Big banks are making it easy to zap money to your friends. Maybe too easy.
Zelle, a service that allows bank customers to instantly send money to their acquaintances, is booming. Thousands of new users sign up every day. Some $75 billion zoomed through Zelle’s network last year. That’s more than twice the amount of money that customers transferred with Venmo, a rival money-transfer app.
But the same features that make Zelle so useful for customers, its speed and ubiquity, have made it irresistible to thieves. Hackers and con artists have used the system to steal from victims — some of whom had never used Zelle or even heard of it until someone used it to clean out their bank accounts.
Interviews with more than two dozen customers who had their money stolen through Zelle illustrate the weaknesses that criminals are using in targeting the network. While all financial systems are susceptible to fraud, aspects of Zelle’s design, like not always notifying customers when money is transferred — some banks do; others don’t — have contributed to the system’s vulnerability. And some customers who lost money were made whole by their banks; others were not.
For the banks, Zelle is a big — and must-win — bet on where money is headed. As consumers become increasingly accustomed to splitting dinner checks, paying for their morning coffee and hailing an Uber without touching paper money, banks are rushing to stake their claim on the wallet of the future.
In recent years, apps such as Venmo (which is owned by PayPal), Popmoney, Square Cash and Apple Pay made digital cash transfers quick and simple. Banks were falling behind. So they joined up to create a rival product, run by Early Warning Services, a Scottsdale, Arizona, consortium that is jointly owned by seven large banks.
Last June, Early Warning introduced Zelle. It is built directly into each bank’s mobile app, making the system easy to use for customers — or thieves who gain access to their accounts.
The scale of the problem is hard to pinpoint, because Zelle is fairly new and banks do not report much data about it. But banking analysts say they have seen some alarming incidents.
“I know of one bank that was experiencing a 90 percent fraud rate on Zelle transactions, which is insane,” said Genevieve Gimbert, a partner in PwC’s financial crimes unit. Most banks have strong authentication and fraud-detection controls for Zelle, she said, but some “just implemented it without any protections” like two-factor authentication and user-behavior monitoring.
(After the New York Times published this story, PwC issued a statement saying that the 90 percent figure used by Gimbert was "unsubstantiated" and that the firm regrets the error.)
Zelle said the problem was under control.
“There are very few incidents,” said Lou Anne Alexander, Early Warning’s head of payments. “When there is a problem, we and the banks are proactive. It’s not something we’re putting our heads in the sand about.”
Problem for BofA customer
Eighteen banks in the United States, including most of the biggest players, are using Zelle, and 70 more are in the process of setting it up. Collectively, they connect about half of the traditional checking accounts in the United States. Cash transfers within the network often take place within seconds — much faster than on most of its rival payment services. That has made it more difficult for banks to halt or reverse illicit transactions.
Security is a cornerstone of Zelle’s marketing campaign. In one TV commercial, Daveed Diggs, an actor and rapper known for “Hamilton” and “black-ish,” is encouraged to pay for playoff tickets through Zelle by another actor who raps: “You can send money safely, ‘cause that’s what it’s for, and it’s backed by the banks, so you know it’s secure.”
But the system has had problems. Brian Kemm, a Bank of America customer in Pasadena, California, lost $300 because of a misdirected payment.
To transfer money through Zelle, the sender enters the recipient’s phone number or email address. Zelle is built on the assumption that each of those identifiers is unique to one person.
Last November, Kemm tried to send cash to his mother, Carol Kemm, who is also a Bank of America customer. He typed in the mobile phone number Kemm had been using for at least three years and hit “send.”
“She told me she didn’t get it, and my first thought was, ‘Mom, you’re not being very tech-savvy,’” Kemm said. “Eventually, after a few days, I realized it really didn’t get there.”
When he called Bank of America’s customer service line, he learned that the $300 had been transferred — to a JPMorgan Chase bank account, whose owner had registered the same phone number Kemm used. He said he was told that there was nothing Bank of America could do to get his money back.
Kemm filed a police report and a fraud claim with Bank of America. On Nov. 30, the bank sent him a reply: “Our records indicate that we initiated the transfer in accordance with your instructions. As a result, your account will not be credited for this claim.”
