Zelle scams: What to watch for and how to respond

Credit cards and digital payment apps such as PayPal offer some distinct advantages over cash, including the ability to recover money paid to scammers.

But Zelle, a digital payment network owned by seven major banks, isn’t so protective of its users.

If you use Zelle to pay someone who proves to be a con artist, you have only a slim chance of recovering the money from your bank. The same is true if you send money to the wrong person. If you hit Send, the money is probably gone — just as if you’d lost a $20 bill on the street.

On its page for reporting scams, Zelle says: “While we are unable to assist with getting your money back, it is important to us that users have the ability to report this experience. We will report the information you provide to the recipient’s bank or credit union to help prevent anyone else from having the same experience.”

Some critics argue that Zelle and its banking partners are misinterpreting the federal Electronic Fund Transfer Act of 1978 and the regulation implementing it, which shield consumers from much of the liability for “unauthorized” transfers. Under the law, an unauthorized transfer is when someone else initiates a transfer from your account without your approval.

According to Zelle and its partners, if you knowingly send cash to someone who’s taking your money under false pretenses, that’s an authorized transfer under the law. But under a class-action lawsuit filed in Orange County, the plaintiff — a college student who says she was conned out of $2,150 — argues that when someone induces you to send them money as part of a scam, that person is initiating a transfer without your authorization.

The Consumer Financial Protection Bureau could try to settle this dispute, but it hasn’t done so — yet. “Reports and consumer complaints of payments scams have risen sharply, and financial fraud can be devastating for victims,” a CFPB spokesman said in response to an inquiry from The Times. “The CFPB is working to prevent further harm, including by ensuring that financial institutions are living up to their investigation and error-resolution obligations.”

Kevin Roundy, senior technical director of the internet security company NortonLifeLock in Culver City, said other payment systems see more scammers than Zelle: “There are 30 times as many PayPal scams as Zelle scams,” he said.

“But I think [Zelle is] growing in popularity with scammers because it has some significant advantages from their perspective.”

The main one, he said, is that the money transfer is almost instantaneous. “It doesn’t give you the opportunity to hang up the phone, think about it for a few minutes, and go ‘Oh, no.’”

What is Zelle?

Zelle is a peer-to-peer payment system operated by Early Warning Services, an Arizona tech company owned by Bank of America, Wells Fargo, JPMorgan Chase, PNC Bank, U.S. Bank, Capital One and Truist. Last month it marked its fifth anniversary by announcing that it had handled more than 5 billion transactions involving $1.5 trillion.

Consumers enroll in Zelle through one of more than 1,700 participating banks or through the Zelle app, then use it to send money directly from their bank account to another Zelle user’s bank account. The transfer takes a few minutes or less to complete, and in most cases, there are no fees paid by either the sender or the recipient. (Zelle leaves the fees up to its banking partners, and most of them don’t charge any, said Meghan Fintland, the company’s senior director of external communications.)

The process is different from using checks, credit cards and digital payment systems such as PayPal in at least two important ways.

First, because the transfer goes swiftly from bank account to bank account, there is no entity holding onto the money while the transaction is verified or before it’s collected.

And second, because no fees are charged, Zelle isn’t building up a reserve to cover the fraud losses incurred by consumers on the platform. Credit card companies, by contrast, charge fees on every transaction.

Still, Zelle wouldn’t have trouble figuring out where any disputed payments went. People can’t collect money through Zelle without enrolling their U.S. bank or credit union account into the system.

What types of scams are on Zelle?

Early Warning Services touted its safety record in a statement this week, saying, “Tens of millions of consumers use Zelle without incident, with more than 99.9% of payments completed without any report of fraud or scam. Zelle usage has grown significantly since its launch, from 247 million transactions in 2017 to 1.8 billion in 2021, while the proportion of fraud and scams has steadily decreased.”

A new report from Sen. Elizabeth Warren (D-Mass.), on the other hand, estimates that the number of scam and fraud complaints on Zelle has increased rapidly in recent years. Note that both things could be true — as Zelle usage increases, the number of complaints about scams could rise while the percentage drops. Scam and fraud claims from Zelle users are on pace to increase 183% at four banks her office surveyed, from more than $90 million in 2020 to more than $255 million in 2022.

“Increasingly, customers are being defrauded through sophisticated deceptions involving a bad actor’s use of a reputable institution’s name or branding to induce a fraudulent payment — known as ‘spoofing’ — or a bad actor’s use of a consumer’s own contact information to disguise a payment to the bad actor’s account as a payment to the consumer’s account — known as ‘me-to-me,’” Warren’s report says.

