The “Zelle Fraud” Scam
By Scott Hamilton
Senior Expert in Emerging Technologies
I learned this week about a new scam currently circulating on the Internet. The global ‘Zelle Fraud’ scam uses Zelle, which is a peer-to-peer payment service used by many banks to allow customers to transfer funds to friends and family. You might wonder how this could be exploited to drain your bank account, but like any online service, banking services and applications are not really any more secure than any other web site. The attack ironically does not initially involve Zelle, or any other funds transfer application; it starts as a text message.
The attack generally starts with a text message from the scammer that is worded something like, “Free Msg-J.P Morgan Chase Bank Alert-Did You Attempt A Zelle Payment For The Amount of $5000.00? Reply YES or NO Or 1 To Decline Fraud Alerts.” If you get a message like this, even if it appears to come from your bank, you should immediately delete the message. If you are afraid it may be legitimate, call your bank immediately to confirm the message, but do not reply to the message.
If you respond to the message in any manner at all, you will receive a phone call from a spoofed line that looks like it is coming from your bank. The scammer will then pretend to be a fraud agent at your bank. They will ask you questions to verify your identity; they will then ask for your online banking username. You will receive a text message with a verification code, which they will also ask you to provide over the phone. This is a password reset code, which the scammer generated using your username. They can then use this code to reset your banking password and empty your bank account.
This is a common method of breaking into online accounts of all kinds, not just banking accounts. The moral of the “Zelle Fraud” is to never give out identifying information to someone who has called you. Even if it looks to be a legitimate call, it could be someone fishing for personal information to steal your identity, money or investment account.
So you might ask, how do you deal with issues like this? The best way to avoid falling for such traps is to always be on your guard. Don’t open e-mails that you have not asked for from your financial institutions: for example, if you get an e-mail that says your online statement is available, but you did not sign up for paperless billing, delete the e-mail because it is probably a trap to steal your account password. Along the same lines, always delete unrequested text messages that appear to be from your bank if you have not signed up for text notifications, or if the notification comes from a different number than prior notifications. When in doubt, always ignore or delete the messages and contact your financial institution yourself, using the number from your ATM card or bank web site. Never call back the number that sent the text or made the call.
I hate to say it, but the fastest way to allow a hacker to steal all your money or get into your accounts is to trust that people are who they say they are. If you get a call from your bank, always tell them you will give them a call back in a few minutes; never confirm your identity and never trust them for the callback number. Calling them at their known number and asking for the representative that called you is the safest way to ensure you are talking to a real person at your bank.
The worst part about this type of scam is the bank is usually unwilling to assist in funds recovery. Many consumers who were unaware they had Zelle accounts linked to their bank accounts have called their banks when noticing the illegitimate transfer, expecting credit card fraud-like protection, only to find they are in financial ruin and facing disappointment as the bank claims nothing can be done. If you run into this situation, mention that you are entitled to Regulation E protection, and the bank is required to refund the stolen money. The Consumer Financial Protection Bureau (CFPB) is conducting a probe into companies operating payment systems in the United States, with a special focus on peer-to-peer payment systems like Zelle. I recommend calling your bank and asking if they offer Zelle or similar services in their online banking applications just to know if you are vulnerable.
Until next week, stay safe and learn something new.
Scott Hamilton is a Senior Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to sh*******@te**********.org or through his website at https://www.techshepherd.org.