Zelle hackers recently stole nearly $23,000 from an 86-year-old New Hampshire woman, draining her Bank of America checking and savings accounts, and the bank denied her dispute of the fraudulent charges for months.
Criminals were able to complete eight separate $2,499 withdrawals from the victim’s account — $1 below the daily transfer limit, according to the victim’s son — calling into question the bank’s ability to spot obvious Zelle fraud, he said.
The victim, Barbara Helmstetter, didn’t notice the string of transactions when they occurred in April until she received an overdraft notice. At the time, she was unaware she had access to the Zelle service, her son Michael told the bank. Despite the obvious fraud pattern, Barbara Helmstetter’s disputes of the transactions — her request to get a “refund” of the stolen funds — was denied by the bank in July.
“($23,000) is a lot of money, especially for someone living on a fixed income,” Renee Hemlstetter, the victim’s daughter in law, told me.
After the family reached out to me, and I contacted Bank of America’s media relations department, the bank reversed its decision and returned $22,900 to the woman.
(I’ve been writing about fraudulent Zelle transactions for more than a year, and continue to receive panicked emails from victims who lose money and are wrongly denied disputes by their bank — I’m digging through a backlog of emails now — but the Helmstetter situation is by far the worst I’ve heard. Zelle, a P2P payment platform and Venmo competitor, is owned essentially by a consortium of banks, including Bank of America, Wells Fargo, US Bank, etc.)
In a painful irony, Michael and Renee were initially rebuffed by the bank in their efforts to help Michael’s mother because their name wasn’t on her bank accounts. In other words, the bank’s security stopped the victim’s children, but not the criminals.
The bank’s initial investigation found that the Zelle transactions were “validated using an authentication code sent to a valid phone number,” so the dispute was denied, according to a letter sent by Michael to the bank. Michael inspected his mother’s phone and found no evidence of such transaction authentication code messages.
When Michael and Renee called the bank and asked that the investigation be re-opened, the family was told to contact the woman’ cell phone provider instead.
Bank of America didn’t comment on the family’s frustration with their experience but did broadly confirm details of the incident.
“We reached out to the client’s son last week and are crediting Ms. Helmstetter’s accounts for the amount,” said spokesperson Betty Reiss.
Consumer fraud protections around Zelle transactions are tricky, and apparently, confuse account holders and banks alike. Many banks — not just Bank of America — continue to wrongly deny disputes from consumers, according to numerous victims who have contacted me. If a criminal hacks into a victim’s bank account and initiates a bogus transfer, that transaction should be covered by federal banking rules that entitle consumers to return of the funds. On the other hand, if consumers willingly initiate a transaction to someone who ultimately turns out to be a criminal — such as a Craigslist poster who never sends purchased goods after a Zelle transfer — then consumers are not entitled to credit-card-like refunds.
It appears from victims like Helmstetter that Zelle hackers have figured out how to defeat text-message-based authentication for Zelle transfers. Either they trick victims into divulging authentication codes, in a phone call, or they intercept the messages electronically somehow. In the past, criminals have cloned phones, or simply changed the cell phone number associated with an account so the message is directed at a phone they control.
However it’s done, consumers should be aware that Helmstetter’s situation is not unique. Criminals continue to figure out ways to send themselves money via hacked Zelle accounts — even when victims haven’t heard of Zelle.
In general, consumers at Zelle-friendly banks — there are hundreds – can’t opt out of the service. But Helmstetter’s son did find a way to essentially disable it from his mother’s account. A Bank of America fraud investigator “blocked her phone number and email so that no one is able to use her information to send additional transfers,” Michael says. That’s an option other consumers should consider.
In his letter to the bank, Michael’s frustration is obvious. He expressed astonishment that the bank’s fraud controls weren’t triggered when the only six transactions involving his mother’s savings account in recent times were six $2,499 Zelle withdrawals.
“What is absolutely astounding with her savings account,” he wrote in a letter provided to me by the family. “… And clearly exposes a major weakness in the bank’s algorithms and controls, is that since March 2018 (as far back as online banking goes on this account, so likely further back), the only, and I repeat ONLY, transactions that occurred in this account were the 6 fraudulent Zelle transfers out of the account – each one at $2499.00, a simple $1 under the Zelle transfer maximum of $2500. And adding insult to injury in your failed controls, the only other two transactions during that period were transfers she made with help from The Bank to her fraudulently hacked checking account because she was concerned and confused by the negative balance notices she was receiving from the bank. So, The bank identified the negative checking account balance and notified customer Helmstetter to resolve this situation, but did not note the numerous Zelle transactions that drained the same account and the associated savings account. How is this possible?”
Early Warning, which operates Zelle, did not comment specifically about this incident but issued this statement.
“This is an unfortunate situation and I am glad to hear that Ms. Helmstetter’s account was restored the $23,000,” said spokeswoman Meghan Fintland. “We cannot comment specifically on the case as it was an issue between the consumer and her financial institution. However, in cases where a consumer’s bank account or debit card have been compromised, and unauthorized Zelle payments made, consumers have rights under the Electronic Funds Transfer Act. We always recommend they contact their bank immediately to determine an appropriate resolution.”