Intended to allow traditional brick-and-mortar banks to compete with online-only payment platforms and wallets, Zelle is automatically available to account holders at most of the biggest bank chains in the United States. Unsurprisingly, that has made it a prime target for criminals. Zelle fraud has become rampant, and attacks frequently begin with a fake notification of a suspicious transaction that appears to be coming from the bank itself.
Zelle fraud allows quick access to bank accounts
Zelle is a shared service funded by some of the biggest banks in the US: Bank of America, Capital One, JPMorgan Chase, US Bank and Wells Fargo among them. Customers of these banks can generally register for the service from within their online banking accounts, facilitating direct transfers to and from them.
Zelle urges its users to only transfer money with parties that are known to them, given that the service has no form of fraud protection. However, the service was meant to allow banks to compete directly with platforms such as PayPal and it is not uncommon for people to use it that way for purchases. This has created a thriving market for Zelle fraud.
Access to a target’s Zelle account allows the attacker to fund it with potentially thousands of dollars a day (and tens of thousands of dollars per month) before hitting the bank limit. Those funds are drained directly from checking and savings accounts, and victims sometimes have little recourse once compromised.
Saryu Nayyar, CEO of Gurucul, notes that the attack is best countered by a policy of simply never giving out account information over the phone and independently verifying any calls or messages that seem to come from your bank: “Social engineering represents one of the most common ways of obtaining personal information. The answer is to never, ever give out such information. While that’s easy to say, it’s hard to put into practice if someone is talking to you on the phone. But Zelle users need to resist the impulse to do so.”
Zelle fraud frequently begins with a phony security message
Ironically, the most popular form of Zelle fraud opens with a fake notification that makes account holders believe they may have been a victim of Zelle fraud.
Scammers have been observed using spam techniques, blindly sending out thousands of text messages at a time to potential account holders. The messages appear to come from a legitimate bank and ask the recipient if they recently made a large Zelle purchase of some sort that has been flagged as suspicious.
Those that respond to the message soon receive a follow-up phone call, with a social engineering scammer on the other end pretending to be from the fraud department of the recipient’s bank (and often even going so far as to spoof the bank’s legitimate phone number). The purpose of this ruse is to intercept the target’s two-factor authentication code, which the scammer is able to generate to the victim’s device using the bank website. The Zelle fraudster then gets the victim to read the code over the phone, and then uses it to change the username and login to a new email address and promptly drain the account via Zelle payments to their own bank.
More important to the scam is hitting upon the right bank; victims have reported that they had not even heard of Zelle prior to the scam message, but went along with it anyway as it appeared to be coming from their actual bank. While most bank customers do not use Zelle (the company estimates that over 100 million account holders now have access to it, but various independent estimates of monthly active users indicate as few as 20 million are actually using it), many American bank customers have likely at least seen the name associated with their online accounts or in a promotional email from their bank.
This has obviously left many people upset. Banks are using the dodge of labelling Zelle a “third party company” that customers can “opt to do business with,” but also hold ownership stakes in it (via a shared company called Early Warning Systems LLC) and promote it through their own channels as a user account feature. Rajiv Pimplaskar, CRO of Veridium, sees the high success rate of Zelle attacks as an indictment of the state of banks’ anti-fraud teams as it is a matter of individual security: “The proliferation of P2P (Peer To Peer) and PSPs (Payment Service Providers) is the result of the payment industry-wide shift to online, which offers more flexibility and choice for customers but is also facilitating growth channels for money laundering and fraud. Consumer fraud is rapidly adapting towards transactions, with fraudsters developing insidious new ways to target vulnerable individuals. The expanded attack surface is also stressing the fault lines and gaps in the banking systems traditional AML systems (Anti Money Laundering) and customer authentication methods.
There is some legal debate over whether these banks actually can wash their hands of any responsibility for Zelle fraud. Some analysts are arguing that any electronic transfers of this nature are automatically protected by the Electronic Fund Transfer Act, which also puts caps on damages consumers can take from credit card fraud. The bank argument against this perspective is that the Zelle fraud does not constitute an “unauthorized transaction” under the terms of this law if the consumer agrees to and initiates it, a position that certainly will not make them any more popular with customers who have been victimized. In an email to reporters at Toms Guide, the Consumer Financial Protection Bureau appeared to support the view that the Electronic Fund Transfer Act applies to Zelle fraud due to banks being forbidden from citing consumer negligence as an excuse. However, they are only obligated to open an investigation into the matter, though the law says that if a debit card was used in the transaction the consumer is limited to $50 maximum in liability if the bank was contacted within two days of the incident.