Stealing money using Zelle is apparently as easy as adding a phone number to a consumer’s checking account, and then telling the bank to “Zelle” money to a hacker-controlled account — at least in some cases.
When following up my story earlier this week about consumers who don’t even use Zelle get hit by Zelle fraud, a bank official told me that’s how it’s done. Criminals — potentially using stolen online banking credentials or credential stuffing attacks — add a cell phone they control to the user’s profile, then send money to the hacker’s account.
(UPDATE 4/29/19: Zelle has confirmed to me that consumers who are victims of this fraud are entitled to Reg E protection.. That means banks should not be denying disputes, and should be refunding consumers’ money. See full statement below. )
After the hacker’s mobile number is added to the bank account, the banks’ confirmation code to verify the transaction is misdirected to that fraudulent number, and the hacker confirms the transaction. So once the account is compromised, a fraudster is able to transfer money out of the account, I was told.
To be clear: Even consumers who don’t use Zelle can be victims of the crime. Many wouldn’t even know to look for money being Zelle’d out of their accounts. Worse yet, at least some victims who do complain are being told — erroneously — that they aren’t entitled to dispute the fraud.
So take this as a warning: If you have a checking account, scour it for potential Zelle fraud. If you get a message that a phone number has been added to your account, call your bank right away. And if the bank tells you that you can’t dispute the charge, keep trying. Cite this article, if you can.
When $1,800 was stolen from Eric Beckerle’s Bank of America account two weeks ago, he figured getting it back would be relatively painless. But when he used the bank’s normal dispute process, his claim was denied, and he was told he’d be out the $1,800.
By the time I found his Twitter complaints, Beckerle has smartly requested that the bank re-open its investigation. I contacted Bank of America on Tuesday to learn more about Beckerle’s situation, and the next morning, his $1,800 had been returned.
“Thanks again for bringing this to our attention,” said BofA spokesperson Betty Riess. “We reached out to the customer and, based on our additional research and information confirmed by the customer, we determined that the account was compromised. We apologized for the delay in resolving the claim and have credited the customer’s account for the $1,800.”
Other consumers are complaining online that they are having trouble disputing Zelle charges, perhaps because banks have been deluged with complaints about the more “traditional” form of Zelle fraud: when Zelle users are suckered into sending money themselves to criminals. (In a typical scenario, a victim uses Zelle to pay an online stranger for concert tickets, but the tickets are never delivered). In that situation, Zelle and its member banks say, consumers are not entitled to refunds. Financial institutions say that kind of incident is akin to handing cash to a criminal, and it’s not reversible.
But if a consumers’ money is stolen because a criminal hacked into their online bank accounts and added a fraudulent mobile number, that fraud should be covered by the banks’ standard dispute process. That’s more akin to a phishing attack followed by an online transfer, a scenario that the Federal Reserve has said in the past is covered by Regulation E, which entitles consumers to fraud protection.
UPDATE: Statement from Early Warning, the network operator of Zelle:
“In a case where a consumer’s bank account or debit card is compromised, or a Zelle payment is made from a consumer’s account and not authorized by that consumer, consumers have rights under the Electronic Funds Transfer Act (also known as “Reg E”). Those consumers should contact their bank to determine an appropriate resolution.”
Earlier this week,
Criminals can steal money from your checking