A new rash of Zelle hacks has left consumers with empty banks accounts and little hope for refunds — but there is hope that federal regulators might finally impose fair rules to protect victims. Anyone who’s lost money through Zelle, or who is currently fighting their financial institution over lost funds, should follow the instructions later on in this story.
I’ve been reporting on Zelle crime for several years. Using various methods and cover stories, criminals hijack victim accounts and send themselves money, leaving a wake of frustrated victims in their path. Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin.
In many cases, banks are giving consumers incorrect and self-serving opinions after the thefts. Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. (This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution).
But in email after email, I hear from consumers who are denied refunds, with “fraud investigators” at banks telling account holders Zelle transactions are not entitled to any protection. This is incorrect, and I hope one day a regulator forces banks to reexamine all these fraudulent transactions, issue refunds, and other sanctions for repeatedly mistreating consumers.
However, a slightly different variation of the Zelle fraud is now common and it is less clear that Regulation E applies to it. In this scam, consumers are contacted by a criminal posing as a bank official, telling a cover story that the consumer’s account has been hacked. After several convincing verification procedures — often there’s a text message that appears to come from the bank, which includes a toll-free number to call — the criminal convinces the victim to move supposedly at-risk funds to a new Zelle account allegedly created for their protection. In reality, the criminal is manipulating the consumer into moving the money into an account the hacker controls. Here’s just one example from the flood of emails I’ve received recently:
“I was a recent victim of someone pretending to be Bank of America letting me know my account had been hacked. This happened while I was on the way to a dentist appointment after a very stressful day of work,” the writer told me. The victim, distracted by the appointment, followed the instructions the caller laid out, “thinking I was saving myself from being hacked when in reality I was actually being hacked. After I got off of the phone I literally threw up because I realized what happened.”
Said another writer, “I was scammed and thought I was refunding myself through Zelle but really the $1,000 got sent to the scammer.”
Once victims discover the crime, and call their bank looking for help, they are told they’re out of luck. The bank’s opinion is that the consumer initiated the transaction, so it does not fall under the Regulation E “unauthorized transaction” protection. I’d like to say banks are wrong, but Lauren Sanders of the National Consumers Law Center told me they have a point:
“(Protection applies) where the scammer takes information they got from the consumer and the scammer then initiates the payment. It sounds like in your scenario, the consumer actually initiates — sends — the payment,” she said. “Under the (Electronic Funds Transfer Act), the definition of ‘unauthorized transfer’ is one ‘initiated by a person other than the consumer.’ So if the consumer initiates the payment, you can’t challenge it as unauthorized.”
Sorry to deliver that bad news. There is another potential route for consumers hoping their banks will help, however. Sauders said there is a different set of protections that apply to “errors,” and that includes something designated an “incorrect transfer.”
“Arguably a payment that went to a scammer instead of yourself is “incorrect,” but banks are going to claim that it’s not an error,” Saunders said.
So, to repeat: If a criminal initiates a Zelle transfer — even if the criminal manipulates a victim into sharing login credentials — that fraud is covered by Regulation E, and banks should restore the stolen funds. If a consumer initiates the transfer under false pretenses, the case for redress is more weak.
FILE YOUR ZELLE COMPLAINTS HERE
All the more reason anyone who’s suffered at the hands of Zelle and bank indifference should participate in a new effort by federal regulators to investigate newfangled tech-driven payment tools. In October, the CFPB announced it was ordering Amazon, Apple, Facebook, Google, PayPal, and Square to share information about their payment systems. The inquiry will examine the degree to which these firms are protecting consumer rights. The CFPB asked interested parties, including consumers, to offer commentary on the investigation.
“Consumers expect certain assurances when dealing with companies that move their money,” the CFPB said in announcing the probe. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law. The orders seek to understand the robustness with which payment platforms prioritize consumer protection.”
There is a deadline however, and it’s soon: December 6. Instructions for contributing comments are available here, but basically – send an email to BigTechPaymentsInquiry@cfpb.gov. Include Docket No. CFPB-2021-0017 in the subject line of the message.
“That is the perfect place for people to express their anger and push for better protections,” Saunders said.
NOTE: The inquiry does not officially mention Zelle and other cash-like apps, but any efforts to extend credit-card-like consumer protections to new payment systems might very well apply to Zelle in the end.