You Should Know: The Zelle® Fraud Scam

As more and more consumers begin using Zelle® to move their money, fraudsters have taken notice. A new Zelle® scam is increasingly popular, where a scammer poses as a financial institution sending a fraud alert, only to steal the victim’s online banking account and loot it. Here’s what you need to know.

How It Works

It’s a clever — and as a result effective — scam that relies on what’s known as two-factor authentication to completely take over a victim’s online banking account. This is the step-by-step:

  1. You receive a fake fraud alert text from your bank or credit union warning you of a suspicious Zelle® transaction and are prompted to respond with “YES” or “NO” to confirm it.
  2. If you respond at all, regardless of response, the scammer will immediately call you and pose as a representative of the financial institution’s fraud department.
  3. To “verify your identity,” the scammer will then request your online banking username.
  4. After getting your username, they will then use the institution’s “Forgot Password?” feature to generate a two-factor authentication code for verification purposes.
  5. This is the moment the scam hinges on — the scammer will then claim to have sent you a security password that needs to be read back to them over the phone. This is actually the very two-factor code the scammer initiated.
  6. The scammer will then use the code you provide to reset your password.
  7. With the username and newly-created password, the scammer will take total control of your account.
  8. Using Zelle® within online banking, the scammer then transfers your funds out of the account.

Why It’s So Effective

What’s most dangerous about this new scheme is that a password isn’t even needed to complete the scam. Most of us know to never provide a sensitive password to anyone, even loved ones. But by posing as a fraud rep, asking for a username, and tricking the victim into providing a two-factor authentication code, the scammer has everything they need to set the password themselves and own the account.

How to Combat It

The first line of defense is always protecting your personal information. Just like your password, never provide account details to anyone. That includes usernames. Financial institutions will never ask for such info, especially over the phone.

Another motto to follow is a twist on a commonly used phrase: “Don’t trust. Verify.” If you suspect a scam is underway or have received unusual calls, emails, or texts, you should never immediately do what they request. Instead, verify that the messages are legitimate:

  • If it’s an email, check it out for phishing attempts. Do not click on any links. Instead, look at the email address, look up the financial institution’s official email, and compare them to verify that the email is legit.
  • If it’s a text message or phone call, do the very same thing. Look up the institution’s phone number to verify that it’s correct. 
  • There is a chance that the scammer will spoof the phone number, making it match the institution’s. In this case, do not call the scammer back. Instead, call the institution directly by entering their number manually. Then verify that they were the ones reaching out.

And as always, never hesitate to let us know if you think you’ve been scammed. We’ll do our best to stop it from going through and protect your personal and financial information from further impact.