Zelle criminal took $23k from elderly victim; BofA (initially) wouldn’t give it back

This video is from my June appearance on NBC Nightly News talking about Zelle fraud.

Zelle hackers recently stole nearly $23,000 from an 86-year-old New Hampshire woman, draining her Bank of America checking and savings accounts, and the bank denied her dispute of the fraudulent charges for months.

Criminals were able to complete eight separate $2,499 withdrawals from the victim’s account — $1 below the daily transfer limit, according to the victim’s son — calling into question the bank’s ability to spot obvious Zelle fraud, he said.

Zelle fraud emergency kit and FAQ

The victim, Barbara Helmstetter, didn’t notice the string of transactions when they occurred in April until she received an overdraft notice.  At the time, she was unaware she had access to the Zelle service, her son Michael told the bank. Despite the obvious fraud pattern, Barbara Helmstetter’s disputes of the transactions — her request to get a “refund” of the stolen funds — was denied by the bank in July.

“($23,000) is a lot of money, especially for someone living on a fixed income,” Renee Hemlstetter, the victim’s daughter in law, told me.

After the family reached out to me, and I contacted Bank of America’s media relations department, the bank reversed its decision and returned $22,900 to the woman.

(I’ve been writing about fraudulent Zelle transactions for more than a year, and continue to receive panicked emails from victims who lose money and are wrongly denied disputes by their bank — I’m digging through a backlog of emails now — but the Helmstetter situation is by far the worst I’ve heard.  Zelle, a P2P payment platform and Venmo competitor, is owned essentially by a consortium of banks, including Bank of America, Wells Fargo, US Bank, etc.)

In a painful irony, Michael and Renee were initially rebuffed by the bank in their efforts to help Michael’s mother because their name wasn’t on her bank accounts. In other words, the bank’s security stopped the victim’s children, but not the criminals.

The bank’s initial investigation found that the Zelle transactions were “validated using an authentication code sent to a valid phone number,” so the dispute was denied, according to a letter sent by Michael to the bank.  Michael inspected his mother’s phone and found no evidence of such transaction authentication code messages. 

When Michael and Renee called the bank and asked that the investigation be re-opened, the family was told to contact the woman’ cell phone provider instead.

Bank of America didn’t comment on the family’s frustration with their experience but did broadly confirm details of the incident.

“We reached out to the client’s son last week and are crediting Ms. Helmstetter’s accounts for the amount,” said spokesperson Betty Reiss.

Consumer fraud protections around Zelle transactions are tricky, and apparently, confuse account holders and banks alike. Many banks — not just Bank of America — continue to wrongly deny disputes from consumers, according to numerous victims who have contacted me.  If a criminal hacks into a victim’s bank account and initiates a bogus transfer, that transaction should be covered by federal banking rules that entitle consumers to return of the funds. On the other hand, if consumers willingly initiate a transaction to someone who ultimately turns out to be a criminal — such as a Craigslist poster who never sends purchased goods after a Zelle transfer — then consumers are not entitled to credit-card-like refunds.

It appears from victims like Helmstetter that Zelle hackers have figured out how to defeat text-message-based authentication for Zelle transfers. Either they trick victims into divulging authentication codes, in a phone call, or they intercept the messages electronically somehow. In the past, criminals have cloned phones, or simply changed the cell phone number associated with an account so the message is directed at a phone they control.

However it’s done, consumers should be aware that Helmstetter’s situation is not unique. Criminals continue to figure out ways to send themselves money via hacked Zelle accounts — even when victims haven’t heard of Zelle.

In general, consumers at Zelle-friendly banks — there are hundreds – can’t opt out of the service.  But Helmstetter’s son did find a way to essentially disable it from his mother’s account. A Bank of America fraud investigator “blocked her phone number and email so that no one is able to use her information to send additional transfers,” Michael says. That’s an option other consumers should consider.

In his letter to the bank, Michael’s frustration is obvious. He expressed astonishment that the bank’s fraud controls weren’t triggered when the only six transactions involving his mother’s savings account in recent times were six $2,499 Zelle withdrawals. 

