Two Chicago-area women say scammers bilked them out of $3,500 each by conning them over the phone and then using the Zelle mobile-payment system to withdraw money from their Bank of America accounts.
"It's really distressing," one of the women, Nausheen Brooks, told TV station WLS. "You save your hard-earned money to just be taken away from you."
The scammers texted Brooks and the other woman, Darlene Chelsey, pretending to be Bank of America and asking them to verify purchases. Both women denied making the purchases in question, and then were called by persons claiming to be bank representatives. The scammers used what appeared to be legitimate Bank of America phone numbers.
The women were each told that there had been Zelle withdrawals from their accounts, but that the problems could quickly be fixed if they used their own mobile banking apps to transfer the money back to themselves.
Brooks and Chelsey both did so, and the money disappeared. It seems that both their Zelle accounts had already been taken over by the scammers.
"They definitely had access to the account if the money was wired to herself," Bogdan Bodezatu, a threat researcher with Bitdefender, told WLS. He added that the scammers may have gotten access to the accounts due to data breaches at other websites, which can compromise reused passwords.
How to avoid Zelle scams
Avoiding Zelle scams is like avoiding many other online scams. Create strong, unique passwords for any account that involves money, especially banking accounts, and use one of the best password managers to keep all of them straight.
Don't trust anyone who calls or texts you and wants you to perform a financial transaction, even if that person appears to be from your bank. Instead, call the bank yourself using a number that you look up.
Don't give out one-time-use verification codes to anyone, even if they claim to be from your bank. And again, never reuse passwords for sensitive accounts.
Years of Zelle scams
Sadly, this is not a new occurrence. Zelle-based scams have been happening for years — we first wrote about them in April 2018.
The earliest scams involved crooks getting people to pay for non-existent items through Zelle, then discovering they couldn't get their money back because, unlike with a credit card, the money is withdrawn immediately from your bank account.
That's because Zelle is owned by seven of the largest U.S. banks, including Bank of America, and used by hundreds more banks. Anyone who has an account with those banks is eligible for a Zelle account, and many banks build Zelle right into their own mobile apps.
These most recent scams seem to involve persons whose accounts have already been hijacked, perhaps through password reuse. (If you use a password on more than one account, then a compromise of any one of those accounts compromises them all.)
Why Zelle is vulnerable
The real problem is that Zelle uses email addresses and phone numbers to identify account holders, and neither was ever designed to be foolproof. Both email addresses and phone numbers can be easily "spoofed" by cheap software.
Many banks do text a one-time code to customers to verify certain transactions, yet not only can text messages be intercepted, but scammers can con customers into revealing texted codes.
Another issue is that Zelle has direct access to bank accounts. Venmo, which is not affiliated with the banks, makes users create a separate account that is linked to a credit card or into which the users deposit money. This creates a buffer between Venmo transactions and their bank accounts.
We've reached out to Zelle to ask if the company has made any security improvements in the past three years, and whether Zelle would consider setting up a "staging" account to act as a buffer, similar to the way Venmo operates. We'll update this story when we receive a response.
In the meantime, one thing does appear to have changed: Both Brooks and Chelsey had their $3,500 losses covered by Bank of America. That's a better outcome than some of the earliest Zelle scam stories, in which the victims were essentially told by the banks that they should have read the fine print.
That fine print, by the way, still says that the bank isn't legally liable if you transfer money via Zelle to the wrong people.
Update: Zelle responds
In response to our inquiries, Zelle provided this statement.
"Phishing Scam: This is an example of a phishing scam where the scammer spoofed the Bank of America phone number and attempted to convince the individual to provide their personal information, not a breach of Bank of America or Zelle security.
We'd like to remind consumers that your bank will never call you to ask for sensitive information and they would not ask a customer to transfer funds between accounts in order to prevent fraud. Hang up and call your bank at the phone number listed on the back of your bank-issued debit card or on the bank’s official website if you must provide information over the phone.
In-App Notifications: When consumers send money using Zelle within their mobile or online banking experience, they are sending money directly from their bank account to another person's bank account, typically within minutes when both users are already enrolled.
When sending money there is a final prompt requiring the sender to confirm the mobile number or email address being used and that it belongs to the intended recipient. This prompt provides the first name of the person who the mobile number or email is enrolled to and an alert that the payment cannot be cancelled once sent.
Consumer education: Zelle is working to address an acute need for financial education. Through our Pay It Safe initiatives, we have partnered with organizations to offer free financial education to consumers through modern banking courses and consumer protection resources.
Through a strategic partnership with EVERFI — the leading social impact education technology company — we have reached more than 60k students in 47 states. Results show that high school students achieved a 39% average knowledge gain after taking the Zelle Money Moves: Modern Banking & Identity Protection course.
In addition, we are working with Cybercrime Support Network to spread awareness and educate consumers and small businesses on avoiding financial fraud and scams."
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.