Sadly, these sorts of scams are growing increasingly familiar to anyone with a smartphone and a bank account, regardless of whether they use Zelle, Venmo, PayPal or another payment system. In a spoofing scam, you’ll get an email, a text or a call that appears to come from a person or business you know, urging you to pay them through Zelle — in some cases, ironically, to protect yourself from a purported fraud. In the me-to-me scam, someone pretending to be from your bank tries to persuade you to send money to yourself through Zelle, while in the process hijacking your Zelle account with your help.

And even people who reported unauthorized Zelle transfers had trouble getting help from their banks, Warren’s report says. Data from Bank of America, U.S. Bank, PNC Bank and Truist indicate that these customers recovered less than half the money they lost in 2021 and the first half of 2022.

Adylia Roman of Westwood is one of the Zelle users who tried in vain to recover money from transfers that she insists weren’t authorized.

She shares a Bank of America savings account with her son, who received an email from the bank in April notifying him of a problem with the account. When her son called, Roman said, the bank told him about three back-to-back transfers from the account on April 18 that totaled $2,700. He knew nothing about the transfers or the recipient, a woman named “Marie,” and definitely never authorized them, Roman said. Bank of America said it would investigate.

A consumer who reports an unauthorized electronic funds transfer within two days is liable for no more than $50 of the loss, under federal rules. A consumer who waits longer to report the fraud could be liable for up to $500.

About a week later, Roman said, Bank of America sent a letter saying the transfers had involved an authorized device and had been validated by an authorized phone number — points that Roman and her son dispute. It said the case was closed, offering no chance to appeal and no help in recovering the money from the scammer.

When she contacted Zelle, Roman said, she was told there was nothing the company could do. Her son, meanwhile, feels intimidated and blamed by Bank of America for a problem he didn’t cause.

Betty Riess, a spokesperson for Bank of America, said customers whose requests for reimbursement are rejected “can always request an additional review.” And in cases when customers are scammed, she said, “We do reach out to the recipient bank to see if we can recover the money.”

How to use Zelle safely

Zelle instructs users in the process of making a payment to be sure to send money only to people they know and trust. It’s good advice, and it addresses part of the threat posed by scammers.

“If an offer sounds too good to be true, it probably is,” Zelle says on its website. “For example, is a stranger selling online concert tickets at a steep discount and insisting you pay with Zelle? Think twice.” Better yet, just say no.

There are other options better suited for purchasing items and services because they have mechanisms for recovering your money when you’re scammed. Venmo, for example, offers something it calls purchase protection for transactions involving goods or services. PayPal offers its own version.

Zelle also tells users to confirm the recipient’s mobile phone number or email address before sending money. Remember, if you make a mistake, Zelle and its banking partners will say that’s your problem, not theirs.

That leaves the threat of spoofing, in which scammers try to hide behind the names and brands you “know and trust.” They do so by using fake email addresses and phone numbers, or by timing a phone call to make it appear to be a response from your bank to a suspicious text you just received (that they just sent).

How do you guard against these sorts of attacks? Experts offer the following tips:

If it’s an email, look carefully at the sender’s address. Spoofers often create domains that are slightly different from the one they’re impersonating — for example, [email protected] — or that use a generic domain — say, [email protected]. If the sender’s domain doesn’t match the company’s, it’s not from the company.

Pro tip from the security firm Kaspersky Labs: Look at the entire email header, if your email software lets you do so. Official emails from your U.S.-based bank should not originate overseas.

If it’s a text warning you about Zelle fraud, do not reply to the text. Call your bank’s fraud hotline instead. Brian Krebs, a journalist who specializes in online security issues, described how this Zelle scam works: The scammer sends you a text purportedly from your bank, asking if you’d just tried to make a (fictitious) payment through Zelle. If you respond, that lets the scammer know you have a Zelle account — so the scammer then calls you, pretending to be someone from your bank’s anti-fraud unit. Then you are asked to reveal something that will help the scammer take your money. If you do, you’ve been had.

Scammers might also tell you that to stop the suspicious payment from being made, you need to send the amount in question through Zelle to a safe account at the bank, Roundy said. But that’s not a safe account — it’s the scammer’s, and you will be filling it.

Similarly, Roundy said, don’t use a Zelle address sent in a text to pay a bill. If you get a message that purports to be from a government agency or service provider, and it invites you to pay your bill via a Zelle address provided in the text, it’s almost certainly a scam. “Ninety-nine percent of the time, the legitimate institutions aren’t sending you a request for payment through Zelle,” he said.

