Here’s how hackers are using Zelle to raid bank accounts; and why victim was out $1,800 until I wrote to the bank

Stealing money using Zelle is apparently as easy as adding a phone number to a consumer’s checking account, and then telling the bank to “Zelle” money to a hacker-controlled account — at least in some cases.

When following up my story earlier this week about consumers who don’t even use Zelle get hit by Zelle fraud, a bank official told me that’s how it’s done. Criminals — potentially using stolen online banking credentials or credential stuffing attacks — add a cell phone they control to the user’s profile, then send money to the hacker’s account.

Zelle fraud emergency kit and FAQ

(UPDATE 4/29/19: Zelle has confirmed to me that consumers who are victims of this fraud are entitled to Reg E protection.. That means banks should not be denying disputes, and should be refunding consumers’ money. See full statement below. ) 

After the hacker’s mobile number is added to the bank account, the banks’ confirmation code to verify the transaction is misdirected to that fraudulent number, and the hacker confirms the transaction. So once the account is compromised, a fraudster is able to transfer money out of the account, I was told.

To be clear: Even consumers who don’t use Zelle can be victims of the crime. Many wouldn’t even know to look for money being Zelle’d out of their accounts. Worse yet, at least some victims who do complain are being told — erroneously — that they aren’t entitled to dispute the fraud.

So take this as a warning: If you have a checking account, scour it for potential Zelle fraud. If you get a message that a phone number has been added to your account, call your bank right away. And if the bank tells you that you can’t dispute the charge, keep trying. Cite this article, if you can.

When $1,800 was stolen from Eric Beckerle’s Bank of America account two weeks ago, he figured getting it back would be relatively painless. But when he used the bank’s normal dispute process, his claim was denied, and he was told he’d be out the $1,800.

By the time I found his Twitter complaints, Beckerle has smartly requested that the bank re-open its investigation.  I contacted Bank of America on Tuesday to learn more about Beckerle’s situation, and the next morning, his $1,800 had been returned.

“Thanks again for bringing this to our attention,” said BofA spokesperson Betty Riess. “We reached out to the customer and, based on our additional research and information confirmed by the customer, we determined that the account was compromised. We apologized for the delay in resolving the claim and have credited the customer’s account for the $1,800.”

Other consumers are complaining online that they are having trouble disputing Zelle charges, perhaps because banks have been deluged with complaints about the more “traditional” form of Zelle fraud: when Zelle users are suckered into sending money themselves to criminals. (In a typical scenario, a victim uses Zelle to pay an online stranger for concert tickets, but the tickets are never delivered). In that situation, Zelle and its member banks say, consumers are not entitled to refunds.  Financial institutions say that kind of incident is akin to handing cash to a criminal, and it’s not reversible.

But if a consumers’ money is stolen because a criminal hacked into their online bank accounts and added a fraudulent mobile number, that fraud should be covered by the banks’ standard dispute process. That’s more akin to a phishing attack followed by an online transfer, a scenario that the Federal Reserve has said in the past is covered by Regulation E, which entitles consumers to fraud protection.

UPDATE: Statement from Early Warning, the network operator of Zelle

“In a case where a consumer’s bank account or debit card is compromised, or a Zelle payment is made from a consumer’s account and not authorized by that consumer, consumers have rights under the Electronic Funds Transfer Act (also known as “Reg E”). Those consumers should contact their bank to determine an appropriate resolution.”

Read my story from earlier this week on this new kind of Zelle fraud.

 

 

 

 

 

Earlier this week,

Criminals can steal money from your checking

About Bob Sullivan 1364 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

8 Comments

  1. Forgive me if I missed this in the article.
    This seems somewhat similar to the problem that the US Social Security Administration’s insecure web account signup process had a couple of years ago, where a proactive step to reduce the risk was to sign up for the account ourselves, as only one account could be created per Social Security Number.
    Is there a similar step that consumers can take against Zelle fraud? If we set up Zelle directly on our bank’s own website, does that stop these fraudulent accounts from being associated with our bank account?

    I tried to search for “Can one bank account be used with two Zelle accounts” but I found no answers. (My assumption is that, if one bank account canNOT be used with two Zelle accounts, and if the legitimate owner of a bank account does set up Zelle either with Zelle itself or with their bank directly, then that should be protective).

    thanks.

  2. I had a Zelle transfer out of my Bank if America account for $800 that I did not authorize. I have provided copies of police reports, talked with the bank fraud department and advocacy representatives and have gottne nothin but frustration. I filed a complaint with CFPB amen still nothing. Can you help me? I don’t know where else to turn. Thank you.

