Digital payment platforms are becoming the more popular, quick, and convenient way to send money. As the use of P2P apps, such as Venmo, Cash App, and Zelle, continues to rise, unfortunately, so do the scams. Fraudsters are becoming more clever with their scam tactics in order to fool victim’s into giving up their cash – especially with P2P transactions being instantaneous and usually hard to reverse**. It is important for our members to be educated and aware of these scams in order to avoid becoming the victim.
Here is how the latest type of scam works:*
- It starts with fraudsters sending account alerts to members via text message – appearing to come from the credit union – asking if they attempted a large dollar Zelle transfer. The user is given the option to choose “YES” or “NO”.
- If the user responds “NO”, the fraudster will call the member spoofing the credit union’s phone number, claiming to be from the credit union’s fraud department.
- Fraudster tells the user their Zelle transfers can be recoverable.
- Fraudster then tells the user in order to recover the stolen funds, user must use Zelle to transfer the funds to themselves using the users’ mobile phone number. However, first, the user needs to disable their phone number associated with their Zelle account.
- When the fraudster links the user’s mobile phone number to the fraudster’s Zelle account, a 2-factor authentication passcode is generated and sent to validate the mobile phone number. The text message containing the passcode is actually sent to the user’s mobile phone; however, the fraudster cons the user into providing the passcode over the phone.
- Fraudster enters the passcode to activate the mobile number on their Zelle account, and user is instructed to Zelle themselves the funds.
- The Zelle transfers instead go to the fraudsters.
There have been other cases where the members refused to provide the passcode to the fraudsters, the fraudsters impersonated the members and social engineered the members’ mobile phone carrier and were successful in porting the members’ mobile phones to a different carrier. Other credit unions reported that fraudsters successfully social engineered the credit union’s call center employees into changing mobile phone numbers on member accounts allowing the fraudsters to receive the passcodes. In some cases, the fraudsters hacked member email accounts to intercept passcodes sent via email. These tactics allowed fraudsters to intercept the passcodes needed to login to member accounts.
Here is how to protect yourself:^
- Don’t click on any links if you get an unexpected email or text message asking to send money.
- Be wary of unsolicited requests to verify account information.
- Verify legitimacy of the call by contacting the financial institution’s fraud department through their verified phone number on their website.
- Enable Multi-Factor Authentication (MFA) for all of your financial accounts and do not provide these codes over the phone.
- Be cautious of callers that provide information that is personally identifiable, such as Social Security numbers.
It is important to be aware that even if you get caught in a Zelle payment scam, you still may not be able to get your money back. Zelle doesn’t offer a protection program for authorized payments, so it is important that you should only be using the app to pay friends, relatives, coworkers, or people that you trust.
If you sent money to a scammer, report the scam to the mobile payment app and ask them to reverse the transaction right away. Then, report it to the Federal Trade Commission. When you report a scam, the FTC can use the information to build cases against scammers.
*Emerging Risks Outlook, Zelle and P2P Fraud, CUNA Mutual Group;
**Wells Fargo Zelle Scams Support Spoofing, 6abc News.;