November 19, 2021

One of the more common ways cybercriminals cash out access to bank accounts involves draining the victim’s funds via Zelle, a “peer-to-peer” (P2P) payment service used by many financial institutions that allows customers to quickly send cash to friends and family. Naturally, a great deal of phishing schemes that precede these bank account takeovers begin with a spoofed text message from the target’s bank warning about a suspicious Zelle transfer. What follows is a deep dive into how this increasingly clever Zelle fraud scam typically works, and what victims can do about it.

Last week’s story warned that scammers are blasting out text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text. Here’s what one of those scam messages looks like:

Anyone who responds “yes,” “no” or at all will very soon after receive a phone call from a scammer pretending to be from the financial institution’s fraud department. The caller’s number will be spoofed so that it appears to be coming from the victim’s bank.

To “verify the identity” of the customer, the fraudster asks for their online banking username, and then tells the customer to read back a passcode sent via text or email. In reality, the fraudster initiates a transaction — such as the “forgot password” feature on the financial institution’s site — which is what generates the authentication passcode delivered to the member.

Ken Otsuka is a senior risk consultant at CUNA Mutual Group, an insurance company that provides financial services to credit unions. Otsuka said a phone fraudster typically will say something like, “Before I get into the details, I need to verify that I’m speaking to the right person. What’s your username?”

“In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.’”

The fraudster uses the code to complete the password reset process and sets a new online banking password for the victim’s account. The fraudster then uses Zelle to transfer the victim’s funds to others.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password.

Otsuka said in far too many account takeover cases, the victim has never even heard of Zelle, nor did they realize they could move money that way.

“The thing is, many credit unions offer it by default as part of online banking,” Otsuka said. “Members don’t have to request to use Zelle. It’s just there, and with a lot of members targeted in these scams, although they’d legitimately enrolled in online banking, they’d never used Zelle before.” [Curious if your financial institution uses Zelle? Check out their partner list here].

Otsuka said credit unions offering other peer-to-peer banking products have also been targeted, but that fraudsters prefer to target Zelle due to the speed of the payments.

“The fraud losses can escalate quickly due to the sheer number of members that can be targeted on a single day over the course of consecutive days,” Otsuka said.

To combat this scam, Zelle introduced out-of-band authentication with transaction details. This involves sending the member a text containing the details of a Zelle transfer – payee and dollar amount – that is initiated by the member. The member must authorize the transfer by replying to the text.

Unfortunately, Otsuka said, the scammers are defeating this layered security control as well.

“The fraudsters follow the same tactics except they may keep the members on the phone after getting their username and 2-step authentication passcode to login to the accounts,” he said. “The fraudster tells the member they will receive a text containing details of a Zelle transfer and the member must authorize the transaction under the guise that it is for reversing the fraudulent debit card transaction(s).”

In this scenario, the fraudster actually enters a Zelle transfer, which triggers a text like the following to the member, who is then asked to authorize it:

“Send $200 Zelle payment to Boris Badenov? Reply YES to send, NO to cancel. ABC Credit Union. STOP to end all messages.”

“My team has consulted with several credit unions that rolled Zelle out or are planning to introduce Zelle,” Otsuka said. “We found that several credit unions were hit with the scam the same month they rolled it out.”

The upshot of all this is that many financial institutions will claim they’re not required to reimburse the customer for financial losses related to these voice phishing schemes. Bob Sullivan, a veteran journalist who writes about fraud and consumer issues, says in many cases banks are giving customers incorrect and self-serving opinions after the thefts.

“Consumers — many who never ever realized they had a Zelle account — then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a recent Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”

“If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. “If a consumer initiates the transfer under false pretenses, the case for redress is more weak.”

Sullivan notes that the Consumer Financial Protection Bureau (CFPB) recently announced it was conducting a probe into companies operating payments systems in the United States, with a special focus on platforms that offer fast, person-to-person payments.

“Consumers expect certain assurances when dealing with companies that move their money,” the CFPB said in its Oct. 21 notice. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law. The orders seek to understand the robustness with which payment platforms prioritize consumer protection under law.”

Anyone interested in letting the CFPB know about a fraud scam that abused a P2P payment platform like Zelle, Cashapp, or Venmo, for example, should send an email describing the incident to BigTechPaymentsInquiry@cfpb.gov. Be sure to include Docket No. CFPB-2021-0017 in the subject line of the message.

In the meantime, remember the mantra: Hang up, Look Up, and Call Back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.


67 thoughts on “The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back”

  1. ReadandShare

    I will commit this to memory: No matter how convincing…ALWAYS HANG UP… and call the bank back myself.

      1. Joe

        I would always suggest calling back. I had a friend that got a similar message as the above and when he called the known number for his bank, he found out the text was legit. After he asked why they would send such a phishy text, they reversed the transaction and did all the new card/creds stuff. If he had ignored it he would have been out like $500 with the possibility of more since nothing would have changed.

    1. Kitkat

      Do NOT Google the number you want to call. Only trust the number on the back of a debit/credit card, bill or statement. There are too many fraudulent phone numbers that trick victims into thinking they have the correct number.

  2. Robert L Omer

    “If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds,” Sullivan said. Capital One Bank disagrees with Sullivan’s position. On 3 occasions they made unauthorized Zelle transfers from my account. I complained to CFPB. The response I got was “Capital One Bank did nothing wrong.” Bottom line, I am out hundreds of dollars.

    1. JPA

      Did you go to the link in the article that documented the quoted claims? The language there seemed quite clear to me. Perhaps the threat of legal action might make Capital One cough up the money.

      1. Bernie Ecklestone

        If YOU didn’t authorize a payment OR if payments were done under false pretenses then the ENTIRE TRANSACTION(S) IS *FRAUD*! AND ILLEGAL!
        I don’t care how *they* “interpret” it!

    2. Alexander Darr

      Attorney here (not legal advice).

      The journalist is spot on about Regulatory protections.

      *BUT*

      Please be aware that there is a short deadline required for Regulatory disputes (approximately 60 days). That could have an effect on your claim. Time is of the essence.

      And depending on how soon you notify the institution before the deadline, you can be stuck losing up to $500.

      Again, please just know time is of the essence and you want to reach out to an experienced attorney ASAP if you suffer fraud.

      1. Kitkat

        True fraud yes, scammed no. Banks do not have to take a loss if the customer gives remote access, account information, verifies a code, etc. If the customer plays a part in it then it is a scam.

        1. Elizabeth

          That’s not actually true. If you didn’t authorize it, you as a consumer are not on the hook – it’s the bank’s problem for not keeping the account secure. It’s different for businesses where the test is different. If a business gives out or allows someone to intercept their credentials used to secure the interface, the business is on the hook.

    3. Greg rice

      Idiot for falling for the attack. Who is to say it was not a conspiracy between you and your brother-in-law to defraud the bank? Caveat emptor.

      1. Phil

        It’s not helpful to criticise someone who lives in a society that is always pushing for the law-abiding & legitimate consumer to always follow the rules and to always trust authority.

      2. Frank

        Greg rice. The only idiot I clearly see is the one insulting victims of fraud. You are a weak person. I bet you used to wet the bed and cry when you got in trouble as a kid…..or still do. Either way I hope you get robbed and brutally assaulted, so I can kick you while you’re down. Chump

    4. PDCLarry

      I’m afraid your experience reconfirms what I have always known about Capital One.

      1. Alex

        It really makes you interpret their slogan, “what’s in your wallet”, differently.

    5. Matt

      How long ago was this? CFPB was neutered under previous administration but is supposed to see renewed investment. They’re supposed to be staffing up, etc. Oddly enough, there have only been 18 enforcement actions in 2021 though, which is lower than the previous year by a long shot.

    6. Kitkat

      True fraud is if the fraudster gains access to your account without your knowledge, assistance or consent. Otherwise it’s considered a scam and financial institutions do not have to take scams to loss.

    1. NCLawman

      Zelle is a product by Early Warning. Fi-Serv sells access and their “risk management” around it.

    2. nclawman

      Zelle is an Early Warning product – FiServ just sells access and their “risk management” wrapper around it.

    3. Banker

      Mention of FiServ in this context is warranted. FiServ is a core service provider to many banks, credit unions, and other financial institutions (“FI,” hence the brand FIServ). A core service provider manages every detail of every FI account. The FI itself doesn’t know how much money you have. FiServ knows — and your FI uses FiServ to look it up, or to change it. Core providers routinely manipul… umm… “convince” financial institutions to enable many unnecessary affiliate products (such as Zelle) for all FI customers. We, as FI customers, may never know that Zelle exists; likely will never know that it is linked to our accounts; and — unless we read disclaimers that few people do — certainly will never know that “FiServ” has our data. Your (anonymous) core provider has significant financial incentives to press management at your FI to make your accounts vulnerable to this scam. Here they are, boasting of their success: “We’ve turned Zelle on for 500 financial institutions, and will have more running on Zelle than the rest of the industry.”

      https://www.forbes.com/sites/ronshevlin/2021/11/22/can-banks-relationship-with-fis-fiserv-and-jack-henry-be-fixed/

      1. Whoever

        Banker, if I were you I would stop using that ID. I’m a true banker, running a Fiserv core, and I know more about Zelle than apparently most of the commenters on this page, including and especially, you. Signing up for Zelle is optional with any Fiserv core and the experience is quite paper-laden and lengthy. Someone or some team in your organization went through that process. Just because you are a janitor at NASA doesn’t make you an astronaut. I suggest you have a similar relationship with your employer.

    1. RBH-Banker

      “Early Warning Services, LLC”, which is owned by 7 of the largest banks in the US (B of A, BB&T/Truist, Capital One, JP Morgan Chase, PNC Bank, U.S. Bank and Wells Fargo), owns Zelle.

      1. leon stansfield

        Finserv is just another way for bhats and thieves or the gooberment to steal your money.
        Who cares about a platform if you have money management and self discipline.

        The technoratty are not untouchable.. they just think they are like Goldman gang who build financial debt scams.

    1. Phil

      You could disable it in your online account. But then the scammer will just re-enable it. In my case, I didn’t know about Zelle until I tried paying someone out of state for a title they had listed on craigslist. I had to enable the Zelle feature before it would work, but that would only be a few extra steps for a scammer to get through. And then the payment was stopped due to a fraud alert, so I decided maybe the CL ad really was too flaky to continue with. The seller had claimed that he was opposed to the way banks charge fees and that Zelle was the only method of payment that he would accept. I had at first asked if Paypal would work. No telling but that there might have been an ‘escalation’ on the seller’s part if I had ignored the fraud alert.

    2. Kitkat

      The feature may be there automatically but you have to actually sign up for active service with Zelle.

  3. M L

    Proof again that US banks’ 2FA solutions are inadequate and that banks are not doing enough to protect customer assets.
    Brian, thanks for this article.

    1. M

      THIS^

      Please, at the very least, just let me use the Auth-app of my choosing. Or even better my hardware key.

  4. Dopey-o

    What happens if the victim texts back “yes”? If i understand correctly, without my username, scammer is unable to progress?
    However, this is a good reason not to use one’s email address as a login name, amirite?

    1. Just a guy

      Tell me you didn’t read the article without telling me you didn’t read the article. Both of your statements/questions are clearly addressed in the article.
      1- they call you regardless of what you answer
      2 – they ask for your username to initiate the password reset process and get you to read them the one time code sent as a result

  5. Bernie ecklestone

    A side note: Zelle DOES cap transaction amounts (I can’t accept rental payments from some properties because $2k is too much (from one person)).

    Sadly they don’t limit the number of transactions.

    1. Beeker25

      Depends on the bank, one bank I have it can be up to $2500 and another only $500. If I want to transfer a larger amount, I have to use the transfer option not Zelle. If you still want to go through the Zelle route, you have to split the amount and it will take up to the number of limit per day.

      1. Kitkat

        It depends on the type of bank account associated with the Zelle account on what the limit is.

  6. Lautaro Barrera

    Many banks notify customers about any new Zelle recipient, limit the amount allowed to be sent to new recipients, or require (in addition to entering a one-time code) some other piece of PII. That, I think, makes Zelle secure enough for any person with a minimum of concern about security.

    1. Phil

      That’s exactly the sort of ‘professional point of view’ that scammers rely on. However, when you say: ‘many’, just what percentage of financial institutions do you think that is?

    1. Moike

      Although SMS can often be defeated as a security measure, they don’t normally steal by SIM swapping in the Zelle fraud. The trick would be nearly as effective with a scammer telling you “To stop this transaction, place your finger on your hardware security key now”.

      1. G.Scott H.

        SMS vulnerabilities go beyond SIM swapping. SMS barely raises the bar over username and password authentication. In this instance it highlights other bad uses of SMS, spoofed fraud notifications which then actually lead to fraud. SMS has no means of validating the sender. Email has a lot more metadata which could be used to validate a message source. Unfortunately, most people would have trouble doing so.

        Your example of placing a finger on a hardware key would not grant a scammer access, it does not by secure design support remotely authenticating a remote alternative session. All that could result from your example is the potential victim accessing their own account, not much use to a scammer.

  7. Jenny

    Thanks again Brian, I’ve shared this with friends and family. This info is invaluable!

  8. BarryH

    It’s my understanding that business accounts are not protected by Regulation E like personal accounts are.

  9. Ren

    Thank God for the CFPB and Senator Warren! Think about that the next time they want to dismantle it.

  10. Steve Goddard

    SME from Featurespace here. Psychologically we are disarmed by being contacted by two different methods referencing each other, and this builds trust in our heads; teamed with talk of a payment method we know nothing about, we are primed for the fraudster to take advantage of us.

  11. Gavin

    The only issue I’d take in the advice “Hang up, Look Up, and Call Back” is the word “Back.” The whole point is to NOT call back the party that called you (the scammers pretending to be your bank). So while that should be obvious as it comes after the “Look Up” part, I can still see how it might go wrong in the heat of the moment.

    1) Victim gets a call, spoofed as a legitimate institution. Something about fraud.
    2) Victim remembers this advice, hangs up, and checks the number of their bank.
    3) It matches what the phone screen said, so they go to call history and “call back” the party that just called them.

    Would that record in call history connect them to the scammer, or to the real bank (because Caller ID was spoofed)? I don’t know the answer to that, but it feels like a risk in the advice to me.

    I don’t know how to make it quite so catchy, but the intended message is:

    Hang Up, Look Up, and Manually Dial The Real Number

    Obviously that’s why I’m not in marketing.

    1. G.Scott H.

      The “call back” in your step three would go to the number seen in the call history. So if the scammer spoofed the bank’s number then the call back would be to the bank and not the scammer.

  12. DeAnna Muhonen

    We are able to turn Zelle off on a global basis and only open it up when a customer requests it. We also send them a fraud prevention letter with things to watch out for.

  13. Brian McMullan

    Zelle was a BRILLIANT way for the “big 7” banks to both jettison their own independent P2P programs/apps AND generate non-interest income by licensing Zelle to regional and community banks and credit unions. It served THOSE purposes extremely well; but from a consumer protection perspective there are better options. Zelle is licensed (e.g. billed) based on asset size / number of customers; not just those who actually use Zelle – probably why Zelle is almost always enabled by default: turns “this thing is super expensive and not so many transactions” into “look at how many customers have it!” on the exec reports.

  14. Cee

    Would y’all say that Zelle is safer than Venmo, Cash App, etc.? I don’t use either. But I see where different banks push or endorse Zelle now.

  15. Hannah

    At my FI Zelle is behind our Bill Pay service. Bill Pay enrollment asks for out of pocket (soft credit pull) questions. You would not be able to use Zelle until you’ve then verified your account by waiting 2 business days for trial deposits. If you’re already enrolled in Bill Pay you would then need to enroll in Zelle, however there are no identity verifications besides a text code to verify the phone number. Having the initial Zelle enrollment behind another service with higher identity verification requirements is helpful, but SMS verifications are definitely not strong enough for transfers.
    As our security measurements evolve so will scammers. I think education is the key here. It is imperative for FIs to educate their customers (and non-customers) about these, and all types of scams.

  16. edy

    If I get a call from an unknown # not registered to my phone, I always answer the phone and say… hello, police department. After that, they hang up.

    1. RK

      Probably random. Targeting the largest US bank would give the highest percentage of “hits”.

  17. Evelyn Mazzella

    I am currently a victim of Zelle fraud. Someone transferred themselves $4725 from my business account to themselves. I posted the incident on twitter and was contacted by someone at Chase and they refunded me the money. However, now they are asking for the money back. I didn’t authorize the transaction. Chase is not being helpful at all to let me know how they came to the conclusion that I sent the money. They have told me to contact zelle but according to zelle Chase is responsible. Not sure where to turn and what my rights are. Chase is making me the thief instead of the victim.

  18. LargeMoose

    One part of preventing this kind of fraud is securing one’s comms. I encourage anyone who isn’t already doing it to use a VOIP phone system that allows you to set up whitelists and blacklists. I use Anveo, and they have been reliable for years. I even ported my old 212 area number to them, and I can use that number from anywhere in the world now. Setting up the VOIP does require some technical ability though, and Anveo is mostly targeted at service providers. There may be other, more consumer-friendly carriers.

    Anveo has a very nice system for generating filters to direct incoming and outgoing calls, so I set one up that allows incoming callers on my whitelist to ring the phone. Unknown callers get sent directly to voicemail, and my wife and I get email notifications with audio attached if they leave a message. The few spammers that leave messages get added to a blacklist: Thereafter any calls from that number get a “This number is no longer in service” message, followed by a hangup. We get very few spam calls, and none of them are ringing the phone.

    As for the cell phone, I use the Android “Do Not Disturb” settings to restrict calls to those from my contact list. I’m not sure if a spoofed number would get through though, and I don’t know if SMS is also filtered via this system.

    Unfortunately, the people who most need protecting are the least likely to be able to set up protections. Those of us who can must try to help those who can’t. So far, the major carriers, and the government don’t seem too motivated to make comms more secure.

  19. Dan

    Brian,

    I think these scams could be prevented if banks required enhanced identity verification (e.g., in-person branch visit) for certain high-risk activities when performed in the 72-hour window following a successful “forgot password” reset. The idea is to buy some time to allow the victim and/or bank to recognize the fraud attempt.

    Each time a customer attempts to send money via Zelle, the bank should check for previous successful transfers for that sender-recipient combination. If this is the first transfer, then classify it as “high-risk”. Other high-risk activities include adding a new recipient for funds transfer or editing an existing recipient’s info (where allowed). A “low risk” activity would be a payment to a recipient who had been successfully paid before the password reset.

    This concept is similar to the “account age / seasoning check” that a bank performs on new accounts.

    – Dan

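The attack chain in the article (username, read-back “forgot password” code, reset, Zelle transfer to a stranger) and the post-reset step-up rule proposed in Dan’s comment, modelled as an added detection example. This is illustrative code written for this page, not code from Zelle, any bank or any commenter; the 72-hour window, the event names and the sample timeline are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Cooling-off window after a completed "forgot password" reset (72 h, as Dan suggests).
RESET_WINDOW = timedelta(hours=72)

# Activities that are high-risk inside the window unless the payee was seasoned before it.
RISKY_KINDS = {"zelle_send", "payee_added", "payee_edited"}


@dataclass
class Event:
    ts: datetime
    kind: str                  # "password_reset", "zelle_send", "payee_added", "payee_edited"
    payee: Optional[str] = None
    amount: float = 0.0


def last_reset(events: List[Event], before: datetime) -> Optional[datetime]:
    """Timestamp of the most recent completed password reset strictly before `before`."""
    resets = [e.ts for e in events if e.kind == "password_reset" and e.ts < before]
    return max(resets) if resets else None


def paid_before(events: List[Event], payee: str, cutoff: datetime) -> bool:
    """True if this payee received a Zelle payment before `cutoff` (the reset time)."""
    return any(e.kind == "zelle_send" and e.payee == payee and e.ts < cutoff for e in events)


def classify(events: List[Event], idx: int) -> str:
    """Risk label for events[idx] given the chronological events before it:
    'normal'  - not a risky action, or outside the post-reset window
    'low'     - Zelle send to a payee already paid before the reset (Dan's low-risk case)
    'high'    - first-time payee, new or edited recipient: hold for step-up verification."""
    ev = events[idx]
    if ev.kind not in RISKY_KINDS:
        return "normal"
    history = events[:idx]
    reset_ts = last_reset(history, ev.ts)
    if reset_ts is None or ev.ts - reset_ts > RESET_WINDOW:
        return "normal"
    if ev.kind == "zelle_send" and ev.payee and paid_before(history, ev.payee, reset_ts):
        return "low"
    return "high"


def flag_account(events: List[Event]) -> List[str]:
    """Label every event in chronological order; 'high' means hold the action for step-up."""
    ordered = sorted(events, key=lambda e: e.ts)
    return [classify(ordered, i) for i in range(len(ordered))]


# Constructed sample timeline for one account (not real data). The payee name "Boris
# Badenov" is taken from the article's sample confirmation text.
T0 = datetime(2021, 11, 15, 9, 0)
SAMPLE = [
    Event(T0 - timedelta(days=30), "zelle_send", payee="Landlord", amount=1200.00),
    Event(T0, "password_reset"),                                   # OTP read back to the caller
    Event(T0 + timedelta(minutes=5), "zelle_send", payee="Boris Badenov", amount=200.00),
    Event(T0 + timedelta(minutes=6), "payee_added", payee="Natasha"),
    Event(T0 + timedelta(hours=1), "zelle_send", payee="Landlord", amount=1200.00),
    Event(T0 + timedelta(days=4), "zelle_send", payee="Natasha", amount=50.00),
]

if __name__ == "__main__":
    for ev, label in zip(sorted(SAMPLE, key=lambda e: e.ts), flag_account(SAMPLE)):
        print(f"{ev.ts:%Y-%m-%d %H:%M}  {ev.kind:15} {ev.payee or '-':15} {label}")
```

Only the two actions in the minutes after the reset are held; the seasoned landlord payment goes through as low-risk, and the transfer four days later falls outside the window and returns to normal controls.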