  3. We don’t use Zelle and just found out our checking account has been robbed of over 2400 dollars in less than two weeks. Our bank will reimburse but they have to eat it because there is no way to go after these hackers. How do we find out who these are and have them prosecuted? We have two names that the money is going to and supposedly in Arizona.

  4. I just noticed $499.00 gone from my NC State Employees’ Credit Union checking account July 21, 2019. It was a Zelle transfer. I didn’t even know what Zelle was until my bank said I can’t dispute it and told me to contact Zelle. I know in my heart this can’t be correct because this is fraudulent activity and my account was compromised. I called Zelle and they confirmed I don’t have and never have had an account with them, but told me to call my bank and file a claim. I called the bank back and raised hell and finally the young man said he’ll file a claim! I think they’re stonewalling us. They need to figure out better security protocol.This is absolutely not my fault and I need my money. No one has contacted me yet, but he said if I don’t hear anything that is good news, that the amount will be credited. It’s disturbing that they are adamant about saying I can’t dispute the fraud one moment, but then they just give in when I get righteously angry! He read aloud the lawyer memo that they have to parrot. They know they’re going to be eat it I guess, but it’s not my fault. I better get a refund. I’m worried this will happen again now. I’m worried about other people! This is crazy!

  5. I had someone attempt to take $799 out of my checking account. The way they did it was to pirate(take over)my phone and add it to their device. They could then send a money transfer knowing nothing but a phone number. I call Bank of America and told them to deactivate Zelle from my account and was informed that it is built into my account and I have no choice but to have it. I did some more digging and found out that if I do not have a phone number connected to my account that they could not attempt transfers so easily.

  6. A couple years ago my account at BOA was broken into through Zelle, removed all my money. Research convinced me I wouldn’t get my money back. It was actually through my email, that’s what the trace said. I had no problem getting the money back. Two days later my Target account was broken into, both breaches were traced, very easily, back to the same thief, the police refused to take a report.

  7. MY DAUGHTER IN LAW – WHO IS 18 – JUST HAD $200 STOLEN FROM HER ACCOUNT VIA ZELLE – IT WAS 3 DIFFERENT TRANSACTIONS IN THREE DIFFERENT STATES – SHE NEVER RECV’D ANY KIND OF NOTIFICATION EITHER – SHE FILED A POLICE REPORT – NOW WELLS FARGO IS GIVING HER THE RUN AROUND CLAIMING THE CASE IS CLOSED BUT WONT TELL HER THE DECISION – THEY STATE SHE WILL READ IT IN THE LETTER THEY SENT – BUT ITS NOW BEEN A WEEK SINCE THEY CLOSED IT AND STILL NO LETTER. SHE CALLED BACK AGAIN AND THE PERSON ON THE PHONE HAD THE NERVE TO TELL HER “ITS ONLY $200” LIKE SHE SHOULDN’T CARE BECAUSE OF THE AMOUNT – SHES A COLLEGE STUDENT WORKING PART TIME TO PAY FOR CLASSES AND TUITION AND RENT- SHE WAS GOING TO USE THAT MONEY TO PAY FOR HER PSYCH CLASS AND NOW SHE DOESN’T HAVE ENOUGH AND THEY ARE THREATENING TO DROP HER FROM THE CLASS BECAUSE SHE CAN’T PAY THE FULL AMOUNT- PLUS THAT WILL CHANGE HER CREDITS SHES ENROLLED IN WHICH WILL CAUSE HER TO LOOSE HER SCHOLARSHIP THAT PAYS FOR A PORTION OF HER SCHOOLING – WHAT CAN WE DO? I MEAN I KNOW ITS $200 BUT THATS HER $200 SHE WORKS PART TIME AND GOES TO SCHOOL FULL TIME SO SHE DOESN’T HAVE A LOT OF MONEY – ANY ADVICE OR HELP WOULD BE GREATLY APPRECIATED

  8. In August 2019, Almost same fraud happen to my Bank of America account, thieve first add their contact no. in my BofA online account which I timely notice and removed that, than I changed my login ID, password and email. after couple of hours some how thieve get into my Tmobile account, call customer care and put forwarding on my calls, than after they reset my online account by sending verification code to forwarded no., add Zelle recipient and transfer $2000. I open the claim almost same time as I was near to the branch but Fraud and Claim department denied my Claim telling that as per their record they send verification code to my authorized number which was forwarding that time. they need letter from T-mobile to mention that my all calls and text were forwarding that time.
    I have contacted T-mobile and they refused to provide any such letter while told me Bank should contact to Tmobile directly for verification, while Bank has refused to directly contact Tmobile. I have already filed Identity theft and police report and sent to BofA but still they denied my claim.

    Any advice or suggestion on this matter will be greatly appreciated.

    Thanks

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.