Send Money with Zelle®, but Watch for Scammers
CCU members’ use of Zelle®* services has grown significantly, with Zelle® reporting in March of 2021 that transaction volume and value from 2019 to 2020 increased 58% and 62%, respectively. Used as designed, it’s a great way to send and receive money. However, one of the most attractive qualities of Zelle® – the speed with which money is transferred – is why the service can be vulnerable to fraud schemes.
CUNA Mutual Group reports that a new scam has surfaced in which fraudsters represent themselves as the Zelle® user’s financial institution. They then con the user into using Zelle® to transfer funds to their own mobile phone number, under the premise of replacing stolen funds. The transfers, though, are routed to the fraudsters.
Details of the Scheme
- Fraudsters, posing as the victim’s financial institution (FI), send text alerts to account holders asking them if they attempted a large Zelle® transfer.
- Spoofing the FI’s phone number, fraudsters call the account holders who respond “NO.” (Spoofing is when fraudsters pretend to be someone or something else to win a person’s trust. The motivation is usually to gain access to systems, steal data, steal money, or spread malware.)
- Fraudsters tell the account holder that a Zelle® transfer pulled funds out of their account, but that the funds can be recovered.
- Fraudsters tell the account holder that recovering the stolen funds requires the account holder to use Zelle® to transfer funds to themselves using their mobile phone number. But before doing so, the fraudsters instruct the account holder to disable the mobile phone number associated with their Zelle® account.
- Unknown to the account holder, the fraudsters open an account at the account holder’s FI and establish Zelle® through a mobile banking channel, linking the account holder’s mobile number to Zelle®.
- When fraudsters link an account holder’s mobile phone number to the fraudulent Zelle® account, a 2-factor authentication passcode is generated and sent to validate the mobile phone number. The text message containing the passcode is actually sent to the account holder’s mobile phone. The fraudsters con the account holder into providing the passcode over the phone.
- Fraudsters enter the passcode to activate the mobile phone on the fraudulent Zelle® account.
- The account holder is instructed to Zelle® themselves funds.
- The transfer is actually directed to the fraudsters’ account.
How to Prevent This from Happening to You
- Do not provide verification codes, access codes, or passwords to anyone – even if they claim to be a CCU representative or a member of law enforcement.
- Do not wipe your existing phone number as a token, even at the request of an alleged CCU representative.
- You should independently confirm any action that a “CCU representative” asks you to take over the phone. Before carrying out such a request, you should end that call and contact us at the number listed on our website to confirm the validity of the instructions provided on the previous phone call.
- Again, as a means of independent verification, after receiving a call from an alleged “CCU representative” who asserts that your account has been subjected to a fraud loss, you should disconnect the call and access the account in question to see if there was such alleged activity.
- You should never Zelle® funds to yourself to/from the same account at any one credit union.
*Zelle® and the Zelle® related marks are wholly owned by Early Warning Services, LLC and are used herein under license.