteristic of mule accounts are distinctive: large inbound transactions shortly after account activation (particularly from unusual counterparties), followed immediately by outbound transfers or withdrawals. The account balance returns to near zero very rapidly after each inbound transaction.
The counterparty patterns also matter. Mule accounts typically receive funds from victims with whom they have no prior relationship, and transfer funds to other accounts in the mule network, accounts that themselves show unusual transaction patterns. Graph-based analysis, which examines the network of counterparties connected to an account rather than only the account’s own transaction pattern, is significantly more effective at detecting mule networks than account-level monitoring alone.
Additional behavioural signals: no use of the account for the routine financial activity (bill payments, salary credits, recurring transfers) that characterises genuine accounts; access from devices or IPs inconsistent with the account holder’s claimed profile; and UPI or IMPS transaction patterns that match known mule layering typologies (many equal-value transfers in rapid succession, or transfers timed to avoid banking hours).
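The inbound-then-drain, equal-value burst, off-hours and no-routine-activity signals described above, followed by the counterparty-graph step, run over a small constructed ledger. This is an added example written for this page, not the NPCI’s or any bank’s monitoring code. Account names, amounts, open dates and thresholds are invented; the external counterparties EMP, ELEC and SHOP are deliberately left unscored to show that only the institution’s own accounts are monitored, and the cash-out account X is designed to look unremarkable on its own so that only the graph step catches it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real). ACCOUNTS: the institution's own accounts and
# their open dates; EMP, ELEC and SHOP are external counterparties and are not scored.
ACCOUNTS = {"V1": "2020-01-15", "V2": "2019-06-30", "M1": "2025-03-09", "M2": "2025-03-09",
            "M3": "2025-03-10", "X": "2019-02-01", "G1": "2021-04-10"}
# (timestamp, debit account, credit account, amount in INR, channel)
LEDGER = [
    ("2025-03-01T09:00", "EMP", "V1", 60000, "SALARY"),
    ("2025-03-01T09:00", "EMP", "V2", 55000, "SALARY"),
    ("2025-03-01T09:05", "EMP", "G1", 60000, "SALARY"),
    ("2025-03-05T19:00", "G1", "ELEC", 2000, "BILLPAY"),
    ("2025-03-06T12:00", "G1", "SHOP", 500, "UPI"),
    ("2025-03-10T14:00", "V1", "M1", 50000, "UPI"),    # victim 1 pays the first mule
    ("2025-03-10T14:07", "M1", "M2", 49500, "IMPS"),   # layered onward within minutes
    ("2025-03-10T14:20", "M2", "X", 16500, "UPI"),     # split into equal-value transfers
    ("2025-03-10T14:22", "M2", "X", 16500, "UPI"),
    ("2025-03-10T14:24", "M2", "X", 16500, "UPI"),
    ("2025-03-11T01:30", "V2", "M1", 80000, "UPI"),    # second victim, off-hours
    ("2025-03-11T01:40", "M1", "M3", 79000, "IMPS"),
    ("2025-03-11T01:55", "M3", "X", 79000, "IMPS"),
]
ROUTINE = {"SALARY", "BILLPAY"}
# Assumed thresholds for the example.
EARLY_DAYS, EARLY_MIN_AMOUNT = 3, 25000             # large first credit soon after opening
DRAIN_WINDOW, DRAIN_RATIO = timedelta(minutes=60), 0.9
BURST_N, BURST_WINDOW = 3, timedelta(minutes=10)    # equal-value layering signature
OFF_HOURS_SHARE, FLAG_MIN_SIGNALS, ADJ_MIN = 0.5, 2, 2

def ts(s):
    return datetime.fromisoformat(s)

def account_signals(acct, ledger, opened):
    """Account-level behavioural signals for one account, as a sorted list of names."""
    credits = sorted((ts(t), amt, ch) for t, d, c, amt, ch in ledger if c == acct)
    debits = sorted((ts(t), amt, ch) for t, d, c, amt, ch in ledger if d == acct)
    sig = set()
    if credits and (credits[0][0] - ts(opened)).days <= EARLY_DAYS and credits[0][1] >= EARLY_MIN_AMOUNT:
        sig.add("early_large_inbound")
    # pass-through: a credit that is (almost) entirely sent out within the drain window
    for t, amt, _ in credits:
        if sum(a for dt, a, _ in debits if t <= dt <= t + DRAIN_WINDOW) >= DRAIN_RATIO * amt:
            sig.add("pass_through")
            break
    # layering signature: BURST_N identical debits inside a short window
    for i in range(len(debits) - BURST_N + 1):
        window = debits[i:i + BURST_N]
        if len({a for _, a, _ in window}) == 1 and window[-1][0] - window[0][0] <= BURST_WINDOW:
            sig.add("equal_value_burst")
            break
    if debits and sum(1 for dt, _, _ in debits if dt.hour >= 23 or dt.hour < 5) / len(debits) >= OFF_HOURS_SHARE:
        sig.add("off_hours_outbound")
    if not any(ch in ROUTINE for _, _, ch in credits + debits):
        sig.add("no_routine_activity")
    return sorted(sig)

def mule_network(ledger, accounts):
    """Score every account, then use the counterparty graph to pull in accounts whose
    own pattern is weak but that sit between several flagged ones. Returns
    (signals per account, flagged set, network-adjacent set, list of clusters)."""
    signals = {a: account_signals(a, ledger, opened) for a, opened in accounts.items()}
    flagged = {a for a, s in signals.items() if len(s) >= FLAG_MIN_SIGNALS}
    nbrs = defaultdict(set)
    for _, d, c, _, _ in ledger:
        nbrs[d].add(c)
        nbrs[c].add(d)
    adjacent = {a for a in accounts if a not in flagged and len(nbrs[a] & flagged) >= ADJ_MIN}
    nodes, clusters, seen = flagged | adjacent, [], set()
    for n in sorted(nodes):                    # connected components = mule clusters
        if n in seen:
            continue
        comp, stack = set(), [n]
        while stack:
            x = stack.pop()
            if x not in comp:
                comp.add(x)
                stack.extend(nbrs[x] & nodes)
        seen |= comp
        clusters.append(sorted(comp))
    return signals, flagged, adjacent, clusters

if __name__ == "__main__":
    signals, flagged, adjacent, clusters = mule_network(LEDGER, ACCOUNTS)
    for a in sorted(ACCOUNTS):
        print(a, "FLAGGED" if a in flagged else "adjacent" if a in adjacent else "-", signals[a])
    print("clusters:", clusters)
```

M1, M2 and M3 each carry several account-level signals and are flagged outright. X, the cash-out point, shows only the absence of routine activity, which on its own is too weak to act on; it is pulled in because it sits on the receiving side of two flagged accounts, and the component walk returns the whole chain as one cluster. V2, who happened to pay at 01:30, collects a single off-hours signal and is not flagged, which is the behaviour you want from a single weak indicator.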
Account Takeover Fraud in India: How It Happens
Account takeover (ATO) fraud involves a fraudster gaining control of a legitimate customer’s existing account without the customer’s knowledge or consent. In India, the primary mechanisms are SIM swap fraud (persuading a telecom operator to issue a new SIM for the victim’s number, giving the fraudster control of OTPs and SMS-based two-factor authentication); phishing; credential stuffing (using credentials leaked from other data breaches to attempt login at financial platforms where the same credentials were reused); and vishing (calling the victim under a pretext to obtain an OTP or other security information).
Once an account is taken over, the typical fraud pattern is an immediate change of the registered mobile number (so that the legitimate owner stops receiving alerts), transfer of the available balance, and application for any pre-approved loan or credit facility linked to the account. Pre-approved credit draws, where a lender has already approved a credit line available on demand, are particularly attractive to account takeover fraudsters because disbursement can happen within minutes.
Account Takeover Detection: Device, Session, and Behavioural Signals
Account takeover detection requires monitoring signals that indicate a session is not being conducted by the legitimate account holder. The most reliable signals are device change (a login from a device that has not previously accessed the account, particularly if followed by a contact detail change or a high-value transaction); session behaviour (login timing, transaction velocity, and navigation pattern inconsistent with the account holder’s established behaviour profile); and geolocation (access from a location inconsistent with the holder’s prior access pattern).
Device intelligence plays a central role: a device fingerprint that has been associated with prior ATO events across the financial system, shared across institutions through fraud network databases, is a strong risk signal that should trigger step-up authentication before any sensitive account action is allowed.
For UPI-based platforms, SIM swap detection (checking whether the SIM linked to the registered mobile number has been swapped recently) before processing high-value transactions is a specific and effective ATO control. The NPCI and individual banks have implemented SIM swap lookups at the payment authorisation layer, but not all platforms have integrated this check.
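The device-change, geolocation, consortium-device and SIM-swap rules from this section, combined into one session evaluator that walks a constructed event stream and decides allow, step-up or hold for each action. This is an added example for this page, not code from the article, the NPCI or any bank. `SHARED_ATO_DEVICES` stands in for a hypothetical consortium feed and `SIM_SWAP_REGISTRY` for a hypothetical telco lookup; the 50,000 high-value threshold, the 72-hour SIM swap lookback and the 30-minute session window are assumptions, and the customer profiles and events are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data (not real). A profile is what the institution already knows:
# devices previously enrolled, states the customer normally logs in from, and the
# mobile number on record before this session started.
PROFILES = {
    "C1": {"devices": {"dev-a"}, "states": {"KA"}, "mobile": "9100000001"},
    "C2": {"devices": {"dev-b"}, "states": {"KA"}, "mobile": "9100000002"},
}
# Hypothetical consortium feed: device fingerprints tied to confirmed ATO at other members.
SHARED_ATO_DEVICES = {"dev-z"}
# Hypothetical telco SIM-swap lookup: mobile -> time of last swap (None = no swap on record).
SIM_SWAP_REGISTRY = {"9100000001": None, "9100000002": "2025-04-02T08:00"}
# (event id, account, timestamp, event type, device fingerprint, geo state, amount in INR)
EVENTS = [
    ("e1", "C1", "2025-04-01T10:00", "login", "dev-a", "KA", 0),
    ("e2", "C1", "2025-04-01T10:05", "transfer", "dev-a", "KA", 5000),
    ("e3", "C2", "2025-04-02T09:00", "login", "dev-z", "DL", 0),          # takeover begins
    ("e4", "C2", "2025-04-02T09:03", "change_mobile", "dev-z", "DL", 0),  # silence the victim's alerts
    ("e5", "C2", "2025-04-02T09:10", "transfer", "dev-z", "DL", 70000),   # drain the balance
    ("e6", "C1", "2025-04-03T20:00", "login", "dev-c", "KA", 0),          # genuine customer, new phone
    ("e7", "C1", "2025-04-03T20:15", "transfer", "dev-c", "KA", 2000),
]
HIGH_VALUE = 50000                          # assumed threshold for the SIM-swap lookup
SIM_SWAP_LOOKBACK = timedelta(hours=72)     # assumed
SESSION_WINDOW = timedelta(minutes=30)      # assumed: a contact change "in the same session"

def ts(s):
    return datetime.fromisoformat(s)

def sim_swapped_recently(mobile, at):
    """True if the telco record shows a SIM swap within the lookback before `at`."""
    last = SIM_SWAP_REGISTRY.get(mobile)
    return last is not None and timedelta(0) <= at - ts(last) <= SIM_SWAP_LOOKBACK

def evaluate(events, profiles):
    """Walk events in time order; return {event id: (decision, sorted reasons)}.
    allow = proceed; step_up = extra factor first; hold = block and verify out of band."""
    contact_changes = defaultdict(list)     # account -> times of contact-detail changes
    out = {}
    for eid, acct, t, kind, dev, state, amt in sorted(events, key=lambda e: e[2]):
        at, prof, reasons = ts(t), profiles[acct], set()
        new_device = dev not in prof["devices"]
        if new_device:
            reasons.add("new_device")
        if dev in SHARED_ATO_DEVICES:
            reasons.add("consortium_ato_device")
        if state not in prof["states"]:
            reasons.add("geo_mismatch")
        decision = "allow"
        if kind == "login":
            decision = "step_up" if reasons else "allow"
        elif kind == "change_mobile":
            contact_changes[acct].append(at)
            reasons.add("contact_change")
            # a contact change is always sensitive; from an unknown or consortium-flagged device it is held
            decision = "hold" if new_device or "consortium_ato_device" in reasons else "step_up"
        elif kind == "transfer":
            if any(at - c <= SESSION_WINDOW for c in contact_changes[acct]):
                reasons.add("contact_change_in_session")
            if amt >= HIGH_VALUE:
                reasons.add("high_value")
                # look up the number on record BEFORE this session's change, not the attacker's new one
                if sim_swapped_recently(prof["mobile"], at):
                    reasons.add("recent_sim_swap")
            if ("recent_sim_swap" in reasons or "consortium_ato_device" in reasons
                    or (new_device and ("contact_change_in_session" in reasons or amt >= HIGH_VALUE))):
                decision = "hold"
            elif reasons:
                decision = "step_up"
        out[eid] = (decision, sorted(reasons))
    return out

if __name__ == "__main__":
    for eid, (decision, reasons) in evaluate(EVENTS, PROFILES).items():
        print(eid, decision, reasons)
```

The C2 sequence is the pattern the section describes: an unknown device from an unusual state is challenged at login, the mobile-number change three minutes later is held, and the 70,000 transfer is held on three independent grounds (consortium device, contact change in the same session, and a SIM swap an hour before). The C1 sequence shows the cost side: a genuine customer on a new phone is stepped up, not blocked. One detail worth keeping from the code: the SIM swap lookup must be made against the number the institution had on record before the session, since the first thing a fraudster does is replace it.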
RBI and NPCI Guidance on Mule and Takeover Fraud
The RBI has issued multiple advisories on mule account risk and the obligations of financial institutions to monitor and report suspected mule activity. The Integrated Ombudsman Scheme requires banks to resolve customer complaints about fraudulent transactions within defined timelines, creating a regulatory incentive to have effective detection and recall mechanisms in place.
The NPCI operates a transaction fraud monitoring system for UPI that flags high-risk transactions for additional verification. It has also published typology guidance for mule account detection, including the short gap between account activation and the first significant transaction, and the equal-value rapid transfer signature of layering operations.
For financial institutions, the regulatory expectation is clear: mule account detection should be embedded in both the onboarding workflow and the post-activation monitoring system. Institutions that detect mule accounts only after customer complaints β rather than through proactive monitoring β face both reputational risk and regulatory scrutiny under the cyber fraud response framework the RBI published in 2024.
Industry Collaboration in Mule Account Detection: Shared Intelligence
One of the structural limitations of individual financial institution fraud detection is siloed data. A mule account operator who has been flagged and closed by one bank can immediately open an account at another bank using the same or slightly modified credentials β because the second bank has no access to the first bank’s fraud detection findings. Addressing this structural gap requires industry-level data sharing.
Several initiatives in India are building the shared intelligence infrastructure required for effective mule account detection at scale. The NPCI’s transaction fraud monitoring system shares suspicious transaction patterns across member banks and payment systems. The Indian Banks’ Association (IBA) facilitates fraud data sharing through the Banking Community Fraud Intelligence Platform. The RBI’s Financial Crime Intelligence Unit (FCIU) coordinates intelligence sharing on systemic fraud patterns.
For NBFCs and fintechs, participation in industry fraud consortiums, where confirmed fraud event data is shared in near-real-time with other members, is increasingly valuable. A device fingerprint associated with a confirmed mule account at one lender becomes a risk signal at every other lender with access to the shared database. The network effect of shared fraud intelligence grows as more institutions participate.
The data governance framework for fraud intelligence sharing must be carefully designed: shared data must be limited to confirmed fraud signals (not suspected or pending cases), must be accompanied by appropriate data security obligations on all recipients, and must comply with the DPDP Act’s requirements for lawful data sharing, including whether sharing is covered by legitimate use or requires specific legal basis documentation.
Key Takeaways
- Mule accounts pass standard KYC because they use genuine documents; detection requires device, phone number, address, and application velocity signals in addition to identity verification.
- Post-onboarding transaction monitoring is essential: mule accounts show immediate large inbound credits followed by rapid near-zero-balance outbound transfers, a pattern invisible at onboarding.
- Account takeover fraud primarily occurs via SIM swap, phishing, and credential stuffing; detection requires device fingerprint monitoring, session behaviour analysis, and SIM swap lookup.
- Graph-based transaction monitoring, examining the counterparty network rather than only account-level patterns, is significantly more effective at detecting mule networks.
- SIM swap detection before high-value UPI or IMPS transactions is a specific and effective account takeover control that not all platforms have integrated.
Frequently Asked Questions
Q: What is a mule account in banking?
A mule account is a bank or digital wallet account used to receive and forward fraudulent funds. It may be opened by a knowing participant (a recruited mule) or through identity theft. Mule accounts often pass KYC because they use genuine identity documents, making post-onboarding behavioural monitoring essential for detection.
Q: How do you detect mule accounts at onboarding?
Mule account detection at onboarding looks for: devices previously used for multiple recent account openings, phone numbers registered within the past 30 days or recently swapped, identity signal clustering (same device with different documents), address anomalies (high account density at the registered address), and application velocity patterns suggesting factory-style account creation.
Q: What is account takeover fraud and how does it happen in India?
Account takeover (ATO) fraud occurs when a fraudster gains control of a legitimate customer’s account without their consent. In India, the primary methods are SIM swap fraud, phishing, credential stuffing (using data from breaches at other platforms), and vishing. Once control is established, the fraudster changes contact details, transfers funds, and may apply for pre-approved credit before the account holder realises what has happened.
Conclusion
Mule accounts and account takeover fraud are not separate problems; they are interconnected. Funds stolen through account takeover are laundered through mule networks, and the detection systems that catch mule accounts feed intelligence into the prevention systems that stop account takeover. Financial institutions that invest in both onboarding-level risk signals and post-activation behavioural monitoring are building a detection system that is harder to circumvent as fraud techniques evolve.