International students and non-permanent residents have been targeted by fraudsters for access to their accounts, according to a report by the Fintel Alliance, a public-private partnership led by AUSTRAC.
The mules can receive between $200 and $500 for use of their accounts, or may receive a commission of up to 10 per cent on the funds received into accounts they operate.
Access to Australian bank accounts is being traded via several Facebook groups.Credit: Facebook
This week, this masthead was able to find several Facebook groups offering Australian bank accounts to “buy, rent or sell”.
In one of the online advertisements, an anonymous Facebook user claimed they were offering upfront payments of $350 to buy access to Bendigo or Up bank accounts, $200 for a National Australia Bank account or $150 for a Westpac, St George, Ubank, Bank of Melbourne or HSBC account.
Brewer, AUSTRAC’s Fintel Alliance national manager, said advertisements were being detected seeking bank accounts to buy in different languages, and warned those considering taking part in the trade.
“It can be a crime, and it’s not a victimless crime, because this money has come from something that has a victim, so someone’s been hurt to get this money to then move through your account.”
Another Facebook user claims to offer money in exchange for access to Australian accounts.Credit: Facebook
The Australian Federal Police warned that those convicted of participating in “muling” cash can face anywhere from 12 months to life in prison.
Digital bank Ubank, owned by NAB, is one of several Australian banks that promote the ability to open an account within minutes. Last year, a retiree in her 70s discovered that fraudsters had opened two Ubank accounts in her name without the bank viewing any identification documents belonging to her.
The third party provided the woman’s name, date of birth, address and Medicare card details, but the bank did not require or obtain a copy or record of the actual Medicare card, according to information provided to the Australian Financial Complaints Authority (ACFA).
You can join Ubank in minutes, according to the bank’s website.
Anne, who did not want her last name used because of concerns about her privacy, discovered the identity theft when a “beautiful pale blue card” from Ubank arrived in the mail in late February last year.
She said she was shocked to discover that it had been possible to open an account without any physical documentation confirming her identity.
“This all happened only with the Medicare number. I did not lose the card. I’m appalled that Ubank could get away with such a lack of ID-checking. They received no photo ID, and the banking code didn’t help me as a consumer.”
Loading
Anne complained to AFCA, alleging that the bank had not provided her with satisfactory answers to her questions. AFCA found in favour of the bank, finding that it “appropriately responded to the complaint … once aware of the fraud”.
However, AFCA could not consider Ubank’s conduct in opening the fraudulent accounts in the first place, as it falls out of the organisation’s jurisdiction. This is set to change next year as a result of new federal laws which could put banks receiving stolen funds on the hook for compensation.
“Currently – and until the change comes into effect in March 2026 – AFCA can only consider the actions of the bank that has the direct customer relationship with the person or entity who has lodged a complaint, so that’s the ‘sending’ bank,” an AFCA spokesperson said.
Ubank head of fraud Jacob Donohue described Anne’s case as “an unfortunate example of identity theft, where personal information was compromised outside of the banking channel and used by a criminal without the customer’s knowledge”.
There is no evidence the accounts opened in Anne’s name were used for any scam transactions.
Ubank no longer allows Medicare cards as the single identity document to onboard customers, but it does still allow customers to open accounts using a driver’s licence or passport, without requiring a copy of the physical document.
This masthead was able to set up multiple accounts with Australian digital banks without providing any photo identification.
All of Australia’s major brick-and-mortar bank brands now require at least one biometric check (such as facial recognition) for new customers opening accounts online, as part of the Australian Banking Association’s Scam-Safe Accord. The change was introduced due to recognition that gangs of scammers were opening bank accounts using driver’s licence and passport numbers stolen in major data breaches.
Dan Halpin, whose company Cybertrace specialises in cyberfraud investigations, said he was concerned about several Australian banks that allowed customers to open accounts online using driver’s licence details without requiring a physical copy of the licence.
Loading
“While this approach streamlines the onboarding process, it raises concerns about the ease with which identity fraud can occur, especially considering recent data breaches involving major Australian companies,” Halpin said. “Higher-level technology such as biometrics needs to be employed during the account opening process.”
Of the major banks, NAB and its subsidiaries, which include Ubank, closed the largest number of mule accounts in the 2024 financial year, shutting down 5669.
The Commonwealth Bank closed almost 3000 accounts linked to fraud or scams over the same period, while Westpac closed 2200, a sharp annual rise that they attributed to improved detection capabilities, which drove a 29 per cent decrease in customer scam losses.
Ken Gamble, executive chairman of cybercrime investigation firm IFW Global, said Australian bank accounts remained a critical component of many scams.
“Victims are very nervous about paying money overseas these days, but they’re very happy to pay it into an Australian account, so it gives credibility to the relevant scam … and it lends credibility because it’s a major bank, and banks are trusted.”
He said he was aware of cases in which student money mules had been paid thousands to set up fraudulent corporate bank accounts, which have become more valuable as banks roll out account name verification technology.
In one case detailed by federal authorities, $300,000 stolen from a Melbourne woman in a bank-impersonation scam was transferred into 11 mule accounts, and then withdrawn from ATMs soon after.
Investigators established that most of the mule accounts used in the swindle belonged to Indian students who had opened the accounts using their legitimate identification details. However, the students had already returned to India when the stolen money was withdrawn, indicating someone else had control of the accounts.
Read the full article here
