THANK YOU FOR SUBSCRIBING
The Quintessential Technology Source for Corporate Financial Professionals
CFO Tech Outlook Weekly Brief
Be first to read the latest tech news, Industry Leader's Insights, and CIO interviews of medium and large enterprises exclusively from CFO Tech Outlook
Karen Boyer, Vice President Fraud, People’s United Bank N.A.Zelle fraud. By now, we have all seen the headlines. We know the dangers of using Zelle and the terrible victim impact statements that come with it. You probably have even seen the interviews that paint this money movement channel as the worst thing to come out of the payment space since Shrute Bucks.
Now, I’m not underestimating the pain of losing money, just reflecting on the news that we have, unfortunately, grown accustomed to. That said, what if I were to tell you that what we refer to as “Zelle fraud” actually has nothing to do with Zelle at all? While it is true that Zelle has been repeatedly used as the preferred choice of many criminals to siphon funds from victims’ accounts, the actual fraud that is occurring has nothing to do with the platform itself.
First, let me explain how these scams work. There are some variations on the premise, but generally, most cases you hear about go something like this:
John receives a text from what appears to be his bank: “There’s been a $1000 purchase at a Wal-Mart in Florida. Did you do this? Answer Yes or No. Since John is in Maine (and the fraudsters know this), he quickly answers “no” to the text, panicked that his account has been hacked (a term that is also often misused).
Afterward, John receives a second text saying “Thank you for your response, a fraud representative will call you shortly.” This is quickly followed by a call from the fraudster, using an app that spoofs the bank’s 1-800 customer service number.
The fraudster’s script goes something like this: “John, this is Donna from the fraud department at ABC Bank. I understand that there was an unauthorized charge on your account recently.”
John: “Yes. I am not in Florida, and I didn’t go to Walmart.”
Donna: “Got it. Yes. I see that. For security purposes, is this John XYZ at 123 Main Street, and we’re talking about card ended in x6789?” (This information was already purchased on the dark net from a prior breach, and is the source the fraudster used to know which bank to impersonate. Naturally, this also builds credibility with John. Donna must be from the bank. After all, how else would she know all his information?)
John: “Yes, that is me.”
Donna: “Okay. We’ll get a claim started for you immediately. What is your username for your online banking?
John: “Umm… John123.”
Donna: “Got it… Oh, this is bad… Let me know your password so I can stop this now!”
John “321John”
Donna: “Thanks, John, and just so I can be sure that you are really John, I am going to send you a code. When you get it, read it back to me.”
John: “789606”
Donna: “Thank you. I got it.”
Now, the fraudster is in John’s profile and sending payments. After all, the code that John read off to the caller was what was needed to access his online profile. John is very grateful that Donna not only identified the fraud, but also called to file the claim for him to get his money back. However, it’s been a week and John’s money has still not been reimbursed, so he calls ABC Bank and inquires about his claim status. ABC Bank has no record of John’s claim filing, and tells John that he has probably been scammed. John, however, is completely confused, since his call log proves that it was the bank that called him!
“The best way to prevent fraud, and its many variants, is customer education”
There are many variations to this, and years ago, the questionable transaction would not only be hinted at, but completed. John would log into his account and see an actual $1000 payment to Wal-Mart, so clearly the phone call following this would have merit. Since then, the fraud groups realized the manpower and costs to perform the “baiting” transaction are not really necessary to trick a victim.
Why do these schemes work so well? Well, they mimic exactly what occurs when the bank questions a customer about a suspicious transaction. The difference is that a real bank representative would NEVER ask for your username OR password. And, for customers of banks without digital capabilities, the fraudster will simply ask for debit card and PIN numbers, which is another thing we wouldn’t do.
That is why I reiterate that this is not a scam from or against Zelle. It is a scam against humans, who, unfortunately, are continuously the weakest link in all transactions. This scam comes in so many forms that banks have been dealing with it for years. There is bill payment fraud, access to secret codes without permission, and even setting profiles up to fund an account linkage or transfer to another bank or PFM app. The results of many of these scams may not be evident for several months.
I am pretty sure Zelle is being singled out for its speed and ease of payment, but it is the customers of the banks that use the app that are the real targets. Not to mention, the recent saturation of Zelle means there is a high probability that 7 out of 10 victims would use the app on their online profiles.
The best way to prevent this fraud, and its many variants, is customer education. Of course, these efforts are fruitless unless the customer has an inkling that he or she is being scammed. In the industry, I continue to read and hear comments from vendors, which are echoed by the media, that banks don’t have the right fraud prevention tools, or that they don’t understand the scope of the fraud that is occurring I can confirm wholeheartedly that we do, but since fraud is such a small percentage of the traffic that occurs on any payment channel, legitimate traffic, along with customer experience and expectations, will always take priority.
To summarize, I’m not a Zelle advocate, but I am an anti-fraud professional who would like to redirect the attention to putting an end to the actual scam by redirecting the industry‘s focus. This is an impersonation scheme, not a supposed “Zelle fraud.”
Fortunately, the FTC recently started cracking down on impersonation scams, but these schemes are really just low hanging fruit. I invite them to look at the app stores that carry spoof apps and determine the real reason that anyone would ever have to impersonate someone. These apps not only override caller id systems, they also come equipped with voice changers, after first offering a free trial, the cost usually settles around $4.99, and that’s on the high side.
And, while it is certainly true that the debate of who “should” reimburse the victims is a real one, we aren’t EVER going to stop fraud, at its root cause, by only focusing on who will pay for it. We are allowing the fraudsters to have a field day while we all debate who is holding the proverbial hot potato. We need to stop the fraud by stopping the scam and eliminating the tools the thieves are using. Together, with a redirected focus, we can make fraud prevention become the new customer service.
Read Also
