The Money Mule Solution: What Every Scam Has in Common
- Scams are a $450B–$1T global problem, and unlike card fraud, they don't require a breach, just convincing a victim to send money themselves.
- The mule account is the most stable target: every scam needs an exit point, and intelligence gathered before a transaction occurs is more actionable than behavioral monitoring after the fact.
- CYBERA's approach uses agentic personas to engage active scammers and extract verified mule account details: confirmed intelligence, not probabilistic scoring.
- Regulatory pressure is accelerating: the UK already mandates APP fraud reimbursement, and the US, Canada, and Australia are following, raising the stakes for institutions that don't act proactively.
Scams have become one of the most damaging and difficult-to-detect ways for criminals to extract funds from victims and financial institutions alike. The Global Anti-Scam Alliance estimated global scam losses reached nearly $450 billion in 2025, but CYBERA Co-founder Claudio Staub puts the real figure closer to $1 trillion, accounting for how heavily scams are underreported.
Unlike card fraud or account takeover, scams, particularly authorized push payment (APP) fraud, don’t require a breach — they require convincing a victim to execute the payment themselves. That distinction matters enormously for how fraud teams are equipped to respond. The specific tactics criminals use are deliberately unstable. From romance scams to fraudulent job offers, the playbook shifts constantly, shaped by what's working, what's been exposed, and what tools are newly available.
Predictably, AI and deepfake technology have made it faster and cheaper to produce convincing scam content at scale, from instantly crafting believable personas to standing up brand impersonation sites in minutes. This has lowered the barrier to entry for creating effective scam operations, raising both the volume and quality of attempts hitting customers.
When asked how AI has changed the nature of scams today, Staub said that scammers have become “much more sophisticated in crafting fake emails, going as far as deepfakes where they pretend to be the CEO in a Teams conversation, for example.”
Fraud teams that focus on specific scam variants will always be chasing last year's threat. The question is whether there's a more stable place to intervene.
The most traceable element of any scam isn't the tactic. It's the mule account.
Every scam, regardless of how it's constructed, needs the same thing at the end: somewhere for the money to go. Without that exit point, the scam has no economic payoff.
As Staub explains, “Ultimately, the entire purpose of scamming people is for the criminals to exfiltrate funds. So, they always need to have infrastructure that allows them to cash out these proceeds.”
The bank accounts criminals use to receive and move stolen funds are known as money mule accounts, and their holders are recruited through a range of methods. Witting mules are often financially vulnerable individuals, offered a cut of proceeds to receive and forward funds. Unwitting mules are account holders deceived into participating under false pretenses. In both cases, the account typically shows no suspicious activity until it's too late.
That last point is where the detection problem becomes acute. Transaction monitoring and behavioral analysis are built to catch anomalies. Mule accounts are designed to look normal, and they often do, right up until scammed funds arrive and are moved out. By that point, the victim has already lost their money.
The data confirms how persistent this blind spot is.
CYBERA, whose mule intelligence is now available as an add-on to Recorded Future's Payment Fraud Intelligence, collected more than 16,000 confirmed mule accounts across 72 different countries in the second half of 2025.
According to CYBERA’s H2 2025 Mule Intelligence Report, 28% of the accounts they observed across multiple engagements remained active for 30 days or more after they were first identified. In fact, one account appeared in 25 separate engagements between September and December. Critically, this persistence wasn't concentrated at specific institution types or in specific geographies. Long-lifespan accounts appeared across banks of different sizes and geographies. The pattern points to a systemic gap in detection and follow-up, not an isolated failure.
CYBERA’s H2 2025 report also found that regional banking infrastructure shapes where mule accounts land. In Europe, 51% of identified mule accounts sit at neobanks and fintechs, reflecting the low-friction onboarding and fast payment rails those platforms offer. Outside Europe, major banks dominate at 69%, because victims are more likely to send funds to accounts at familiar institutions. Criminals adapt to where detection is weakest and fund movement is fastest.
Catching mule accounts requires a different kind of signal.
Because mule accounts behave normally by design, fraud teams often cannot reliably identify them from transaction history alone. The signal has to come from somewhere else — specifically, from intelligence about the scam operation itself, collected before a payment is ever sent.
CYBERA's approach is to go directly to the source. Their system uses agentic personas to engage with active scammers at scale, extracting confirmed mule account details from those communications before funds are transferred. The accounts are verified through direct engagement, not inferred through probabilistic scoring, and delivered with the evidence trail from the engagement itself.
“We’re not guessing that this could be a scam–we actually know,” said Staub of CYBERA’s approach. “We know that an account detected through our method is used in connection with a scam, and we back it up.”
That distinction matters operationally. A verified mule account, backed by documented scammer communications, gives financial institutions the context to act with confidence, whether that means placing controls on an account their own customer holds or screening an outbound payment before it reaches a known mule.
This is what intelligence-led fraud prevention looks like for scams.
Recorded Future's Payment Fraud Intelligence is built on a core premise: the most valuable fraud signals are the ones that arrive before harm occurs. This means giving customers the most complete view possible of the pre-transaction signals that enable payment fraud.
Payment Fraud Intelligence tracks card compromise from the point of theft to the point of use. It identifies infected and scam merchants before payment data is harvested, monitors dark web carding shops to surface which cards require heightened attention, and analyzes checker services where stolen cards are tested immediately before fraud attempts, giving teams a clear signal of which records are active and likely to be used soon. Money Mule Intelligence extends that same logic into the APP and scam domain.
The regulatory environment is adding urgency. The UK's Payment Systems Regulator now mandates that banks reimburse most APP fraud victims. The US, Canada, and Australia are each developing their own regulatory responses. The direction of travel is clear: institutions will be expected to do more to prevent scam losses, not just absorb them.
Scam tactics will keep changing. The widespread availability of AI tools in the criminal ecosystem guarantees that the volume and quality of social engineering attempts will continue to increase. Fraud teams cannot win by tracking every new variant.
But the infrastructure that makes scams profitable is more stable than the scams themselves. Mule accounts are where the scam economy is most exposed, and where intelligence-led intervention has the most leverage. The institutions best positioned to reduce APP fraud losses are the ones that stop waiting for the transaction signal and start working from confirmed intelligence about where the money is going before it gets there.