VIDEO: Zelle fraud includes clever text message intercepts, foiling two-factor authentication

Here I am, wondering why consumers have to fight so hard to get their disputes resolved — and get their money back. Click to watch.

I’ve written a lot about Zelle fraud in recent months, as banks keep erroneously rejecting victims’ requests for “refunds” after their money is stolen. NBC recently reported on the story and asked me to help. Their piece does a good job of illustrating the scope of the crime – based on the email I’m getting, it’s far too common – but NBC’s Michell Tak found another twist in the crime that’s important for you to hear.

Criminals are getting very clever about evading two-factor authentication schemes. Tak interviewed Chrysanthi Rausch, of Columbus, Ohio, who was duped into coughing up a 6-digit text message sent by her bank that was supposed to keep her money secure.


“She was taking a nap on her couch two months ago when she got a call from a number she didn’t recognize,” the NBC story reads. “On the other end of the line was a woman who said she worked for KeyBank, Rausch’s local bank, calling to alert her of fraud in her account.

“They wanted me to verify my identity through a text code. So they sent me a text, and then I read the six numbers back,” said Rausch, according to NBC.

“That was all it took, she said, for the fraudsters to create a Zelle account in her name and gain access to both her checking and savings accounts — all within hours of their phone call.”

So there’s something else you have to worry about: criminals intercepting the codes banks send by text message for two-factor authentication. Consumers should never give out text message codes in response to a surprise phone call. If a bank says it’s calling about fraud, hang up and call the bank back on its 1-800 number. It’s a pain, but that’s the best way to make sure a criminal isn’t posing as your financial institution.

You can see the video by clicking here, or on my image above.

If you don’t feel like watching, here is what I told NBC:

“The fraud we’re talking about today is a totally different kind of fraud,” said Bob Sullivan, an author who tracks online bank scams, “where someone’s access has been stolen just like if someone stole your username or password to your online bank.”

“It’s a simple proposition: the quicker the transaction is, the quicker a criminal can steal,” Sullivan added. “This is almost engineered for crime.”

All banking-related websites and apps are vulnerable to scammers. But experts say Zelle is a particularly appealing target because, unlike other peer-to-peer payment apps like Venmo, it’s embedded within banking apps and automatically connected to user accounts.

“When it launched, there were ads screaming on TV over and over saying, ‘You can trust Zelle. It’s backed by the banks. It’s safe.’ I mean they really traded on the safety of being associated with large banks,” Sullivan said.

And here’s my previous Zelle coverage:

Zelle fraudsters find new victim pool: Consumers who don’t even use Zelle

Here’s how hackers are using Zelle to raid bank accounts; and why victim was out $1,800 until I wrote to the bank

Zelle’s fraud problem gains steam; I fix misleading ads with rap of my own


P2P bank app Zelle soars in popularity — with criminals, and without fraud protections


About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck, in 2014. He has won the Society of Professional Journalists’ prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
