Fraud Is Flourishing on Zelle. The Banks Say It’s Not Their Problem.
Justin Faunce lost $500 to a scammer impersonating a Wells Fargo official in January and hoped that the bank would reimburse him. Mr. Faunce was a longtime Wells Fargo customer and had immediately reported the scam — involving Zelle, the popular money transfer app.
But Wells Fargo said the transaction wasn’t fraudulent because Mr. Faunce had authorized it — even though he had been tricked into transferring the money.
Mr. Faunce was shocked. “It was clearly fraud,” he said. “This wasn’t my fault, so why isn’t the bank doing the right thing here?”
Consumers love payment apps like Zelle because they’re free, fast and convenient. Created in 2017 by America’s largest banks to enable instant digital money transfers, Zelle comes embedded in banking apps and is now by far the country’s most widely used money transfer service. Last year, people sent $490 billion through Zelle, compared with $230 billion through Venmo, its closest rival.
Zelle’s immediacy has also made it favorite of fraudsters. Other types of bank transfers or transactions involving payment cards typically take at least a day to clear. But once crooks scare or trick victims into handing over money via Zelle, they can siphon away thousands of dollars in seconds. There’s no way for customers — and in many cases, the banks themselves — to retrieve the money.
Nearly 18 million Americans were defrauded through scams involving digital wallets and person-to-person payment apps in 2020, according to Javelin Strategy & Research, an industry consultant.
“Organized crime is rampant,” said John Buzzard, Javelin’s lead fraud analyst. “A couple years ago, we were just starting to talk about it” on apps like Zelle and Venmo, Mr. Buzzard said. “Now, it’s common and everywhere.”
The banks are aware of the widespread fraud on Zelle. When Mr. Faunce called Wells Fargo to report the crime, the customer service representative told him “a lot of people are getting scammed on Zelle this way.” Getting ripped off for $500 was “actually really good,” Mr. Faunce said the rep told him, because “many people were getting hit for thousands of dollars.”
Justin Faunce lost $500 to a scammer impersonating a Wells Fargo official in January.Credit…Carlos Bernate for The New York Times
Wells Fargo later sent him a note saying it did not consider his loss to be a fraudulent one.
It’s not clear who is legally liable for such losses. Banks say that returning money to defrauded customers is not their responsibility, since the federal law covering electronic transfers — known in the industry as Regulation E — only requires them to cover “unauthorized” transactions, and the fairly common scam that Mr. Faunce fell prey to tricks people into making the transfers themselves. Victims say because they were duped into sending the money, the transaction is unauthorized. Regulatory guidance has so far been murky.
When swindled customers, already upset to find themselves on the hook, search for other means of redress, many are enraged to find out that Zelle is owned and operated by banks.
“It’s like the banks have colluded with the sleazebags on the street to be able to steal,” said Bruce Barth, another victim. In late 2020, Mr. Barth was hospitalized with Covid-19 and his phone disappeared from his hospital room. A thief got access to his digital wallet and ran up charges on his credit card, took out cash at an A.T.M. and used Zelle to make three transfers totaling $2,500.
All three accounts were at Bank of America, where Mr. Barth has been a customer for more than 30 years. When he filed fraud reports, the bank quickly refunded his cash and credit card losses. But it denied his claims for the Zelle thefts, saying the transactions were validated by authentication codes sent to a phone that had been previously used for that account. Bank of America was essentially saying that the Zelle transactions were authorized — even if his phone was stolen.
Mr. Barth was livid. “I filed grievances with every agency I could get my hands on, locally and nationally,” he said. “Every response I got was useless.”
After The New York Times contacted Bank of America about Mr. Barth’s case, it refunded him. Bill Halldin, a bank spokesman, said the decision was “based on new information” provided in late February.
The Zelle network is operated by Early Warning Services, a company created and owned by seven banks: Bank of America, Capital One, JPMorgan Chase, PNC, Truist, U.S. Bank and Wells Fargo. Early Warning, based in Scottsdale, Ariz., manages the system’s technical infrastructure. But the 1,425 banks and credit unions that use Zelle can customize the app and add their own security settings.
