Fraud on Zelle

Zelle is rife with fraud:

Zelle’s immediacy has also made it a favorite of fraudsters. Other types of bank transfers or transactions involving payment cards typically take at least a day to clear. But once crooks scare or trick victims into handing over money via Zelle, they can siphon away thousands of dollars in seconds. There’s no way for customers—and in many cases, the banks themselves—to retrieve the money.

[…]

It’s not clear who is legally liable for such losses. Banks say that returning money to defrauded customers is not their responsibility, since the federal law covering electronic transfers—known in the industry as Regulation E —requires them to cover only “unauthorized” transactions, and the fairly common scam that Mr. Faunce fell prey to tricks people into making the transfers themselves. Victims say because they were duped into sending the money, the transaction is unauthorized. Regulatory guidance has so far been murky.

When swindled customers, already upset to find themselves on the hook, search for other means of redress, many are enraged to find out that Zelle is owned and operated by banks.

[…]

The Zelle network is operated by Early Warning Services, a company created and owned by seven banks: Bank of America, Capital One, JPMorgan Chase, PNC, Truist, U.S. Bank and Wells Fargo. Early Warning, based in Scottsdale, Ariz., manages the system’s technical infrastructure. But the 1,425 banks and credit unions that use Zelle can customize the app and add their own security settings.

Tags: banking, fraud, scams

Posted on March 9, 2022 at 6:00 AM • 20 Comments

Comments

marc • March 9, 2022 7:48 AM

Article did not make it clear how the phone number of a victim ends up assigned to the Zelle account of the bad guy. Can anyone explain that part?

Jorn • March 9, 2022 8:41 AM

In Europe, the European Central Bank created an instance payment network which makes transfers in seconds and better designed from a security point of view. It is supported by most of the European banks often without extra costs.
https://www.ecb.europa.eu/paym/integration/retail/instant_payments/html/index.en.html

Maybe something FED could copy?

Winter • March 9, 2022 8:55 AM

Whenever I have been in the US, the antiquated and consumer unfriendly financial sector horrified me. I understand that people from Asia have the same response.

Why do people put up with it?

Ted • March 9, 2022 8:59 AM

@marc

It sounds like the victim did not have a phone number assigned to his Zelle account.

And so the thief could set up a Zelle account with the victim’s phone number. Getting some of this info is probably trivial, especially for thieves. So then when the victim sent money to “himself” via his phone number, it went to the thief’s account.

I have to wonder about MFA on the initial Zelle setup. Did this happen? Someone correct me if I’m wrong or missed anything.

Should we be expecting more of this? The banks, or Zelle, better figure something out here.

Me • March 9, 2022 10:26 AM

@Winter

You want to regulate the banks? What are you some sort of commie/liberal/leftest?

Sigh…

And sadly that works.

Winter • March 9, 2022 10:44 AM

@me
“You want to regulate the banks?”

I know. The freedom of consumers to be fleeced, deceived, and abused should never be curtailed

Highly Regulated • March 9, 2022 10:58 AM

Are we pretending banks are unregulated or even close to unregulated? @Me @Winter

Winter • March 9, 2022 12:14 PM

@Highly Regulated
“Are we pretending banks are unregulated or even close to unregulated?”

Illustrative response. Why should a consumer of a retail bank be conserned about the level of regulation if this regulation does not protect her against financial abuse and unnecessary financial risks, like identity theft and false transactions?

In general,the US regulation seems to be more conserned about protecting the interests of the bank owners than the losses of the small consumers using it’s services.

John Brown • March 9, 2022 12:32 PM

@Highly Regulated yeah, clearly it’s unfair that banks can’t issue their own currency or just completely make up money to lend out of thin air rather than having the fed do it. That needs fixing. I bet you have some interesting views on the age of consent too.

tim • March 9, 2022 3:03 PM

I have to wonder about MFA on the initial Zelle setup. Did this happen? Someone correct me if I’m wrong or missed anything.

The user experience of Zelle depends entirely on the bank. I have MFA with my bank. My husband doesn’t with his. Zelle is how he contributes to our mortgage every month and it works well for that purpose.

