Blogs

The increasing popularity of digital payment platforms, known for their speed and convenience, is accompanied by a rise in fraud. Peer-to-Peer (P2P) apps like Venmo, Cash App, and Zelle are widely used and the transactions are often difficult to reverse, making them attractive tools for scammers. To prevent financial loss, it is crucial for everyone using these apps to be aware of how the fraudsters work and how to protect yourself and your customers or members.

How P2P Scams Happen

P2P scammers typically employ social engineering, which is psychological manipulation used to gain the victim’s trust and trick them into sharing confidential personal and financial information.

One of the more prevalent Zelle schemes begins with the fraudsters sending an accountholder a text message that appears to be coming from their financial institution. The message asks if they initiated a large-dollar Zelle transfer; the accountholder responds with either "YES" or "NO."

• If the accountholder chooses "NO," the fraudster proceeds to call the individual, spoofing their financial institution’s phone number and posing as a representative from the fraud department. The fraudster falsely reassures the accountholder not to worry because their Zelle transfer can be recovered.
  
  
• To initiate the supposed recovery process, the fraudster instructs the accountholder to utilize Zelle to transfer the funds back to their account by using their mobile phone number. However, the accountholder is told to first disable the mobile phone number associated with their Zelle account.
  
  
• The fraudster then links the accountholder’s mobile phone number to the fraudster's Zelle account and a one-time passcode is generated and sent to validate the mobile phone number. Although the passcode is sent to the accountholder’s mobile phone, the fraudster manipulates the accountholder into providing the passcode to them over the phone.
  
  
• The fraudster enters the passcode to activate the victim’s mobile number on the fraudster’s Zelle account. The accountholder thinks they are transferring the “recovered” funds back to their account, but the funds instead are directed to the fraudster’s account.

How to Protect Yourself

Protecting yourself from financial fraud is not difficult, but it does require constant vigilance and caution. 

• Never disclose bank authentication or verification numbers or other personal information, including account usernames, passwords, Social Security number, or details of your bank accounts, debit cards, and credit cards, to any individual who contacts you, even if the caller ID suggests they are from a familiar company. Legitimate institutions will not call you to ask for personal information.
  
  
• If you receive a call purporting to be from your financial institution, hang up and call the official financial institution phone number on the back of your card or on your statement for verification. Do not search for a customer service phone number online, as fraudsters sometime create deceptive websites with toll-free numbers that redirect to them.
  
  
• Refuse when a stranger tries to persuade you to send money, either to yourself or someone else. Do not send money to individuals you are unfamiliar with or have not met face to face; be certain you know and trust the recipient when transferring money. In addition to verifying the recipient's name, email address, and phone number, send a $1 test transaction to any new recipients before sending a larger amount. A single mistake, such as an incorrect digit, could result in transferring funds to the wrong person. Once the transaction is sent, the financial institution may not be able to recover it.
  
  
• Set up alerts to receive notifications of any transactions on your accounts.  If you have not already done this, do it now.
  
  
• Implement multi-factor authentication, such as a verification code sent via text, for all accounts. Never share verification codes with anyone, even those claiming to represent your financial institution.
  
  
• Never let anyone gain access to your phone.
  
  
• Ensure that any bank or P2P app you use is regularly updated to maintain security features.
  
  
• Always exercise caution when accessing financial or personal information on public Wi-Fi or mobile hotspots; these channels often lack security, making it easier for hackers to capture sensitive personal data.
  
  

Tips for Financial Institutions Launching Zelle

Careful, thorough planning can ensure you are ready to protect your institution and your customers or members.

• Make sure your implementation team includes all internal stakeholders, especially your fraud department.
  
  
• Partner with a vendor that can:
  
  
• Stop the fraud at the app’s “front door” prior to gaining access to money movement.
  
  
• Provide real time alerts for suspicious activity.
  
  
• Offer biometric security features.
  
  
• Set risk-based parameters for Zelle eligibility; some accountholders may not qualify for access to the service.
  
  
• Start with low transaction limits and consider increases as your fraud detection analytics improve over time. Be cautious about relying on Zelle averages to determine the appropriate limit for your institution.
  
  
• Consider activity-based automatic service level tiers if offered by your service provider, for example:
  
  
• Tiers:  Bronze, Silver, Gold, Platinum
  
  
• At launch all accountholders are assigned to the Bronze tier with the lowest limit, e.g. $100.  When an accountholder meets preestablished activity criteria, e.g., uses the service at least three times per month with dollar values of at least $25 per transaction, they move up to the Silver tier.
  
  
• This progression continues with higher transaction limits and activity levels at each tier.
  
  
• Staff adequately for the review of internal fraud alerts and those coming directly from Zelle or from your service provider. Your institution is required to respond to Zelle alerts.
  
  
• Ensure the messaging to accountholders accompanying one-time passcodes emphasizes that the code should never be shared with anyone.
  
  
• Provide ongoing customer education about recognizing and preventing fraud schemes.

Reporting Fraud

If financial fraud occurs, reporting it is key to protecting the community; investigators need this information to build cases against scammers and stop them.

• Report Zelle Fraud: Report a Scam | Zelle (zellepay.com)
  
  
• Report directly to the FBI Internet Crime Complaint Center at https://www.ic3.gov
  
  
• Explore additional safety resources from your financial institution, Cybercrime Support Network, FTC, CFPB or other community resources for fraud victims.

If you are a visual learner, you can find the content above in interactive microsession format in our member Fraud Forum Community.  Other great resources in the Fraud Forum cover Check Fraud, Online Account Opening Fraud, and coming soon, Debit Card Fraud. I also highly recommend our free Fraud Reduction Meetings that happen in multiple locations throughout the year, where members share information on fraud they are seeing at their institutions and brainstorm mitigation strategies. 

Keep an eye out for more details to come on our annual Financial Crimes Symposium, happening September 19 in San Antonio, with a virtual option!

Please let me know if you have any questions about any of our fraud resources.  I can be reached at vrini@epayresources.org.