Have Fraudsters Found the Keys to Unlock Zelle?

Zelle, the revolutionary new app that allows you to send and receive money directly from your bank, launched with much fanfare earlier this month.  The app was launched as a partnership between EWS and the largest banks here in the US to kill Venmo.   The standalone app allows you to connect both your bank account and debit card to send funds.

Unlike Venmo which requires users to cash out their balances at the end of the day, the app promises “instant access to your funds” which can be appealing when you need your money right away.

This instant access is both appealing and scary at the same time.  As a consumer, it means I can get my funds right now.  But so can the fraudsters.

Fraudoption Is Always High With Instant Payments

As we know, fraudsters are always the first to adopt new technology around faster payments.  I call that phenomenon – Fraudoption (Fraud + Adoption).   How quickly fraudsters adopt the technology is determined how quickly they can figure it out, and then how quickly can they get paid.

If the Reddit chat boards are any indication of fraudsters activity, it appears that there are signs they might be having some success.

In the last 24 hours, multiple messages have appeared where fraudsters are communicating about Zelle.

Zelle is a Money Machine Right Now.. Spartanfox

The messages appear to indicate that fraudsters are looking for “bank drops” which are accounts that are opened with fraudulent credentials.  These bank drops enable the fraudsters to receive money from stolen accounts.  They essentially act as mule accounts which can be used by fraudsters to gain access to funds.

And it appears that there are quite a few fraudsters willing to split proceeds either through Bitcoin or wire transfers.

Since the app allows consumers to link their bank accounts as well as debit card accounts, it’s unclear where fraudsters have found the exposure point.  I tried to test the enrollment process with my own Zelle app which I downloaded here – Zelle Pay.    I was unable to hook up any of my accounts to the app at the time.

Instant Payments are Never 100% Secure

If in fact, it took less than 2 weeks for fraudsters to turn yet another instant payment service into a “money machine” it just goes to show that fast money always equal fast fraud.  This has happened time and time again and no secure payment system is impenetrable against fraud.  Even Apple Pay launched with problems a couple of years ago.

You cannot rely on technology alone to prevent fraud.  Keep your eyes on the fraud, and always remember Fraudsters are always the first to adopt convenience.

I will certainly be monitoring this and see what develops.

Update **October 7th **

I read a post from Reddit yesterday that sheds more light on the method fraudsters were using to expose Zelle.  It also appears that Zelle has closed down that loophole.

In a Post Called “Is the Zelle Method Burnt?”,   it appears that fraudsters were taking advantage of a loophole which allowed them to register a phone number and receive the activation code that wasn’t associated with the debit card.  Fraudsters could enter their own number and it wasn’t checked.

That loophole appears to have been closed.  So the fraudsters are moving on.  What’s next?  Venmo?  Square?

 

Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego California

  • Andy Herman

    I just got hacked by someone using Zelle, they called me pretending to be Wells Fargo fraud prevention, told me someone changed my password and login, and that I needed to verify myself by repeating a code sent to my phone, I did and little did I know I authorized a payment using Zelle and they stole $2,500!! Some how they got my bank info I am still not sure yet, but now my account locked and I got tricked 🙁

    Be careful there is a team doing this and it has been happening to people a few months now. Don’t make a dumb mistake and read a Zelle authorize key to someone on the phone!

  • Hi Andy, I am sorry to hear that your money was stolen like this. I have a question, were you refunded the $2500 or did you have to take the loss?

  • Harlow Slo

    This exact thing just happened you me 3 days ago for the exact same amount~ $2500. I zipped it over to the bank and they tried to send me another code to get another $2500. The banker heard them on the phone! Strange thing is though, when calling the number back, the actually originated at the Wells Fargo Fraud and Prevention division!!! Inside job?? Changing banks, can’t trust Wells Fargo anymore. Not just because of this but because they backed the South Dakota pipelines so this was just motivation.

  • Frank McKenna

    Harlow. I am sorry to hear of your troubles. Sometimes fraudsters spoof the phone numbers to make it look like they are calling from the bank. There is software out there where they can do just that and it can give people a false sense of security that the call is coming from the bank itself.

