Here’s how hackers are using Zelle to raid bank accounts; and why victim was out $1,800 until I wrote to the bank

Stealing money using Zelle is apparently as easy as adding a phone number to a consumer’s checking account, and then telling the bank to “Zelle” money to a hacker-controlled account — at least in some cases.

When following up my story earlier this week about consumers who don’t even use Zelle getting hit by Zelle fraud, a bank official told me that’s how it’s done. Criminals — potentially using stolen online banking credentials or credential stuffing attacks — add a cell phone they control to the user’s profile, then send money to the hacker’s account.

(UPDATE 4/29/19: Zelle has confirmed to me that consumers who are victims of this fraud are entitled to Reg E protection. That means banks should not be denying disputes, and should be refunding consumers’ money. See full statement below.)

After the hacker’s mobile number is added to the bank account, the banks’ confirmation code to verify the transaction is misdirected to that fraudulent number, and the hacker confirms the transaction. So once the account is compromised, a fraudster is able to transfer money out of the account, I was told.
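A detection-side sketch of the sequence described above, added here as an example and not taken from any bank's or Zelle's systems: it flags an outbound transfer whose confirmation code went to a phone number that was added to the profile shortly beforehand. The event fields, the 72-hour window and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real bank data); all field names are assumptions.
EVENTS = [
    {"ts": "2019-04-10T09:00:00", "acct": "A1", "type": "phone_added",
     "phone": "+1-202-555-0100"},
    {"ts": "2019-04-10T09:04:00", "acct": "A1", "type": "transfer",
     "otp_phone": "+1-202-555-0100", "payee": "P-new", "amount": 1800},
    # Transfer confirmed on a number with no recent profile change.
    {"ts": "2019-04-10T11:00:00", "acct": "B2", "type": "transfer",
     "otp_phone": "+1-202-555-0142", "payee": "P-known", "amount": 50},
    # Number added weeks earlier: outside the window, so not flagged.
    {"ts": "2019-03-01T08:00:00", "acct": "C3", "type": "phone_added",
     "phone": "+1-202-555-0177"},
    {"ts": "2019-04-11T10:00:00", "acct": "C3", "type": "transfer",
     "otp_phone": "+1-202-555-0177", "payee": "P-rent", "amount": 900},
]


def flag_transfers(events, window=timedelta(hours=72)):
    """Return (acct, payee, amount, minutes_since_add) for each transfer whose
    confirmation code was sent to a number added less than `window` earlier."""
    added = {}    # (acct, phone) -> time the number was added to the profile
    flagged = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "phone_added":
            added[(ev["acct"], ev["phone"])] = ts
        elif ev["type"] == "transfer":
            added_at = added.get((ev["acct"], ev["otp_phone"]))
            if added_at is not None and ts - added_at < window:
                minutes = int((ts - added_at).total_seconds() // 60)
                flagged.append((ev["acct"], ev["payee"], ev["amount"], minutes))
    return flagged


if __name__ == "__main__":
    for acct, payee, amount, minutes in flag_transfers(EVENTS):
        print(f"HOLD {acct}: ${amount} to {payee}, "
              f"code sent to a number added {minutes} min earlier")
```

A flagged transfer is a candidate for a hold and for confirmation through a contact channel that was on file before the change.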

To be clear: Even consumers who don’t use Zelle can be victims of the crime. Many wouldn’t even know to look for money being Zelle’d out of their accounts. Worse yet, at least some victims who do complain are being told — erroneously — that they aren’t entitled to dispute the fraud.

So take this as a warning: If you have a checking account, scour it for potential Zelle fraud. If you get a message that a phone number has been added to your account, call your bank right away. And if the bank tells you that you can’t dispute the charge, keep trying. Cite this article, if you can.

When $1,800 was stolen from Eric Beckerle’s Bank of America account two weeks ago, he figured getting it back would be relatively painless. But when he used the bank’s normal dispute process, his claim was denied, and he was told he’d be out the $1,800.

By the time I found his Twitter complaints, Beckerle had smartly requested that the bank re-open its investigation. I contacted Bank of America on Tuesday to learn more about Beckerle’s situation, and the next morning, his $1,800 had been returned.

“Thanks again for bringing this to our attention,” said BofA spokesperson Betty Riess. “We reached out to the customer and, based on our additional research and information confirmed by the customer, we determined that the account was compromised. We apologized for the delay in resolving the claim and have credited the customer’s account for the $1,800.”

Other consumers are complaining online that they are having trouble disputing Zelle charges, perhaps because banks have been deluged with complaints about the more “traditional” form of Zelle fraud: when Zelle users are suckered into sending money themselves to criminals. (In a typical scenario, a victim uses Zelle to pay an online stranger for concert tickets, but the tickets are never delivered.) In that situation, Zelle and its member banks say, consumers are not entitled to refunds. Financial institutions say that kind of incident is akin to handing cash to a criminal, and it’s not reversible.

But if a consumer’s money is stolen because a criminal hacked into their online bank account and added a fraudulent mobile number, that fraud should be covered by the banks’ standard dispute process. That’s more akin to a phishing attack followed by an online transfer, a scenario that the Federal Reserve has said in the past is covered by Regulation E, which entitles consumers to fraud protection.

UPDATE: Statement from Early Warning, the network operator of Zelle

“In a case where a consumer’s bank account or debit card is compromised, or a Zelle payment is made from a consumer’s account and not authorized by that consumer, consumers have rights under the Electronic Funds Transfer Act (also known as “Reg E”). Those consumers should contact their bank to determine an appropriate resolution.”

Read my story from earlier this week on this new kind of Zelle fraud.



About Bob Sullivan 1348 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

6 Comments

  1. Forgive me if I missed this in the article.
    This seems somewhat similar to the problem that the US Social Security Administration’s insecure web account signup process had a couple of years ago, where a proactive step to reduce the risk was to sign up for the account ourselves, as only one account could be created per Social Security Number.
    Is there a similar step that consumers can take against Zelle fraud? If we set up Zelle directly on our bank’s own website, does that stop these fraudulent accounts from being associated with our bank account?

    I tried to search for “Can one bank account be used with two Zelle accounts” but I found no answers. (My assumption is that, if one bank account canNOT be used with two Zelle accounts, and if the legitimate owner of a bank account does set up Zelle either with Zelle itself or with their bank directly, then that should be protective).

    thanks.

  2. I had a Zelle transfer out of my Bank of America account for $800 that I did not authorize. I have provided copies of police reports, talked with the bank fraud department and advocacy representatives and have gotten nothing but frustration. I filed a complaint with CFPB and still nothing. Can you help me? I don’t know where else to turn. Thank you.

  3. We don’t use Zelle and just found out our checking account has been robbed of over 2400 dollars in less than two weeks. Our bank will reimburse but they have to eat it because there is no way to go after these hackers. How do we find out who these are and have them prosecuted? We have two names that the money is going to and supposedly in Arizona.

  4. I just noticed $499.00 gone from my NC State Employees’ Credit Union checking account July 21, 2019. It was a Zelle transfer. I didn’t even know what Zelle was until my bank said I can’t dispute it and told me to contact Zelle. I know in my heart this can’t be correct because this is fraudulent activity and my account was compromised. I called Zelle and they confirmed I don’t have and never have had an account with them, but told me to call my bank and file a claim. I called the bank back and raised hell and finally the young man said he’ll file a claim! I think they’re stonewalling us. They need to figure out better security protocol. This is absolutely not my fault and I need my money. No one has contacted me yet, but he said if I don’t hear anything that is good news, that the amount will be credited. It’s disturbing that they are adamant about saying I can’t dispute the fraud one moment, but then they just give in when I get righteously angry! He read aloud the lawyer memo that they have to parrot. They know they’re going to eat it I guess, but it’s not my fault. I better get a refund. I’m worried this will happen again now. I’m worried about other people! This is crazy!

  5. I had someone attempt to take $799 out of my checking account. The way they did it was to pirate (take over) my phone and add it to their device. They could then send a money transfer knowing nothing but a phone number. I called Bank of America and told them to deactivate Zelle from my account and was informed that it is built into my account and I have no choice but to have it. I did some more digging and found out that if I do not have a phone number connected to my account that they could not attempt transfers so easily.

  6. A couple years ago my account at BOA was broken into through Zelle, removed all my money. Research convinced me I wouldn’t get my money back. It was actually through my email, that’s what the trace said. I had no problem getting the money back. Two days later my Target account was broken into, both breaches were traced, very easily, back to the same thief, the police refused to take a report.
