Have Fraudsters Found the Keys to Unlock Zelle?

Zelle, the revolutionary new app that allows you to send and receive money directly from your bank, launched with much fanfare earlier this month.  The app was launched as a partnership between EWS and the largest banks here in the US to kill Venmo.   The standalone app allows you to connect both your bank account and debit card to send funds.

Unlike Venmo which requires users to cash out their balances at the end of the day, the app promises “instant access to your funds” which can be appealing when you need your money right away.

This instant access is both appealing and scary at the same time.  As a consumer, it means I can get my funds right now.  But so can the fraudsters.

Fraudoption Is Always High With Instant Payments

As we know, fraudsters are always the first to adopt new technology around faster payments.  I call that phenomenon – Fraudoption (Fraud + Adoption).   How quickly fraudsters adopt the technology is determined how quickly they can figure it out, and then how quickly can they get paid.

If the Reddit chat boards are any indication of fraudsters activity, it appears that there are signs they might be having some success.

In the last 24 hours, multiple messages have appeared where fraudsters are communicating about Zelle.

Zelle is a Money Machine Right Now.. Spartanfox

The messages appear to indicate that fraudsters are looking for “bank drops” which are accounts that are opened with fraudulent credentials.  These bank drops enable the fraudsters to receive money from stolen accounts.  They essentially act as mule accounts which can be used by fraudsters to gain access to funds.

And it appears that there are quite a few fraudsters willing to split proceeds either through Bitcoin or wire transfers.

Since the app allows consumers to link their bank accounts as well as debit card accounts, it’s unclear where fraudsters have found the exposure point.  I tried to test the enrollment process with my own Zelle app which I downloaded here – Zelle Pay.    I was unable to hook up any of my accounts to the app at the time.

Instant Payments are Never 100% Secure

If in fact, it took less than 2 weeks for fraudsters to turn yet another instant payment service into a “money machine” it just goes to show that fast money always equal fast fraud.  This has happened time and time again and no secure payment system is impenetrable against fraud.  Even Apple Pay launched with problems a couple of years ago.

You cannot rely on technology alone to prevent fraud.  Keep your eyes on the fraud, and always remember Fraudsters are always the first to adopt convenience.

I will certainly be monitoring this and see what develops.

Update **October 7th **

I read a post from Reddit yesterday that sheds more light on the method fraudsters were using to expose Zelle.  It also appears that Zelle has closed down that loophole.

In a Post Called “Is the Zelle Method Burnt?”,   it appears that fraudsters were taking advantage of a loophole which allowed them to register a phone number and receive the activation code that wasn’t associated with the debit card.  Fraudsters could enter their own number and it wasn’t checked.

That loophole appears to have been closed.  So the fraudsters are moving on.  What’s next?  Venmo?  Square?


Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego California

  • Andy Herman

    I just got hacked by someone using Zelle, they called me pretending to be Wells Fargo fraud prevention, told me someone changed my password and login, and that I needed to verify myself by repeating a code sent to my phone, I did and little did I know I authorized a payment using Zelle and they stole $2,500!! Some how they got my bank info I am still not sure yet, but now my account locked and I got tricked 🙁

    Be careful there is a team doing this and it has been happening to people a few months now. Don’t make a dumb mistake and read a Zelle authorize key to someone on the phone!

  • Hi Andy, I am sorry to hear that your money was stolen like this. I have a question, were you refunded the $2500 or did you have to take the loss?

  • Harlow Slo

    This exact thing just happened you me 3 days ago for the exact same amount~ $2500. I zipped it over to the bank and they tried to send me another code to get another $2500. The banker heard them on the phone! Strange thing is though, when calling the number back, the actually originated at the Wells Fargo Fraud and Prevention division!!! Inside job?? Changing banks, can’t trust Wells Fargo anymore. Not just because of this but because they backed the South Dakota pipelines so this was just motivation.

  • Frank McKenna

    Harlow. I am sorry to hear of your troubles. Sometimes fraudsters spoof the phone numbers to make it look like they are calling from the bank. There is software out there where they can do just that and it can give people a false sense of security that the call is coming from the bank itself.