What is absolutely astounding with her savings account,” he wrote in a letter provided to me by the family. “… And clearly exposes a major weakness in the bank’s algorithms and controls, is that since March 2018 (as far back as online banking goes on this account, so likely further back), the only, and I repeat ONLY, transactions that occurred in this account were the 6 fraudulent Zelle transfers out of the account – each one at $2499.00, a simple $1 under the Zelle transfer maximum of $2500. And adding insult to injury in your failed controls, the only other two transactions during that period were transfers she made with help from The Bank to her fraudulently hacked checking account because she was concerned and confused by the negative balance notices she was receiving from the bank. So, The bank identified the negative checking account balance and notified customer Helmstetter to resolve this situation, but did not note the numerous Zelle transactions that drained the same account and the associated savings account. How is this possible?” 

Early Warning, which operates Zelle, did not comment specifically about this incident but issued this statement.

“This is an unfortunate situation and I am glad to hear that Ms. Helmstetter’s account was restored the $23,000,” said spokeswoman Meghan Fintland. “We cannot comment specifically on the case as it was an issue between the consumer and her financial institution. However, in cases where a consumer’s bank account or debit card have been compromised, and unauthorized Zelle payments made, consumers have rights under the Electronic Funds Transfer Act. We always recommend they contact their bank immediately to determine an appropriate resolution.”

Don’t miss a post. Sign up for my newsletter

About Bob Sullivan 1528 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

13 Comments

  1. Bob – Please tell us how to enforce an action under the electronic funds transfer laws that protect us. When outfits like BofA erroneously deny fraudulent activity, we need to be able to defend ourselves. Who and where do we call or write to?

  2. I find it shocking that consumers cannot opt out of Zelle – you can opt in or out of just about every aspect of your bank account, why can’t we protect ourselves by preemptively putting that block in place?

  3. We had $9000 taken from our account from a criminal. We filed a police report which if fraudulent — i could go to jail. But B of A refuses to give us the money. It was obtained illegally and B of A refuses to give it back.

    • Hi,This is regarding a money tranfer through Bofa using Zelle that went to a wrong person who seemed to have hacked my daughters phone number That I used Zelle money on Jan 29th.Pls, let me know how to recover my daughters tuition money.I used my daughters phone number to tranfer money from my account to her

      Customer: woodstock ga 30188
      I did make this transfer on Jan29th.Ever since I have made 2 claims with Bofa.Bofa wont give me the info, about the person who hold my money unless I send a subpeona.Pls, help me

  4. My wallet and phone was stolen and the thieves or someone Zelle transferred $3500 from my account!! I have no confirmation emails or anything!! Bank of America denied my claim and said it was from my phone of course it was IT WAS STOLEN but the rep told me the IP address of the transaction was 200 miles away from my home Bank of America sucks

  5. Dear Mr. Sullivan, I am reaching out to you in an attempt to get some help and advice. I am elderly and don’t have anyone to turn to in order to get my money back. I am a Bank of America customer. My bank account was compromised through Zelle in the amount of $2,700 which was the total of my stimulus and social security checks. I was left with $60 in my account. This has left me in a financial bind since it occurred. I am retired and live month to month on social security alone. I made a fraud report to Bank of America within 10-15 minutes of the cyber crime and also made a trip to my bank branch to report this in person. The fraud department gave me little hope in getting my money back. The basically told me not to expect a refund and to wait 60-90 days while investigating this. After 60 days I was sent a basic form letter stating they were unable to approve my claim. It doesn’t appear to me that any research was done regarding my claim. The form letter talks about a merchant and to contact the person the funds were sent to for further assistance. There was no merchant involved, nor do I know the person who committed this crime. I feel like I am definitely getting the run around with the bank. I didn’t want to go into detail regarding this fraud, but I did write a letter tp Bank of America with copies of the emails I received as well as texts and time stamps. I appreciate you and what you are doing to expose the criminal activity through Zelle and the banks.

