Updated with comments from the Consumer Financial Protection Bureau.
More and more people are losing thousands of dollars to scams involving the Zelle mobile banking app — and then finding that their banks won't help them until they get their stories on the TV news.
In nearly a dozen cases reported across the U.S., the method is the same: The victim receives a text message warning of a "fraud alert" about a pending payment via Zelle, which the victim is asked to confirm or deny.
If the victim denies the transaction, he or she is quickly telephoned by someone claiming to be a bank representative. The caller ID seems to verify that the call is coming from the bank.
"I wrote, 'No,' and so instantly, not even two minutes later, I get a phone call," Barbara Zyhajlo of South Amboy, New Jersey, told WABC-TV. "It's a guy, he says his name is Sharif, he's here to help me."
"This person said that this person was trying to scam me, and that he could help me out," Claudia Rivera of San Jose, California, told KGO-TV.
The victim is asked by the phony bank rep to provide the credentials for his or her Zelle account to prevent the unauthorized transfer. Once the victim does so, money is taken out of their bank account.
"Sure enough, I looked at my account, and $3,500 was gone," Paige Pollack, a nurse in the San Francisco Bay Area, told KGO-TV.
Tom's Guide reached out to Zelle, which told us that it's up to the individual banks to handle claims of fraudulent transactions.
"The reports of recent scams and any scam or fraudulent use of Zelle is simply unacceptable," a Zelle spokesperson told us.
"When a consumer reports an incident to us, we immediately inform our partner financial institutions to investigate and take actions to prevent additional abuse. We aren't able to comment on behalf of our FI [financial institution] partners, and recommend reaching out to them directly with your questions."
How to protect your bank account from Zelle scams
Zelle is fast and convenient, but that's also its weakness. Unlike its rival Venmo, it has direct access to your bank account, so once you authorize a transaction, the money moves as quickly as possible.
Furthermore, Zelle fraud falls into a legal gray area. Some experts say that fraud victims are protected by the Electronic Fund Transfer Act, the same law that limits a consumer's losses due to credit-card fraud. Under the EFTA, these experts say, victims of electronic-fund-transfer phishing scams should be reimbursed by the banks for their losses. [The Consumer Financial Protection Bureau agrees; see below.]
However, many banks claim that because the victims trust the fake bank representatives and in fact do authorize the transactions, those do not qualify as "unauthorized transactions" under the law. As a result, these banks argue, they bear no responsibility.
We've reached out to the government's Consumer Financial Protection Bureau for clarification.
Because of these technical and legal factors, it might be safer to use Venmo. Payments from Venmo draw money either from a credit or debit card, which have clear legal protections for consumers, or from a limited Venmo account into which you can deposit money for future transactions.
Many banks build Zelle right into their mobile apps, however, and some victims have been scammed before they even knew they had Zelle accounts. Contact your bank and ask if that's the case with its mobile app, and if so, if and how you can deactivate Zelle.
If you do decide to use Zelle, then make sure your passwords for the Zelle app or your bank's mobile app are strong and unique. Use a password manager if you have to, and turn on two-factor authentication if your bank's app offers it.
As always, never trust anyone who calls or texts you and wants you to perform a financial transaction, even if that person appears to be from your bank. Instead, call the bank yourself using the number on the back of your bank's ATM card. And don't give out one-time verification codes to anyone.
One very big bank wouldn't help victims at first
The three women mentioned earlier are all Bank of America customers — and all three were told by the bank that there was nothing the bank could do to help them recover the money.
"I called Bank of America right away," Rivera told KGO-TV. "They told me there was no solution. I was shivering, I was crying. That was all the money I had."
A fourth woman, Katie Singer of Oakland, California, who had $3,500 drained from her Bank of America account, said she had never even used the Zelle app before.
"They told me because Zelle is a third-party company, they basically didn't have any control over that," Singer told KGO-TV.
In fact, Zelle is owned by a consortium of seven U.S. banks: Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank and Wells Fargo. Many other banks use Zelle as well.
"I trusted my bank that they have top-of-the-line security," a fifth Bank of America customer, Crystal Vaka of Antioch, California, who also lost $3,500, told KGO-TV. "They were telling me, 'I'm sorry ma'am, you and many others fell for this kind of scam, and there's nothing we can do.'"
Bad publicity seems to get good results
However, when local TV news broadcasts aired the five women's stories, Bank of America suddenly changed its mind. The victims all got their money back. Bank of America told KGO-TV that it considers each case individually.
