Published March 02, 2026
Last updated March 03, 2026

Why traditional fraud detection tools struggle to catch identity mules

Traditional fraud detection tools might miss the risk signals and connections that can help you stop identity mule attacks.
Louis DeNicola
Key takeaways
Traditional fraud detection tools and setups might miss the connections or signals you need to detect identity mule rings and attacks.
Since identity mules are real people who work with bad actors, you can't catch them with liveness or database checks. Fraud fighters need to find patterns between accounts and devices that connect mules, bad actors, and suspicious activity.
Some fraudsters combine identity mules' legitimate selfies with fake documents. Organizations unfamiliar with deepfake injections or identity mules will struggle even more against the blended techniques.

Traditional detection methods and point solutions often focus on fraud detection at a single point. Identity platforms and orchestration layers help fraud fighters detect patterns and stop scaling attacks. But there’s a growing fraud vector called identity muling that’s particularly difficult for some fraud systems to detect. 

Below, we’ll explore how identity muling works, what it looks like from a fraud fighter’s perspective, and what you can do to protect your organization.

Bad actors recruit identity mules to commit second-party fraud

Identity mules are people who willingly share aspects of their identity, such as their official documents or their faces, with bad actors. They might do this by verifying their identity when creating a new account, or by sharing pictures of their ID and videos of their face. 

Bad actors often pay identity mules around $5 to $20 for the exchange, similar to how fraudsters might hire a shipping or money mule. The identity mules don’t necessarily know they’re helping someone commit fraud. And even when they suspect something is amiss, they might accept the money out of necessity or because they feel like it’s a victimless crime. 

From a fraud-prevention perspective, the result is the same regardless of intent. A real person contributes part of their identity to support a fraud scheme.

Why bad actors use identity mules for IDV

Fraudsters often need to pass identity verification (IDV) checks to create monetizable accounts at fintechs, online marketplaces, and other high-value targets. But they’re unwilling or unable to use their own identity because they don’t want crimes traced back to them, their identity is already “burned,” and they can’t scale attacks using one identity.   

High-tech approaches, such as injecting AI-generated faces or documents into verifications, are popular vectors that will continue to pose a threat. However, organizations that invest in and focus on fraud prevention can detect and block most AI-driven attacks.

When organizations focus on blocking AI-driven fraud, some fraudsters naturally look for a low-tech alternative. It’s similar to how fraudsters reverted to mail theft and check fraud, but these groups use real people and documents to commit identity fraud. 

Fraudsters also frequently combine attack methods and vectors. For example, they might ask a mule to take a selfie and upload fake or stolen personal information to create a synthetic identity mule.

Organizations unfamiliar with the individual fraud vectors, such as deepfake injections or identity mules, will struggle even more against these blended techniques.

How to automate and scale identity mule detection 

Fraudsters often recruit multiple identity mules to scale attacks, and the systems or tools they use can be a weakness. For example, you might see verification attempts with: 

  • People taking selfies from the same office or street corner 

  • The same table or surface below documents 

  • Repeated IP addresses or other geolocation markers

  • Identical devices during account creation or subsequent logins

  • Document templates with different headshots 

We generated these images with AI to represent the selfies we see when a fraud ring uses identity mules. The fraudsters often have the mules take selfies in the same location, such as an office or warehouse.

What fraud fighters need to do is zoom out and combine technical sophistication with old-school pattern recognition. Consider the following tactics: 

Stack risk signals to improve detection 

Automating decisions based on one or two risk signals can lead to false positives. But stacking risk signals that correlate with fraud rings and identity muling can separate suspicious and legitimate users. Stacking signals can also increase precision and recall, particularly when the signals don’t correlate with one another. 

The specifics will depend on your environment and capabilities, but some of the signals we recommend checking during account creation and subsequent logins are:

  • VPN, Tor, or proxy use

  • Shared IP addresses

  • Shared browser or device fingerprints

  • Device is located in a high-risk area

  • Device is associated with multiple accounts 

  • Multiple devices access the same account 

  • Impossible travel between logins 

  • Behavior changes across logins

  • Account credentials change immediately after creation

Some of these are similar to monitoring for account takeovers, since the fraudsters are effectively taking over the mule’s account. 
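
To make the stacking idea concrete, here is an added example (not Persona's code) that derives five of the signals listed above from a constructed event stream and decides on the number of distinct signals rather than on any single one. The event schema, the 900 km/h travel limit, the 10-minute credential-change window, and the review and decline thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (account, event, time, ip, device, (lat, lon))
OAK, LON, NYC = (37.80, -122.27), (51.51, -0.13), (40.71, -74.01)
EVENTS = [
    ("acct-1", "create", "2026-01-05T10:00", "203.0.113.7", "dev-A", OAK),
    ("acct-1", "credential_change", "2026-01-05T10:04", "203.0.113.7", "dev-A", OAK),
    ("acct-1", "login", "2026-01-05T11:00", "198.51.100.9", "dev-Z", LON),
    ("acct-2", "create", "2026-01-05T10:20", "203.0.113.7", "dev-A", OAK),
    ("acct-2", "login", "2026-01-06T09:00", "203.0.113.7", "dev-A", OAK),
    ("acct-3", "create", "2026-01-05T12:00", "192.0.2.44", "dev-C", NYC),
    ("acct-3", "login", "2026-01-07T08:00", "192.0.2.45", "dev-C", NYC),
]

def speed_kmh(a, b):
    """Implied travel speed between two events (haversine distance / elapsed time)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a[4], *b[4]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    hours = max((b[0] - a[0]).total_seconds() / 3600, 1 / 3600)  # floor at one second
    return 2 * 6371 * asin(sqrt(h)) / hours

def stacked_signals(events, max_kmh=900, quick_change_s=600):
    """Return {account: set of signal names} derived from the whole event stream."""
    per_acct, ip_accts, dev_accts = defaultdict(list), defaultdict(set), defaultdict(set)
    for acct, kind, ts, ip, dev, pos in events:
        per_acct[acct].append((datetime.fromisoformat(ts), kind, ip, dev, pos))
        ip_accts[ip].add(acct)
        dev_accts[dev].add(acct)
    out = {}
    for acct, evs in per_acct.items():
        evs.sort()
        created = evs[0][0]  # assumption: the first event seen is account creation
        checks = {
            "shared_ip": any(len(ip_accts[e[2]]) > 1 for e in evs),
            "device_on_multiple_accounts": any(len(dev_accts[e[3]]) > 1 for e in evs),
            "multiple_devices_on_account": len({e[3] for e in evs}) > 1,
            "impossible_travel": any(speed_kmh(a, b) > max_kmh for a, b in zip(evs, evs[1:])),
            "quick_credential_change": any(
                e[1] == "credential_change" and (e[0] - created).total_seconds() <= quick_change_s
                for e in evs),
        }
        out[acct] = {name for name, hit in checks.items() if hit}
    return out

def decide(signals, review_at=2, decline_at=4):
    """Act on the stack, never on one signal (thresholds are assumptions)."""
    n = len(signals)
    return "decline" if n >= decline_at else "review" if n >= review_at else "allow"
```

In the sample, acct-2 shares an IP address and a device with acct-1 but shows nothing else, so it is routed to review instead of being declined outright.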

Add real-time link analysis to verifications 

Link analysis allows you to uncover connections between users and spot environment-wide patterns.

You might already have systems in place to determine if a device is associated with multiple accounts. But with link analysis, you can quickly spot connections that are multiple “hops” away. It’s an important distinction that allows you to connect a fraud ring to multiple identity mules via a fraud leader or broker.  

Using link analysis to investigate rings is helpful, but if you have access to real-time link analysis you can add it as a conditional step or risk signal during verification. Some organizations automatically decline attempts from users who are connected to a large number of accounts via a shared device.

This is a real result from Persona's Graph showing a fraudster connected to a device shared by fraudsters on the left and an IP address shared by identity mules on the right.
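
The multi-hop link analysis described in this section, sketched as an added example (not Persona's Graph or its API): accounts and the properties they share form a bipartite graph, and a breadth-first search counts how many other accounts are reachable within a hop limit. The account names, property values, hop limit, and decline threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (account, property type, value) seen during verification
OBSERVATIONS = [
    ("broker", "device", "dev-1"),
    ("fraud-1", "device", "dev-1"),
    ("fraud-2", "device", "dev-1"),
    ("broker", "ip", "203.0.113.50"),
    ("mule-1", "ip", "203.0.113.50"),
    ("mule-2", "ip", "203.0.113.50"),
    ("mule-2", "device", "dev-9"),
    ("mule-3", "device", "dev-9"),
    ("customer", "device", "dev-5"),
    ("customer", "ip", "198.51.100.23"),
]

def build_graph(observations):
    """Bipartite graph: account nodes on one side, shared-property nodes on the other."""
    graph = defaultdict(set)
    for account, kind, value in observations:
        a, p = ("account", account), (kind, value)
        graph[a].add(p)
        graph[p].add(a)
    return graph

def linked_accounts(graph, account, max_hops):
    """Return {other_account: hops}; one hop is one shared property between accounts."""
    start = ("account", account)
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if depth[node] >= 2 * max_hops:  # account -> property -> account is two edges
            continue
        for nxt in graph[node]:
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return {n[1]: d // 2 for n, d in depth.items() if n[0] == "account" and n != start}

def verification_step(graph, account, max_hops=3, decline_over=3):
    """Conditional step: decline when too many accounts are linked (threshold assumed)."""
    links = linked_accounts(graph, account, max_hops)
    return ("decline" if len(links) > decline_over else "continue"), links
```

A one-hop device check on mule-3 finds only mule-2; at three hops the same account is tied to the broker and both fraudster accounts through a shared IP address and a second device.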

How Persona stops identity mule rings

Persona’s verified identity platform helps you connect and analyze risk signals from pre-onboarding to manual review. The no-code and highly configurable Flow Editor allows anyone on your team to build and review branded, risk-adjusted verification flows.

Fraud fighters can use Persona’s platform to gather risk signals, investigate fraud and mule rings, and automatically decline or route suspicious users. 

  • Investigate and intercept fraud rings with Persona’s link analysis tool Graph. It can help you uncover connections between accounts in real time based on different properties, including IP address, device fingerprint, and user-submitted images.

  • Create Dynamic Flows that automatically add or reduce friction based on passive signals, verification checks, and real-time link analysis results. 

  • Run selfie verification checks and stack signals to detect deepfakes and injection attacks, including when fraudsters inject recordings from identity mules.

  • Use database checks to verify information from government IDs, and Document AI to confirm the authenticity of supplemental documents.

Contact us for a demo, or to see how we can tailor an identity mule solution for your environment.

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Louis DeNicola
Louis DeNicola is a content marketing manager at Persona who focuses on fraud and identity. You can often find him at the climbing gym, in the kitchen (cooking or snacking), or relaxing with his wife and cat in West Oakland.