Here’s how hackers are using Zelle to raid bank accounts; and why victim was out $1,800 until I wrote to the bank

Stealing money using Zelle is apparently as easy as adding a phone number to a consumer’s checking account, and then telling the bank to “Zelle” money to a hacker-controlled account — at least in some cases.

While following up on my story earlier this week about consumers who don’t even use Zelle getting hit by Zelle fraud, a bank official told me that’s how it’s done. Criminals — potentially using stolen online banking credentials or credential stuffing attacks — add a cell phone they control to the user’s profile, then send money to the hacker’s account.

(UPDATE 4/29/19: Zelle has confirmed to me that consumers who are victims of this fraud are entitled to Reg E protection. That means banks should not be denying disputes, and should be refunding consumers’ money. See full statement below.)

After the hacker’s mobile number is added to the bank account, the bank’s confirmation code to verify the transaction is misdirected to that fraudulent number, and the hacker confirms the transaction. So once the account is compromised, a fraudster is able to transfer money out of the account, I was told.
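A bank-side check for the sequence described above, as an added example that is not part of the original article: it flags any transfer whose confirmation code went to a phone number added to the profile shortly beforehand. The event field names, the 24-hour cooling-off window and the sample records are constructed assumptions, not any bank's real log format or policy.

```python
from datetime import datetime, timedelta

# Assumed policy: a newly added phone should not confirm transfers for 24 hours.
COOLING_OFF = timedelta(hours=24)

# Constructed sample events (not real bank logs); field names are hypothetical.
EVENTS = [
    # A1: code sent to a phone on file since before the log starts.
    {"ts": "2019-04-10T09:00:00", "account": "A1", "type": "zelle_transfer",
     "otp_phone": "+1-202-555-0101", "amount": 40},
    # A2: phone added, then a transfer confirmed by that phone 7 minutes later.
    {"ts": "2019-04-11T02:14:00", "account": "A2", "type": "phone_added",
     "phone": "+1-202-555-0143"},
    {"ts": "2019-04-11T02:21:00", "account": "A2", "type": "zelle_transfer",
     "otp_phone": "+1-202-555-0143", "amount": 1800},
    # A3: phone added, first transfer three days later.
    {"ts": "2019-04-12T10:00:00", "account": "A3", "type": "phone_added",
     "phone": "+1-202-555-0177"},
    {"ts": "2019-04-15T10:30:00", "account": "A3", "type": "zelle_transfer",
     "otp_phone": "+1-202-555-0177", "amount": 25},
]

def flag_transfers(events, cooling_off=COOLING_OFF):
    """Return transfers confirmed via a phone added within the cooling-off window."""
    added = {}    # (account, phone) -> time the phone was added to the profile
    flagged = []
    # ISO-8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "phone_added":
            added[(ev["account"], ev["phone"])] = ts
        elif ev["type"] == "zelle_transfer":
            # Phones with no recorded add event are treated as long-standing.
            added_at = added.get((ev["account"], ev["otp_phone"]))
            if added_at is not None and ts - added_at < cooling_off:
                flagged.append({
                    "account": ev["account"],
                    "amount": ev["amount"],
                    "minutes_since_phone_added": int((ts - added_at).total_seconds() // 60),
                })
    return flagged

if __name__ == "__main__":
    for hit in flag_transfers(EVENTS):
        print("HOLD FOR REVIEW:", hit)
```

A flagged transfer would typically be held and the customer contacted through a contact method that predates the change, since the new number is the one under suspicion.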

To be clear: Even consumers who don’t use Zelle can be victims of the crime. Many wouldn’t even know to look for money being Zelle’d out of their accounts. Worse yet, at least some victims who do complain are being told — erroneously — that they aren’t entitled to dispute the fraud.

So take this as a warning: If you have a checking account, scour it for potential Zelle fraud. If you get a message that a phone number has been added to your account, call your bank right away. And if the bank tells you that you can’t dispute the charge, keep trying. Cite this article, if you can.

When $1,800 was stolen from Eric Beckerle’s Bank of America account two weeks ago, he figured getting it back would be relatively painless. But when he used the bank’s normal dispute process, his claim was denied, and he was told he’d be out the $1,800.

By the time I found his Twitter complaints, Beckerle had smartly requested that the bank re-open its investigation. I contacted Bank of America on Tuesday to learn more about Beckerle’s situation, and the next morning, his $1,800 had been returned.

“Thanks again for bringing this to our attention,” said BofA spokesperson Betty Riess. “We reached out to the customer and, based on our additional research and information confirmed by the customer, we determined that the account was compromised. We apologized for the delay in resolving the claim and have credited the customer’s account for the $1,800.”

Other consumers are complaining online that they are having trouble disputing Zelle charges, perhaps because banks have been deluged with complaints about the more “traditional” form of Zelle fraud: when Zelle users are suckered into sending money themselves to criminals. (In a typical scenario, a victim uses Zelle to pay an online stranger for concert tickets, but the tickets are never delivered.) In that situation, Zelle and its member banks say, consumers are not entitled to refunds. Financial institutions say that kind of incident is akin to handing cash to a criminal, and it’s not reversible.

But if a consumer’s money is stolen because a criminal hacked into their online bank account and added a fraudulent mobile number, that fraud should be covered by the bank’s standard dispute process. That’s more akin to a phishing attack followed by an online transfer, a scenario that the Federal Reserve has said in the past is covered by Regulation E, which entitles consumers to fraud protection.

UPDATE: Statement from Early Warning, the network operator of Zelle

“In a case where a consumer’s bank account or debit card is compromised, or a Zelle payment is made from a consumer’s account and not authorized by that consumer, consumers have rights under the Electronic Funds Transfer Act (also known as “Reg E”). Those consumers should contact their bank to determine an appropriate resolution.”

Read my story from earlier this week on this new kind of Zelle fraud.

About Bob Sullivan 1332 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

1 Comment

  1. Forgive me if I missed this in the article.
    This seems somewhat similar to the problem that the US Social Security Administration’s insecure web account signup process had a couple of years ago, where a proactive step to reduce the risk was to sign up for the account ourselves, as only one account could be created per Social Security Number.
    Is there a similar step that consumers can take against Zelle fraud? If we set up Zelle directly on our bank’s own website, does that stop these fraudulent accounts from being associated with our bank account?

    I tried to search for “Can one bank account be used with two Zelle accounts” but I found no answers. (My assumption is that, if one bank account canNOT be used with two Zelle accounts, and if the legitimate owner of a bank account does set up Zelle either with Zelle itself or with their bank directly, then that should be protective).

    thanks.