After being contacted for this article, Bank of America said it would refund Kemm.
“In general, in cases in which the mobile number was previously registered to another person and directed to that account, we'll work with the receiving bank to reverse the transaction,” said Betty Riess, a bank spokeswoman.
Another Bank of America customer, Heather Pocorobba, went hunting March 18 for tickets to a Justin Timberlake concert. On Craigslist, she found two good seats for $260. The seller suggested she pay with Zelle.
“I naively believed that since my bank uses it, the accounts must be connected to real people, with some sort of protection built in,” Pocorobba said.
As soon as she sent the cash, the seller stopped answering her text messages. She never got the tickets — or her money back. She reported the fraud to the police and her bank.
Bank of America’s fine print about Zelle tells customers: “You are protected by the same security you’re used to where you will not be liable for fraudulent transactions.”
The catch is that the bank, like all the others that use Zelle, only considers transactions fraudulent if the customer did not authorize them. When a customer knowingly sends money to someone, the bank offers no protection against rip-offs. (Credit cards, by contrast, protect users against such scammers.)
“We’re committed to ensuring consumers are aware of potential scams, including reminding them that Zelle is intended for sending funds to friends, family or people they know,” said Riess, the Bank of America spokeswoman.
Risk warnings hard to find
Bob Sullivan, an author who specializes in cybercrime and consumer protection, said he was stunned by how poorly the banks had communicated Zelle’s risks — and by their failure to learn from the painful lessons of the past.
Craigslist, PayPal and Venmo faced early criticism for leaving users vulnerable to fraud. In response, each made changes. Craigslist, for example, added a warning about scams on every sale listing. PayPal increased the protections it offers on some digital sales and provided a detailed disclosure about what kinds of transactions it will and won’t protect.
And Venmo — which, like Zelle, does not protect users if a seller does not deliver what they promised — upgraded its security policies in 2015 to better detect fraud, including by notifying customers when someone adds an email address or new device to their account. This year, the Federal Trade Commission criticized the company for not having those protections in place from the start.
Customers have to hunt on Zelle’s website to get to this red flag: “Neither Zelle nor the participating financial institutions offer a protection program for any purchase or sale conducted using Zelle.” Some banks, such as JPMorgan, don’t notify customers when new recipients are linked to their Zelle accounts.
David Nowicki, a BB&T customer, discovered in March that someone had gained access to his online accounts and used Zelle to steal $4,000. Nowicki said he had never received any email or phone notifications about the transactions, or about a new computer accessing his account.
After he filed a fraud claim with BB & T, and a police report, the bank refunded his loss.
“We have multiple layers of security measures,” said David R. White, a BB & T spokesman. “Clients are protected and reimbursed for any unauthorized transactions.”
BB&T sends email notices about Zelle transactions, White said. Nowicki, however, said he was certain he had not received any.
Jane Butler, a Wells Fargo customer in Downingtown, Pennsylvania, first heard of Zelle when it was used to steal $2,500 from her bank account.
The con was elaborate. First, a phishing email that appeared to be from Wells Fargo tricked her into entering her bank ID and password into a fraudulent website. The next day, Butler got a call that appeared to be coming from Wells Fargo’s fraud department. The number she saw displayed on her phone screen matched the phone number on the back of her bank card – but it wasn’t her bank on the other end of the line. The call had been spoofed.
The caller tricked her into handing over one-time pass codes that provided access to Zelle, which was then used to make six transfers from her account, ranging from one penny to $999.98. Wells Fargo refunded Butler for her loss.
Others have fallen victim to similar calls. Cory McWilliams, a Wells Fargo customer in Houston, said that thieves had called him from a spoofed Wells Fargo number, fooled him into giving them authentication codes texted by the bank and then stole $1,000.
Jim Seitz, a Wells Fargo spokesman, said the company takes customer security “very seriously” and that it will “continue to evolve our multilayers of controls to further help our customers avoid becoming victims of fraud.”
McWilliams reported the theft to a banker at his local branch, and Wells Fargo refunded his loss.
“The banker I spoke with was not surprised at all,” McWilliams said. “He stated he was aware this sort of scam was going around.”
This story was originally published April 23, 2018 2:52 PM.