  • Griffin Griffiniv

    We only got hacked for $750 so far from the Zelle application. Suntrust apparently switched to the service a month and a half ago. The hack against our account took the form of 30 transactions for $25 each. Sucks since they timed it to be over the New Years weekend when SunTrust is on vacation and you can’t talk to anyone to fix. I would not trust any bank that uses Zelle at this point.

  • friedalovesbread

    I had not heard of Zelle until 3 days ago, when my TMobile mobile number was ported to another provider without authorization and while my phone was rendered “inactive” due to the port, I did not get any notifications of a Zelle transfer via email through my bank. (Wells Fargo). My phone number is only attached to my Chase account, which *automatically* enrolled me in Zelle. By the time I got my phone operative via the TMobile store 90 minutes later, I discovered the fraudulent Zelle transfer. Contacted Wells Fargo and they said they tried to call me (“This number is no longer in service”) when they saw the Zelle request, but allowed it to go through. $1,000 gone in less than 5 minutes.
    Wells Fargo claims to be aware of the problem and is now limiting the number of Zelle transactions that can be made. This application needs to be scrapped ASAP.

  • friedalovesbread

    I discovered that many banks use Zelle, as they are competing with Venmo. If your bank uses Zelle, you may be automatically enrolled, as I was with Chase. If so, you will need to deactivate your Zelle account manually. I am waiting my 10 days through Wells Fargo to see if I can get my money back.

  • Gabriel Lither

    The exact same thing happened to me a few days ago. T mobile ported to metro PCS. It was a pain to get my number back. And now I have a new bank account. I don’t have my 1000$ back yet. What did you hear from Wells Fargo? They are my bank too.

  • friedalovesbread

    I have restricted access to my account and added another teir of security. It’s only been 3 business days and they tell me that it will take up to 10 business days to investigate and return my funds. I’m sorry this happened to you, too. It’s aggravating.

  • Gabriel Lither

    They pretty much told me the same thing. T-mobile tried to say I must have given out my PIN, but I know I didn’t, And WF told me they have seen hundreds of similar incidents over the last month. I only switched to T-mobile six weeks ago.

  • friedalovesbread

    I think it’s a breach with both WF and TMobile. I’ve been with Tmobile for over 20 years, when they used to be Voicestream and never had any problems till now. Ultimately, WF still authorized the transaction to go through, so they are mostly to blame, in my oponion.
    Tmobile uses the last 4 of your social, and I highly recommend you call and change it to another 4-6 digit PIN and add Port Validation to your cell phone lines to prevent your number from being ported in the future.

  • Gabriel Lither

    Thanks, I did that, so my line should be a little more secure. Unfortunately, when I called the bank today they told me every case takes ten business days. So I have over a week until I should get my money back. And it is a hassle getting new accounts and direct deposit, etc.
    BTW, love your user name. Who doesn’t love bread?

  • The exact same thing happened to me, I was at home and I didn’t bother to think if I had service as I was on wifi, the next thing I know I get a email notification saying that I registered for zelle and minutes later I get another email saying that I sent $1,000 to someone name Theon Johnson, I tried to call my bank but I couldn’t get through to anyone… Long story short I get in contact with my bank to dispute the transaction and I was told 3 days then 4 days then 10 days, basically giving me the run around.

    I spent almost hour and a half to 2 hours trying to prove who I am in the Tmobile store just to get my phone number back, and I asked them why was my number ported out because I had password protection on my account and no one bothered to ask for the correction information.

    The bank Fifth Third bank is denying my claim even though I presented evidence that I didn’t do this…. This is why I hate fucking banks because they don’t honor what they are suppose to do. They acted clueless to the fact that this has never happened before, if all the other banks know chances are they do also. I’m treated like some thief by them even when I proved that it wasn’t me that done this…

    Word of advice people DO NOT DO BUSINESS WITH FIFTH THIRD BANK !!