More generally, do not reveal anything to an unknown caller, texter or emailer professing to be from your bank, no matter how persuasive their credentials are or how urgent the supposed problem with Zelle is. Instead, call the bank yourself, on the number listed on the back of your ATM card, to see if there is a problem with your account. And never, ever, ever reveal a two-factor-authentication code you receive from your bank, even to a caller who appears to be from your bank.

Watch how a me-to-me scam works, as explained by Patrick McKenzie, a software engineer at the payments company Stripe: You get a call from a scammer who claims to be from your bank, saying that someone has made an unauthorized transfer. To stop the fraud, you are told, you need to Zelle money to your own phone number. The scammer says the bank will send you a code via text to confirm, which the scammer will ask you to read aloud. Unbeknownst to you, however, the text from your bank is actually a two-factor-authentication code that will allow the scammer to assign a different phone number — the scammer’s — to your Zelle account. So when you send money from your bank via Zelle to yourself, you’re actually sending it to the scammer.

Roundy said Zelle “definitely has great use cases,” particularly when you’re sending money to people you know or can validate. But you need to be extremely careful when you send money to a person or business “where you’re not 100% sure of the provenance of an account.”

More safety tips

Taking a safety-first approach to the internet generally will help protect you against scams on Zelle and other payment platforms. This starts with using two-factor authentication wherever it is offered to protect your accounts. And it’s more secure to use an authenticator app on your phone instead of text messages as the second factor.

If you aren’t doing it already, filter out spam calls. Fraudsters do their work at scale, spamming scores of potential victims in search of a few gullible ones. The more times you answer a robocall (or respond to a spam email), the more you’ll invite the attention of other scammers.

Many smartphones running Apple or Android operating systems have built-in filters for unknown callers. There are also numerous apps offered by mobile phone networks and third-party developers; the Federal Communications Commission offers a partial list on its website.

Or you could do what my wife does, and send every call from someone not in her contact list straight to voicemail. Legitimate callers will leave a message.

Don’t click on attachments in unsolicited emails. That’s one of the main ways online criminals distribute malware.

While you’re at it, don’t click on links in emails from unknown senders. And even if you think you know the sender, make sure you know where the link would take you before you click on it. On a computer, you can right-click on the link with your mouse to copy it, then paste it into a text app to check the web address. Or you can hover over the link with your mouse, which should cause the URL to be displayed in a pop-up window. On a smartphone, pressing and holding a link should display the URL. If the address starts with “http:” instead of “https:”, that’s a big red flag.

Never, ever click on a link in a text to reset your password. That’s “highly likely” to be a scam, Kaspersky Labs warns. The company also says that financial institutions won’t ask for personal information via text, so that’s another tipoff when you’re dealing with a scammer.

What to do if you are defrauded

As noted above, Zelle will field your complaints about scammers on its website, but you won’t get your money back that way. Nevertheless, if you’ve been conned into sending someone money under false pretenses, you are the victim of a crime. So you should report it to law enforcement, including the FBI’s Internet Crime Complaint Center.

If money has been siphoned out of your bank account through a truly unauthorized transfer, Zelle’s policy calls for your bank to cover 100% of your loss, Fintland said. You should report the transfer(s) to your bank or, if you signed up through the Zelle app, report it to Zelle at (844) 428-8542.

However, banks will first investigate to determine whether the claim is valid, Fintland said.

That’s where some fraud victims say they are running into roadblocks.

Numerous media outlets have told of Zelle users who were defrauded but unable to recover their funds from their bank. And Warren’s office flatly states in its report, “Banks are not repaying customers who contest ‘unauthorized’ Zelle payments — potentially violating federal law and CFPB rules.”

Frank Hirsch, a lawyer of counsel with Kaufman & Canoles, noted that there are several class-action suits pending from Zelle users victimized by scammers. The plaintiffs argue that there should be no difference between a fraudster who hacks into your Zelle account to siphon off money and a fraudster who cons you into sending the money. “In both cases,” Hirsch said, “you’re defrauded.”

But the Electronic Fund Transfer Act was passed long before the commercial internet existed. Hirsch predicted that the question of whether banks have to reimburse Zelle users for fraudulently induced transfers is “likely to persist in the courts for a while until somebody says the Electronic Fund Transfer Act does not apply or does apply.”

“There’s many kind of circumstances where we’re trying to define where the line is drawn,” he said. “It’s difficult — particularly when you’re talking about new technologies” that entered the marketplace after the law was passed.

“But honestly, that is in part why we have a CFPB, and why we have an FTC [Federal Trade Commission], and why we have these regulators who are supposed to try to suss out and explain to the actors whether they have to comply with certain rules.”