Since its a paywalled article (and I’m not sending NYT a dime until they fix their unsubscribe process) does it go into paypal, Venmo, or Apple Pay? All have a certain amount of fraud associated with them.

John • March 9, 2022 3:22 PM

hmm…

Banks hacking their own customers?

John

Ted • March 9, 2022 5:42 PM

@tim

You may be able to read the article if you block cookies on your browser. @Clive told me this. Thanks @Clive!

It’s curious that banks are responding variably to these fraud scenarios. From what I’m reading, some people are able to get their money refunded if they really leverage publicity and push for a favorable interpretation of Regulation E. How stressful.

One of the fraud victims in this story gave the authentication codes to the thief over the phone. But it seems like this was for the transaction. Not sure about the original phone number setup. Going on a limb to say this person was probably not a regular reader of security and fraud bulletins. I’m sure many, many people aren’t.

An Experian article says that Zelle money transfers move directly from one bank account to another. Apparently a lot of money is transferred through Zelle – to the tune of $490 billion last year. The NYT article said it’s unknown how much fraud happens through Zelle because banks aren’t required to report it.

Glad you all have had a good experience.

Kingo • March 9, 2022 5:44 PM

Sorry but all the cases in this article were user error. Lock your phone. Never Zelle someone you don’t know. A transfer is, by definition, authorized if you or your phone did it. If you don’t accept that, don’t use Zelle.

Ted • March 9, 2022 5:59 PM

@tim

For the record, I think banks bear a greater responsibility to protect customers here.

mow • March 9, 2022 9:02 PM

@Ted
Must’ve been for the account setup. Why would the thief need authentication codes for the transaction when the victim confirms that in his app?

Ted • March 9, 2022 10:43 PM

@mow

Oh gosh that’s a good question. Unfortunately, I haven’t used Zelle so I’m not familiar with the nitty-gritty of how it works. As @tim and the NYT’s article pointed out, banks can customize the app and add different security settings. The article is missing lots of detail here, but I think it would be good to know more too.

The article adds that the Consumer Financial Protection Bureau is aware of the problem and is considering how best to address it. So hopefully, they’ll investigate and issue good guidance.

Honestly, I thought financial institutions were a little more fraud-aware and customer-friendly than this. If so many people are experiencing a problem, it seems feckless and negligent for banks to shirk more responsibility. I would love to be a fly on the wall in these conversations.

MK • March 10, 2022 12:50 AM

Thanks for that report. I had Zelle on my phone because one shop wanted me to use it to pay them. Unfortunately, my bank is not part of the Zelle network. Fortunately, tht limits my transfers to the daily limit of my ATM card. Unfortunately, that wasn’t enoubh. Fortunately, I just removed Zellle from my phone and deleted the account.

tfb • March 10, 2022 2:50 AM

Other types of bank transfers or transactions involving payment cards typically take at least a day to clear.

They do? Not in parts of the world where bank regulators are competent they don’t, not since people realised in 2007-2008 that having transactions taking hours or days to clear means that everyone is exposed to far more counterparty risk than they need to be. In those parts of the world small transactions clear essentially instantly. In the UK this is called ‘faster payments’, and it started sometime in 2008.

David Leppik • March 10, 2022 4:40 PM

“Early Warning Services.” Quite the ironic name.

billy jack • March 15, 2022 5:55 AM

One potential problem would be for those like me who do not use on-line banking. I used to be happy that to use on-line banking at my bank I would have needed to go to the bank where nearly everyone knows me and fill out the forms in person in front of them. Since then, the bank has merged with a bank that was having some problems in a large city and it is no longer necessary for someone to go to the bank to set up on-line access to an account. I do not think that it would take much for someone else to create a login to get to my bank account, enable Zelle, and empty out my account.

So it is time to create an on-line banking username and password for myself to keep someone else from doing it for me. Naturally with a password that would take many thousands of years to brute force.

Fraud on Zelle

Comments

Leave a comment Cancel reply