Zelle, banks’ answer to Venmo, proves vulnerable to fraud
Big banks are making it easy to zap money to your friends. Maybe too easy.
Zelle, a service that allows bank customers to instantly send money to their acquaintances, is booming. Thousands of new users sign up every day. Some $75 billion zoomed through Zelle’s network last year. That’s more than twice the amount of money that customers transferred with Venmo, a rival money-transfer app.
But the same features that make Zelle so useful for customers — its speed and ubiquity — have made it irresistible to thieves. Hackers and con artists have used the system to steal from victims — some of whom had never used Zelle or even heard of it until someone used it to clean out their bank accounts.
Interviews with more than two dozen customers who had their money stolen through Zelle illustrate the weaknesses that criminals are using in targeting the network. While all financial systems are susceptible to fraud, aspects of Zelle’s design, like not always notifying customers when money is transferred — some banks do; others don’t — have contributed to the system’s vulnerability. And some customers who lost money were made whole by their banks; others were not.
For the banks, Zelle is a big — and must-win — bet on where money is headed. As consumers become increasingly accustomed to splitting dinner checks, paying for their morning coffee and hailing an Uber without touching paper money, banks are rushing to stake their claim on the wallet of the future.
In recent years, apps such as Venmo (which is owned by Paypal), Popmoney, Square Cash and Apple Pay made digital cash transfers quick and simple. Banks were falling behind. So they joined up to create a rival product, run by Early Warning Services, a Scottsdale, Ariz., consortium that is jointly owned by seven large banks.
Last June, Early Warning introduced Zelle. It is built directly into each bank’s mobile app, making the system easy to use for customers — or thieves who gain access to their accounts.
The scale of the problem is hard to pinpoint, because Zelle is fairly new and banks do not report much data about it. But banking analysts say they have seen some alarming incidents.
“I know of one bank that was experiencing a 90 percent fraud rate on Zelle transactions, which is insane,” said Genevieve Gimbert, a partner in Pwc’s financial crimes unit. Most banks have strong authentication and fraud-detection controls for Zelle, she said, but some “just implemented it without any protections” like two-factor authentication and user-behavior monitoring.
Zelle said the problem was under control.
“There are very few incidents,” said Lou Anne Alexander, Early Warning’s head of payments. “When there is a problem, we and the banks are proactive. It’s not something we’re putting our heads in the sand about.”
Eighteen banks in the United States, including most of the biggest players, are using Zelle, and 70 more are in the process of setting it up. Collectively, they connect about half of the traditional checking accounts in the United States. Cash transfers within the network often take place within seconds — much faster than on most of its rival payment services. That has made it more difficult for banks to halt or reverse illicit transactions.
Security is a cornerstone of Zelle’s marketing campaign. But the system has had problems. Brian Kemm, a Bank of America customer in Pasadena, Calif., lost $300 because of a misdirected payment.
To transfer money through Zelle, the sender enters the recipient’s phone number or email address. Zelle is built on the assumption that each of those identifiers is unique to one person.
Last November, Kemm tried to send cash to his mother, Carol Kemm, who is also a Bank of America customer. He typed in the mobile phone number Kemm had been using for at least three years and hit “send.”
“She told me she didn’t get it, and my first thought was, ‘Mom, you’re not being very tech-savvy,’” Kemm said. “Eventually, after a few days, I realized it really didn’t get there.”
When he called Bank of America’s customer service line, he learned that the $300 had been transferred — to a Jpmorgan Chase bank account, whose owner had registered the same phone number Kemm used. He said he was told that there was nothing Bank of America could do to get his money back.
Kemm filed a police report and a fraud claim with Bank of America. On Nov. 30, the bank sent him a reply: “Our records indicate that we initiated the transfer in accordance with your instructions. As a result, your account will not be credited for this claim.”
After being contacted for this article, Bank of America said it would refund Kemm.
“In general, in cases in which the mobile number was previously registered to another person and directed to that account, we’ll work with the receiving bank to reverse the transaction,” said Betty Riess, a bank spokeswoman.
Bank of America’s fine print about Zelle tells customers: “You are protected by the same security you’re used to where you will not be liable for fraudulent transactions.”
The catch is that the bank, like all the others that use Zelle, only considers transactions fraudulent if the customer did not authorize them. When a customer knowingly sends money to someone, the bank offers no protection against rip-offs. (Credit cards, by contrast, protect users against such scammers.)
“We’re committed to ensuring consumers are aware of potential scams, including reminding them that Zelle is intended for sending funds to friends, family or people they know,” said Riess, the Bank of America spokeswoman.
Bob Sullivan, an author who specializes in cybercrime and consumer protection, said he was stunned by how poorly the banks had communicated Zelle’s risks.
Customers have to hunt on Zelle’s website to get to this red flag: “Neither Zelle nor the participating financial institutions offer a protection program for any purchase or sale conducted using Zelle.” Some banks, such as Jpmorgan, don’t notify customers when new recipients are linked to their Zelle accounts.
David Nowicki, a BB & T customer, discovered in March that someone had gained access to his online accounts and used Zelle to steal $4,000. Nowicki said he had never received any email or phone notifications about the transactions, or about a new computer accessing his account.
After he filed a fraud claim with BB & T, and a police report, the bank refunded his loss.