  6. Hello Mr Sullivan,
    I was also scammed by the messed up Bank of America and zelle system. They called me from the B of A phone # said they was fraud activity on my account. From Kroger’s for $ 200 and a gal named Tiffany for $ 3,500. They never asked me any account info. I said let me log in and see what is going on, told them I did not see the pending charge, they said that’s because they caught it. But I needed to send $ 3,500 to myself thru Zelle. I thought that was odd, but again he sounded good and the call came in on the B of A phone #… Said they cancelled my debit card and another will come via fed ex in 1-2 days. I asked them to verify my address and they had it right…
    Can you help me? I think they is a CLASS ACTION SUIT waiting to happen hee. I spoke to (2) B of A people and asked them how many people did they file this same $ 3,500 claim on today … They both said MORE THAN (10) claims. Their system at B of A is BROKEN..

    • Almost the same thing happened to me, only difference is I knew the original text was illegitimate & wrote the mobile app on their help center to Erica and wrote “I think I have been hacked” & seconds later I got a call from “BANK OF AMERICA” who was the scammer & at that time had no reason to question it as I just wrote the Help Center. I also had a witness present.

    • Mr. Sullivan or Kev please respond promptly as we can figure out how to turn this into a Class Action Lawsuit. I am a single mother who just got off work when this happened.. it’s like these people knew what time I gif off work & they had my full address and my email & were already logged into my account.

    • Kev,
      Same thing just happened to me today with BOA/Zelle, the exact same thing. Did you file a claim? I did and they said it was highly unlikely I would get it back since it was through Zelle. I am beyond devastated. I was left with $41 in my bank account.

  7. Mr. Sullivan,
    Please read my full story and help me get my $3,400 back that I was saving for my daughters private school tuition.
    *I have slept a total of 6 hours in 3 days since this scam happened. I am a single mother of two children under 4 years old. I work 5 nights a week as a server (I don’t receive benefits) & I am a survivor (not a victim) of domestic abuse— an experience that taught me to defend myself & get justice.

    I have been a customer with BofA for 11 years with no issues of fraudulent charges in the past until this Saturday night after work. My story is very similar to this mans & I have called over 25 times to get BofA to get their investigative team to solve this. I spoke with the supervisor & the best he could do was get an accelerated payment back for financial hardship within two business days but I have not heard anything back yet. I have cried my eyes out, & have been sick over this while taking care of a 2 & 4 year old by myself, which is nearly impossible right now. I gave the representatives a piece of my mind.
    So here’s what happened.

    *Saturday July 25, 2021 I received a text at 10:03pm while I was working from an unknown number posing as the fraud department from BofA. Apparently someone just deducted $4000 out of my account.
    I did not react until 10:52pm when I was dropping my coworker off, I then wrote the help center “I think my account was hacked.” My coworker was a witness to this. I then received a call from “BANK OF AMERICA” seconds after “Erica” from mobile banking responded.
    It was a man with the same genuine tone as any representative helping in the claims department.. & realizing I had just given my banking information to Mercury Insurance over the phone a day prior, I realized my information may have been compromised & did not question the call in the least.

    What this guy did to me was a Zelle scam having attached his information to my email he was able to receive the money I thought I transferred to my email… because that was the only way he said I would receive my $3400 back in my account that was supposedly pending on Zelle. I don’t use Zelle & have been a victim of an app that is connected to my banking with zero warning until you are about to send a payment & even then you don’t question that the bank isn’t liable if something goes wrong. Chase quick pay was the receiving end of the scam btw.
    In this case, I did reach out to the Consumer Financial Protection Bureau & they were willing to work with me if this claim did not get approved.

    I ask for your help, if you can potentially reach out to Bank of America. I have done everything I could. Assuming Bank of America can be apart of an even bigger scam that happens frequently, you would think they would resolve this. They also refused to give me chat history on the banking app for evidence for my case. I also have an aunt who’s an editor for NBC who I can reach out & I also sent this to one other news reporter, but I think this story is worth changing lives for the better & helping spread awareness about scammers.

    Thank you for everything you do. You have such an amazing heart & truly I look up to you & admire your work.

    Sincerely,
    Ariel Archuleta

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.