Fraud Prevention

Detecting money mule accounts at onboarding

A money mule account is usually opened with a genuine identity document, which is exactly why document verification alone struggles to catch it. The mule is often a real person, recruited to receive and quickly move funds on behalf of a fraud ring, or an existing customer whose account has been taken over for the same purpose. A phone-based signal layer, carrier, number type and active status today, adds a check that does not depend on the document being fake.

Why document verification alone misses mule accounts

Classic identity fraud uses a fabricated or stolen document, which is precisely what document verification is built to catch. A money mule account frequently uses neither. Recruitment typically happens through social media adverts or messaging apps promising easy money for "helping move funds", and the recruit opens the account using their own, entirely genuine, passport or driving licence. The document check passes because there is nothing false to detect.

What changes at the point of mule recruitment is often the phone number: a fraud ring commonly supplies or requires a fresh number for the account, separate from the number the recruit uses personally, to keep the mule activity contained and harder to trace back. That number frequently has a different profile from an ordinary long-standing personal line.

Where phone signals help at onboarding

Number type screening

Disposable, non-fixed VoIP numbers require no identity verification to obtain and are disproportionately used for mule recruitment specifically because they can be issued quickly and discarded after use. Flagging non-fixed VoIP at onboarding is a cheap first filter that does not depend on the identity document at all.

Carrier and country consistency

A phone number served by an unexpected carrier, or registered in a different country from the one on the identity document, is worth a second look. It is not proof of anything by itself, but it is a low-cost signal to combine with other onboarding checks. See the carrier lookup API for the full field set.

Active status at onboarding and before first payout

Confirming the number is genuinely reachable, not just formatted correctly, is useful both at account opening and again before the account's first large incoming payment is released. See phone number validation for KYC for how this fits an onboarding decision.

Cross-application number reuse

Mule recruitment tends to run at scale: the same handler often manages several mule accounts across different platforms or the same platform. Telebase returns the facts for a single number on a single query; the pattern-matching across applications, such as the same number or number range appearing on multiple recent sign-ups, is logic your own fraud stack builds on top of that data, not something Telebase infers on your behalf.

The account-takeover variant: unwitting mules

Not every mule volunteers. In some cases, a genuine, long-standing customer's account is taken over, commonly via a SIM swap, and used to receive and move illicit funds without the account holder's knowledge until they notice unfamiliar activity. This variant looks different at onboarding, since the account is old and the original KYC was clean; the useful check sits later, at the point a large or unusual incoming payment triggers a review, where a recent SIM swap is a strong indicator that the account is not being operated by its owner. See telecom signals in an account takeover prevention stack for the fuller pattern.

Signals available today

Live in every response

SIM swap detection is launching. Early access is open now.

The simSwap field is present in every response today and returns UNKNOWN in GB, DE, NL and FR while carrier registration completes. This signal is most relevant to the unwitting-mule, account-takeover variant above, where a recent swap on an existing account is a strong review trigger. See the SIM swap detection API.

Handling the phone numbers involved in a mule review carries its own data protection obligations. See GDPR-compliant telecom data for KYC for how Telebase's data handling fits a fraud review workflow.

$0.03 per query. No contract. No minimum spend. Billed via Paddle.
Request early access