UPDATED 11:30 a.m. EDT Tuesday, April 24, with comment from Early Warning Services, the parent company of Zelle.
Thieves may be plundering your bank account, thanks to an instant-payment service that your bank may have signed you up for without your knowledge.
The New York Times reported Sunday (April 22) about a rash of fraudulent payments involving Zelle, a direct-payment service that several large U.S. banks, including Bank of America, Capital One, Chase and Wells Fargo, launched in mid-2017 to compete with the better-known Venmo payment service owned by PayPal.
Fifty-nine U.S. banks and credit unions are part of the Zelle network. (The full list is here.) Unlike credit-card transactions, fraudulent payments can be hard to reverse on Zelle.
"I know of one bank that was experiencing a 90 percent fraud rate on Zelle transactions, which is insane," a financial-crimes specialist with the accounting firm PricewaterhouseCoopers told the Times. (PricewaterhouseCoopers later issued a statement that the 90 percent figure was "unsubstantiated.")
Tom's Guide has reached out to Zelle seeking comment, and we will update this story with the response.
MORE: What to Do If Your Credit Card Is Stolen
The Times' source says that the banks "just implemented it without any protections" that would normally be taken with online financial transactions, such as two-factor authentication or monitoring of user behavior.
In response, a spokeswoman for the holding company that owns Zelle said that there had been "very few incidents" of fraud.
If so, the Times managed to find a good number of those incidents. A woman fell for a phishing email and lost $2,500 to crooks who got into her Zelle account. A man had $4,000 transferred out of his account through Zelle without his knowledge. Another man got a phony call from someone pretending to be from his bank, and lost $1,000.
One Bank of America customer lost $300 because another person had registered his mother's phone number. Another lost $260 to a concert-ticket seller who never delivered.
The catch, the Times said, is that if a customer authorized a payment, even after having been tricked, the bank doesn't consider it a case of fraud. Bank of America refused to refund the money sent to the wrong phone number until the Times contacted the bank, and the man in question said on Twitter that the bank had not reached out to him.
"Every time a new payment app bursts on the scene, there’s a fraud learning curve," wrote independent fraud expert Bob Sullivan in a February blog posting about Zelle. "Companies never emphasize enough how risky the new app is, and consumers always learn the hard way how little they are protected."
The Times story says that Zelle compatibility is built into participating banks' mobile apps, so customers may not realize they have active Zelle accounts. A recipient's email address or cellphone number is all that's need to send a payment to a registered Zelle user.
TechCrunch wrote about Zelle fraud in February and noted that Zelle the service's fine print says that it's meant to be used "to send money to family, friends, and people that you are familiar with."
However, TechCrunch noted at the time that the Zelle front page, which has a picture of celebrity spokesman Daveed Diggs, touted the service as "a fast, safe and easy way to send money in minutes to almost anyone you know."
Today, that message's last five words are "to your friends and family."
UPDATE: "Safe banking is a top concern, and we offer consumers multiple layers of protection, and clear processes, to investigate and remediate unauthorized transactions," Zelle's parent company, Early Warning Services, told Tom's Guide. "While all financial products are susceptible to an array of threats from con artists and thieves, Zelle has seen very few incidences of fraud amongst the millions of transactions processed per day."