If this sounds familiar, Tom's Guide reported on similar cases just two months ago. Two Chicago-area women were each scammed out of $3,500 using the exact same scam described above. Both women got their money back after WLS-TV asked Bank of America about the incidents.
The same thing happened to a woman in Texas — Bank of America washed its hands of the $3,000 she lost until a Dallas TV station started asking questions.
For the Chicago story, we reached out to Zelle for comment and were told that these cases were "not a breach of Bank of America or Zelle security."
"We'd like to remind consumers that your bank will never call you to ask for sensitive information and they would not ask a customer to transfer funds between accounts in order to prevent fraud," Zelle said.
Not all banks dismiss victims' problems
Similar scams have recently befallen Chase banking customers. A Southern California man lost $19,300 that he was saving for his daughter's college tuition. And a Cincinnati woman trying to start her own business lost more than $13,000 when a scammer pretending to be a Chase bank representative tricked her into giving up her Zelle login credentials over the phone.
"This has just, like, taken me out," Catina Brown, the Cincinnati victim, told WCPO-TV.
The difference here is that JPMorgan Chase says it is still investigating these two cases and has not refused outright to cover these victims' losses. (However, a Chase customer in North Carolina was told she was on her own after losing $2,000.)
Two Wells Fargo customers and one BB&T (now Truist) customer who had lost money in Zelle phishing scams were refunded their losses by their banks without much fuss, The New York Times reported in 2018.
We've reached out to Chase for clarification of its policies regarding such cases. We've also reached out to Bank of America and the Consumer Financial Protection Bureau for comment and clarification. We will update this story when we receive replies.
Updates: Bank of America and Chase respond
In response to our queries, a Bank of America spokesperson told us:
"It's important your readers understand banks would not ask a customer to transfer funds between accounts or request sensitive account information. We alert clients during the transaction if they are sending money to a new recipient that they should only send to people they trust and never transfer money as a result of an unexpected call or text."
We were also pointed to a Bank of America web page that instructs customers on how to avoid scams of this nature. We're not sure if the alerts about money sent to new recipients would work in these scams, which mostly involve the victims transferring money into their own Zelle accounts.
A Chase spokesperson provided this statement:
"Unfortunately, scammers target consumers from many banks. We urge all consumers never to share their banking password or to send money to someone who says it will prevent fraud on their account. Bank employees won’t call, text or email consumers asking for this, but crooks will."
The Chase spokesperson pointed us to a page dedicated to spotting fraud on the Chase website.
Frankly, we're not sure such statements will reassure a bank customer who doesn't understand that they were not speaking to an actual bank representative when they were scammed, and who doesn't understand how such things could happen in the first place. Telling victims that they were scammed because they were dumb doesn't help.
It's likely that these kinds of scams will keep happening until some kind of friction is added to the Zelle payment system — perhaps a waiting period for transactions to go through, or mandatory two-factor authentication, or a limited Zelle reserve account that the consumer can top up periodically. Until then, people will keep getting ripped off.
Update: Government agency says banks should take responsibility
We got a response from the Consumer Financial Protection Bureau regarding whether banks can claim that losses incurred by consumers who fall victim to electronic-funds phishing scams are the result of "authorized" transfers by the owners of the phished accounts.
Such scams, as detailed earlier in this story, definitely are considered "unauthorized electronic fund transfers (EFTs)" under federal law, the CFPB told us via email.
We were directed toward a FAQ that explains that "an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery."
Another form of unauthorized EFT is "when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account."
Furthermore, the FAQ states, banks may NOT "consider a consumer's negligence when determining liability for unauthorized electronic funds transfers."
Now, the banks are not immediately liable for covering the victims' losses. But they cannot refuse to consider doing so outright. Instead, they are obligated to open an investigation.
However, says the FAQ, "if a consumer has provided timely notice of an error ... and the financial institution determines that the error was an unauthorized electronic fund transfer (EFT), the liability protections Regulation E, § 1005.6, would apply."
Regulation E, § 1005.6 is the law that limits liability for fraudulent use of a debit card. If the customer notifies the bank within two business days of learning of fraudulent use of the customer's debit card, then the customer is on the hook for at most $50.
We've asked the CFPB if and how they plan to force banks to comply with these regulations regarding Zelle scams and other mobile electronic-fund-transfer scams.