Milt Tipperman had never heard of Zelle before April 18, but he learned about the peer-to-peer (P2P) payment app quickly when eight fraudulent Zelle transactions drained $800 from his checking account.
“I was mad, and I still am,” says Tipperman, of Maryland. He says his bank, PNC, is investigating, but when I spoke to him on Monday, he was still short the money. “I have never used or even heard of Zelle before. I have never used my cellphone to do banking … They apparently provide a service to people who choose to use their service, but for everyone else who do not use their service, they are a threat.”
Zelle is exploding in popularity with consumers and apparently with fraudsters, too. Designed by big banks to compete will digital-age P2P apps like Venmo, Zelle has continued to pick up steam.
The firm that manages Zelle, Early Warning, says 5,000 financial institutions are signed up to use the network. Just one, Bank of America, reported recently that its Zelle transaction volume had doubled in a year, to 58.1 million transactions in the first quarter of this year, up from 28.6 million in 2018’s first quarter. The value of the payments grew from $9 billion to $16 billion during that span.
Last year also saw an avalanche of complaints against the service, as users found out the hard way that their transactions come with no credit card-style fraud protections. Fraudsters seized on this; a typical scam involves requesting Zelle payments for concert tickets that were never delivered.
Zelle warns users to treat its payment system like cash, and it won’t help consumers who unknowingly send money to criminals.
But recently, a new spate of fraud complaints using a method that’s more troubling has hit Zelle — complaints from consumers like Tipperman, who’ve never signed up for the service.
As during last year’s outbreak of fraud cases, consumers are frustrated because many feel they are being bounced back and forth between their bank and Zelle, with neither entity taking responsibility or making any offers to refund losses, which is the standard response in cases of credit or debit card fraud.
Early Warning told me it is investigating Tipperman’s complaint, but the Zelle manager did not offer comment by press time. Amy Vargo, PNC vice president of media, said the firm couldn’t comment on specific customers, but said Tipperman’s case had been escalated.
It appears criminals have found a way to open Zelle accounts attached to consumers’ existing bank accounts and then send money to themselves.
In Tipperman’s case, criminals completed eight transactions sent to three different recipients.
“The first person I talked to said we must have given our ID and password to somebody. Of course, that didn’t happen,” Tipperman said.
He has since closed his bank account and expects he’ll be reimbursed for the fraud. Still, he’s frustrated.
“When I called Zelle, I was told they can do nothing since their records use phone numbers and my phone number is not in their records. So a thief is using their (own) cell number to open a Zelle account using my bank account. My bank, PNC, said they cannot block Zelle transactions from my account,” Tipperman said.
It’s not hard to find similar-sounding complaints online, several from around the same time period as Tipperman.
“Our online banking was compromised, and money was moved via Zelle. We were told this was our doing. We are victims and are being treated as crooks. Legal action might be necessary,” wrote one Twitter user on April 18. The user confirmed to me later that his request for a refund had been denied.
“We have never used Zelle, and yet someone was able to gain access to our account, activate Zelle and send money to an email address without our knowledge or consent. We were told by the bank’s investigators that the transaction was legitimate, and they denied our claim,” he said.
In March, another Twitter user wrote: “I woke up this morning to find $1,000 in fraudulent transactions from Zelle to my TDBank_US account. Turns out I’m seeing dozens of stories this morning of rampant bank fraud associated with Zelle.”
The problem isn’t new. Last May, an NBC affiliate in San Diego reported a string of similar-sounding fraud events involving account takeovers.
“Consumers like Brad Miller say they’ve been robbed in a matter of seconds,” the KNSD report said. “Miller said he’s banked with Wells Fargo for more than 29 years. He said everything was fine until recently, when he got an alert on his phone saying his Wells Fargo password had been changed.”
It’s unclear what security tools Zelle uses to authenticate bank account holders at signup, permitting them to link bank accounts to their smartphones for instant payments.
One possible scenario: Criminals are using typical credential-stuffing attacks to gain access to victims’ online bank accounts, then using that access to arrange Zelle transfers. Or they could be tricking victims into divulging login information some other way.
Last year, Early Warning told the NBC station it was taking reports of non-Zelle user attacks seriously and has implemented several systems to prevent such fraud.
“We are listening to, and acting on feedback, working closely with our financial institution partners to resolve issues quickly, or addressing situations directly when the Zelle app is used to originate a transaction … We and our partner financial institutions each apply multiple layers of protection across both the Zelle app and the mobile banking apps, respectively, alongside 24/7 fraud monitoring at the network level,” the firm said.
More from Bob Sullivan:
- “Weather Channel knocked off live TV by hackers“
- “Breach podcast, the conclusion: ‘Privacy died but it can be reborn’“
- “Can a high school senior hack his way into college? Young researcher finds flaw at several schools“
Disclosure: The information you read here is always objective. However, we sometimes receive compensation when you click links within our stories.