The Silent Gatekeepers: Banks and the Fight Against Cyber Fraud in India
In the shadow of every cyber fraud, there is a bank account. And increasingly, banks are being asked to be the last line of defence.
A System Exploited From Within
On May 29, 2026, Chandigarh's cybercrime police arrested two men — Salman Ansari and Bheem Saroj — for operating what investigators call "mule accounts": bank accounts deliberately opened to receive, park, and pass on stolen money from fraud victims spread across Delhi, Mumbai, Tamil Nadu, Goa, and Gujarat. The case, part of Operation Mule Hunt, offered a rare window into how cyber fraud networks exploit the very infrastructure of legitimate banking.
The mechanics were almost mundane in their simplicity. Saroj opened a fresh account. Ansari withdrew the funds via cheque and handed cash to the fraud network. Both earned a commission. The fraud victims were scattered across states; the money vanished through a Chandigarh branch. Nobody at the bank, apparently, noticed in time.
Cases like this one raise an uncomfortable question: what exactly are banks supposed to do — and what can they do — when their own systems are turned into plumbing for criminal enterprises?
Understanding the Mule Account Problem
A mule account is not a sophisticated cyberattack. It requires no malware, no hacking, no data breach. It exploits a simple vulnerability: the trust placed in a legitimately opened bank account.
Fraudsters recruit "mules" — often financially desperate individuals — to open or hand over accounts. Once the stolen money arrives, it is rapidly moved, withdrawn as cash, or layered through multiple accounts across different banks and states, making recovery nearly impossible. By the time a victim files a complaint on the National Cyber Crime Reporting Portal (NCRP), the money has already moved two or three accounts away.
The Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs has flagged thousands of such accounts in recent years, passing leads to state police. But flagging accounts after the fact is not the same as preventing the fraud.
The Bank's Dual Role: Victim and Vehicle
Banks occupy an uncomfortable dual position in the cyber fraud ecosystem. They are, in one sense, victims — their systems are exploited, their brand is used in phishing attacks, and their customers suffer losses that sometimes trigger regulatory action against the banks themselves. At the same time, banks are the vehicles through which fraud money flows. Without a bank account at each end of the transaction, most cyber fraud would simply not work.
This duality creates a corresponding dual obligation: banks must protect their customers from fraud, and they must ensure their infrastructure is not weaponised against other people's customers.
Indian banking regulation has evolved to reflect this. The Reserve Bank of India's guidelines on customer protection in unauthorised electronic transactions place significant responsibility on banks when fraud occurs through their systems. But regulation has been slower to mandate proactive fraud detection — the kind that flags a suspicious account before it receives stolen money, not after.
What Banks Can Do: The Technology Toolkit
Modern banks have powerful tools available for fraud detection that, when properly deployed, can intercept mule activity far earlier in the process.
Transaction monitoring systems analyse patterns in real time — flagging accounts that receive large sums from multiple unknown sources and then rapidly withdraw or transfer cash, which is the exact signature of a mule account. Rule-based systems catch obvious patterns; increasingly, machine learning models can catch subtler ones.
Know Your Customer (KYC) and account behaviour analytics compare how a customer actually uses their account against the profile provided at onboarding. A salaried professional whose account suddenly starts processing lakhs of rupees in pass-through transactions is an anomaly that should trigger review.
Network analytics are particularly powerful against organised fraud rings. Because mule accounts operate in clusters — money flows from Account A to B to C — graph-based analysis can map the web of accounts connected to a known fraud case and flag related accounts proactively.
Device and IP intelligence, used in digital banking, can identify when a mobile banking session is being controlled by a third party, or when account access patterns suggest the legitimate owner is no longer in control.
Velocity checks — limits on how quickly money can move through an account — are a blunt but effective tool that several banks have deployed, particularly for new accounts.
The technology exists. The question is whether it is deployed at scale, and whether banks are adequately incentivised to use it.
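The pass-through signature and the network analytics described above, sketched as an added example (written for illustration here, not any bank's or vendor's system). The ledger, account names, the `CASH` marker and all thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ledger: (time, from_account, to_account, amount in INR).
# "CASH" is a cash or cheque withdrawal. Every account and amount is invented.
TXNS = [
    ("2026-05-01 10:00", "V1", "M1", 90000),
    ("2026-05-01 10:20", "V2", "M1", 120000),
    ("2026-05-01 11:05", "V3", "M1", 75000),
    ("2026-05-01 13:30", "M1", "M2", 200000),
    ("2026-05-01 15:00", "M1", "CASH", 80000),
    ("2026-05-01 16:10", "M2", "CASH", 195000),
    ("2026-05-01 09:00", "EMP", "S1", 60000),       # ordinary salary credit
    ("2026-05-06 12:00", "S1", "LANDLORD", 20000),  # ordinary rent payment
]

def parse(txns):
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), s, d, a) for t, s, d, a in txns)

def pass_through_alerts(txns, window_hours=24, min_senders=3, min_ratio=0.8):
    """Flag accounts credited by several distinct senders that pay most of it out within the window."""
    rows, flagged = parse(txns), set()
    credits = defaultdict(list)
    for ts, _, dst, _ in rows:
        if dst != "CASH":
            credits[dst].append(ts)
    for acct, starts in credits.items():
        for start in starts:                      # slide the window over each credit
            end = start + timedelta(hours=window_hours)
            inside = [r for r in rows if start <= r[0] <= end]
            senders = {s for _, s, d, _ in inside if d == acct}
            money_in = sum(a for _, _, d, a in inside if d == acct)
            money_out = sum(a for _, s, _, a in inside if s == acct)
            if len(senders) >= min_senders and money_out >= min_ratio * money_in:
                flagged.add(acct)
    return flagged

def downstream_accounts(txns, seeds, max_hops=2):
    """Breadth-first walk along outgoing transfers only, so upstream victims are not swept in."""
    edges = defaultdict(set)
    for _, src, dst, _ in parse(txns):
        if dst != "CASH":
            edges[src].add(dst)
    hops, queue = {s: 0 for s in seeds}, deque(seeds)
    while queue:
        acct = queue.popleft()
        if hops[acct] == max_hops:
            continue
        for nxt in sorted(n for n in edges[acct] if n not in hops):
            hops[nxt] = hops[acct] + 1
            queue.append(nxt)
    return {a: h for a, h in hops.items() if h > 0}  # {account: hops from a flagged account}
```

On this ledger the rule flags only M1; M2 receives from a single sender and passes the rule, but the graph walk from M1 surfaces it one hop downstream.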
The Incentive Problem
Here is the uncomfortable truth: mule accounts are often opened at the bank's own branches, by people presenting valid KYC documents. The fraud, from the bank's perspective, is not immediately visible. The account holder is a legitimate customer. The incoming funds look like ordinary transfers. The bank has collected its account maintenance fees and moved on.
The cost of the fraud — the emotional and financial devastation visited on the victim — is borne almost entirely outside the bank's balance sheet. This creates a classic market failure: the bank lacks a direct financial incentive to invest heavily in detecting fraud that harms people who bank elsewhere.
Regulatory intervention is the natural corrective. In the United Kingdom, banks are now required under the Authorised Push Payment (APP) fraud reimbursement rules to compensate victims of fraud that moves through their systems — including the receiving bank, not just the sending bank. This change fundamentally altered the calculus: banks that host mule accounts now face direct financial liability, and investment in mule detection rose sharply as a result.
India has not yet gone this far. Regulatory pressure has focused on the sending bank's obligation to the victim, not the receiving bank's role in the ecosystem. A policy shift in this direction could dramatically change how seriously banks take mule account detection.
The RBI's Evolving Framework
The Reserve Bank of India has progressively tightened the screws. The creation of a centralised fraud registry, requirements for faster reporting of fraud cases, and guidance on transaction monitoring are all steps in the right direction. The integration of banks with the I4C's ecosystem — which allows cybercrime leads to be shared with financial institutions in near real-time — is perhaps the most important development of recent years.
The Chandigarh case itself illustrates how this coordination can work: I4C flagged the accounts to Chandigarh police, who made the arrests. What remains unclear is why those accounts were not frozen faster once the flag was raised, and whether the victims' money was recovered.
Faster account freezing is an area where the framework can improve. The current process involves police obtaining court orders or invoking specific provisions — a sequence that takes days or weeks, during which money has already left the country or been converted to cash. A streamlined mechanism for banks to provisionally freeze flagged accounts pending verification, similar to what exists in Singapore's banking code, would close this window.
Customer Education: The Underrated Weapon
Technology and regulation address the systemic dimension. But many cyber frauds begin with a human failure — a victim who transfers money believing they are talking to a bank official, a courier, or a government officer.
Banks are uniquely positioned to run sustained, contextual customer education. Unlike government campaigns, which are generic and easily ignored, banks have a direct relationship with each customer. A message that arrives in a banking app the moment a user is about to make an unusual transfer carries far more weight than a newspaper advertisement.
Several banks in India have begun deploying real-time warnings — pop-ups that appear when a customer is about to transfer money to an account flagged as high-risk, or when the transaction pattern matches known fraud typologies. These nudges are simple and low-cost, and evidence suggests they work.
What is needed is standardisation: the RBI should require all scheduled commercial banks to deploy such warnings, not leave it to individual initiative.
The Path Forward
The Chandigarh mule account case is not exceptional. It is representative of thousands of cases filed on the NCRP every month. What makes it instructive is the clarity it provides about the chain of complicity: the fraudsters who ran the scheme, the mules who provided cover, and the gaps in the banking system that made it all possible.
Closing those gaps requires action on several fronts simultaneously. Banks need to invest in and deploy the fraud detection tools that already exist. Regulators need to align financial incentives — making banks that host mule accounts bear a share of the cost. The I4C's coordination role needs to be deepened, with faster information sharing and faster freeze mechanisms. And customers need better, more contextual warnings at the moment of transaction.
India's cyber fraud problem is not unsolvable. It is a coordination failure, an incentive problem, and a technology deployment lag — all of which are fixable. The question is whether the urgency felt by fraud victims, which is acute and immediate, will translate into the sustained institutional attention the problem demands.
The arrests in Chandigarh are a start. But mule hunters should not have to wait for tips from a central portal to find accounts that sophisticated analytics could have flagged weeks earlier. Banks are the gatekeepers of the financial system. It is time they were equipped — and required — to act like it.
This article draws on the Tribune India report dated May 31, 2026, on Operation Mule Hunt, Chandigarh.