Cyber-enabled Fraud

Cyber-enabled Fraud (CEF)

Cyber-enabled fraud has emerged as a significant, globally sprawling organized crime, showing a steep increase in both the number of incidents and their worldwide reach. This type of crime inflicts severe financial damage, affects individuals, businesses, and entire economies, and undermines confidence in digital infrastructures. Its cross-border character, characterized by the swift movement of illicit funds across various regions, underscores its international significance.


  • CEF is an expanding transnational crime, often involving structured syndicates specialized in areas like money laundering.
  • These syndicates can be decentralized across jurisdictions, complicating investigations.
  • Links exist between CEF syndicates and other crimes, including human trafficking and activities related to DPRK’s illicit cyber activities.

Money Laundering in CEF

  • Money laundering (ML) in CEF involves groups and enablers using money mules, shell companies, or legitimate businesses.
  • ML networks span various financial institutions, including banks and virtual asset service providers (VASPs).
  • Criminals use diverse ML techniques, including cash, trade-based laundering, and unlicensed services.

Technology’s Role in CEF

  • Digital advancements increase the scale and speed of CEF activities.
  • Techniques include exploiting victim psychology and leveraging technology for faster laundering.
  • CEF syndicates use remote online account opening, social media, and new digital products to facilitate their crimes.

Jurisdictional Response to CEF

  • Effective responses require:
    • Increased victim reporting and enhanced suspicious transaction monitoring.
    • Analysis of large data inflows to address CEF.
    • Strong domestic coordination to combat and prevent CEF and ML.
  • ML often occurs in different locations from the predicate offenses, across multiple jurisdictions.
  • International collaboration is essential, utilizing mechanisms like INTERPOL’s I-GRIP and the Egmont Group BEC Project for rapid cooperation.

Risk Flags and Anti-Fraud Measures

  • The report includes risk indicators and anti-fraud requirements and controls for public and private sectors to detect and prevent CEF and ML.

ML Techniques and Typologies

Professional ML Groups and Enablers

  • In laundering CEF proceeds, criminals utilize professional ML groups and third-party enablers like lawyers, accountants, and bankers.
  • These groups may be part of the CEF syndicate or operate independently under a „crime-as-a-service“ model.

Networks of Accounts

  • CEF proceeds are quickly laundered through complex networks spanning multiple borders and financial institutions.
  • The complexity varies with the criminal group’s sophistication.

Involvement of Individuals and Legal Entities

  • Individual money mules are recruited through job offers, advertisements, and social media, by mule ‚herders.‘
  • Money mules may be complicit, deceived, or negligent and are difficult to trace back to the mule herders.
  • Shell companies controlled by CEF criminals through strawmen or nominee directors, often using virtual business addresses.
  • Legitimate companies can be tricked or willingly receive CEF proceeds, adding a layer of legitimacy to conceal illicit activities.

Differences in CEF Money Mules

  • Recruitment: CEF mules are more likely recruited online, exploiting economic conditions or using fake job offers.
  • Usage of Accounts: CEF-linked mules use accounts at financial institutions for rapid electronic transfers, requiring some tech proficiency.

Differing Locations for CEF and Laundering

  • The site of CEF (victim’s location) often differs from where laundering occurs, involving international money mule networks.
  • To avoid detection, criminals test transactions with small amounts before transferring larger sums.

First Layer Account Types

  • The type of initial account for receiving CEF-proceeds varies with the fraud type.
  • Shift observed from using individual to corporate accounts in BEC fraud to reduce detection risk.

Establishment and Use of Accounts

  • Once established, accounts are quickly used to enter the ML network, with funds rapidly layered through various domestic and foreign accounts.
  • Money mules or strawmen control these accounts, sometimes giving direct control to CEF syndicates.
  • Professional enablers aid in legitimizing these transactions.

Evasion Techniques

  • CEF syndicates use smurfing, account hopping, and conversion to other financial assets (e-money, pre-paid cards, VAs) to remain anonymous.
  • These techniques delay detection and complicate cross-border financial data access for law enforcement.
  • Money mules might use their accounts only briefly, making detection harder.

Other ML Techniques

  • Cash withdrawals and movement, often international, are common, as are purchases of valuables for later resale.
  • Trade/service-based ML involves false invoicing and buying marketable goods for resale.
  • Unlicensed remitters and VASPs in jurisdictions with lax AML/CFT controls are exploited.
  • For VA transactions, anonymity-enhancing techniques include unhosted wallets, peer-to-peer transactions, and use of privacy coins or DeFi services.

Red Flags

Transaction Patterns

  • Unusual transactions soon after account opening, not aligning with account purpose.
  • Immediate large cash withdrawals or transfers after receiving funds, to empty the account.
  • Frequent large transactions misaligned with the account holder’s economic profile, like sudden international transfers or large foreign ATM withdrawals.
  • Transactions to/from high-risk money laundering countries.
  • Regular large transactions with new companies, not matching the beneficiary’s activities.
  • Small initial payments to a beneficiary, quickly followed by larger payments.
  • Regular round value amount purchases, possibly indicating gift card buys.

Customer Transaction Instructions and Remarks

  • Additional payment requests following a successful payment to a new account.
  • Transaction instructions in a different language or style than usual.
  • Instructions marked as “Urgent”, “Secret”, or “Confidential”.
  • Poorly formatted transaction justification messages.
  • Payments directed to a known beneficiary but with different account details.
  • Inconsistencies between the transaction description’s beneficiary and the account holder’s name.
  • Transactions by inexperienced investors to companies in high-risk areas, often for investment reasons.
  • Incongruent counterparties, suggesting cover for international fund movement.
  • Transactions with device time zone mismatches.

Suspicion in Account Holder’s Profile

  • Failure to pass Customer Due Diligence (CDD) checks.
  • Unfamiliarity with or indirect involvement in fund movements.
  • Frequent name changes using foreign expressions.
  • Inadequate knowledge or inconsistent explanations about transactions, suggesting mule involvement.

Suspicion in Account User’s Identity

  • Attempts to conceal identity or use of altered identification.
  • Frequent changes in contact details post-account opening.
  • Email addresses mismatching the account holder’s name or similar across accounts.
  • Irregularities in online behavior or shared credentials.
  • Account activity from high-risk jurisdictions or via VPNs.
  • Multiple IP addresses or devices for a single account, or a single device for multiple accounts.
  • Remote desktop access suggesting hidden device/location.
  • Excessively fast keystrokes indicating potential bot control.

Adverse Information on the Account Holder

  • Negative news or reports related to scams, mules, or identity takeovers.
  • Wire transfer recall requests or fraud alerts.
  • Adverse information from Financial Intelligence Units (FIUs) or Law Enforcement Agencies (LEAs).

Virtual Asset (VA) Transactions

  • Large or frequent small VA transactions to suspicious addresses or darknet sites.
  • Excessive use of Bitcoin ATM limits.
  • Lack of origin proof for VAs or converted crypto-assets.
  • VA transfers to wallets linked to illegal dark web activities.
  • Transactions involving multiple anonymous VAs.
  • Unexplained VA activity from peer-to-peer platform wallets.


  • Account number and holder name mismatches.
  • User observed receiving instructions during transactions.
  • Beneficiary companies offering unauthorised trading/investment services.