Peter Tapling, a former executive at Early Warning who is now a payments consultant, said banks haven’t done enough to educate customers about the risks of Zelle. He suggested that customers treat Zelle as they would cash. “Don’t hit the button to send this money unless you would hand this person $100 and walk away, because the moment you send it, it’s gone,” he said.
It’s hard to tell exactly how much fraud takes place through Zelle because banks aren’t required to publicly report their losses. Banks say they take fraud seriously and are constantly making adjustments to improve security. But police reports and dispatches from industry analysts make it clear that the network has become a preferred tool for grifters like romance scammers, cryptocurrency con artists and those who prowl social media sites advertising concert tickets and purebred puppies — only to disappear with buyers’ cash after they pay.
The Consumer Financial Protection Bureau issued detailed guidance to banks last year about what kinds of fraudulent losses they’re required to repay. The regulator requires banks to reimburse customers for losses on transfers that were “initiated by a person other than the consumer without actual authority to initiate the transfer,” including those who obtain a victim’s device through fraud or robbery.
That guidance set off alarm bells among banks, said Deborah Baxley, a partner at PayGility Advisors, a consulting firm that specializes in the payments market. Until then, “the banks’ point of view was pretty much ‘sorry customer, it’s on you,’” she said.
Still, the consumer agency doesn’t address who is responsible for a fraudulently induced transfer if the customer physically hit the buttons.
“The C.F.P.B. is aware of the problem and considering how best to address it,” said Tia Elbaum, an agency spokeswoman.
The scheme that ensnared Mr. Faunce — some bankers call it the “me-to-me” scam — has become so common that it’s a staple of local news reports and police blotters. The consumer bureau has been barraged with complaints. In Pennsylvania, a surge in reports about the scam prompted the police to issue a warning. The precise mechanics vary, but it is typically a psychological con that involves tricking victims into surrendering sensitive information.
In Mr. Faunce’s case, it started with a text message that appeared to come from Wells Fargo’s fraud department, asking him to verify whether he had made a payment through Zelle.
Moments after he texted back “no,” his phone rang. The caller ID flagged the number as Wells Fargo. The man on the line identified himself as a Wells Fargo employee and told Mr. Faunce that a thief was trying to empty his bank account using Zelle. To stop the transactions, the man said, Mr. Faunce would need to send the money back to himself.
Behind the scenes, the thief had linked his account, which was also at Wells Fargo, to Mr. Faunce’s phone number. To use Zelle, customers must link either their email address or their phone number to their Zelle account. Mr. Faunce did not have his Zelle account linked to his phone number. That allowed the scammer to claim Mr. Faunce’s number and attach it to his own Zelle account.
Then the thief instructed Mr. Faunce to send $500 to his phone number, assuring him that it would route the money right back into his own account. Instead, Mr. Faunce ended up sending money to the thief’s Wells Fargo account. The thief was able to sidestep the bank’s two-factor authentication process by asking Mr. Faunce to read out the verification codes that Wells Fargo sent to his phone.
It was only when the caller told him to repeat the procedure and send another $500, this time from his savings account, that Mr. Faunce got suspicious. He didn’t have that much in the second account. A genuine bank representative would have known that.
Another Wells Fargo customer, Julia Gibson, lost $2,500 to a similar scam in October. After she reported the fraud to the bank, it gave her a provisional credit for the lost cash. But in January, the bank abruptly rescinded the credit, sending her balance to zero and incurring overdraft fees. The bank had decided the loss wasn’t fraudulent.
“What was so frustrating about this whole thing was that the customer service rep I talked to told me so many people had been experiencing this,” Ms. Gibson said.
In their appeals to Wells Fargo, Mr. Faunce and Ms. Gibson cited the consumer bureau’s rules about fraudulent losses, but the bank repeatedly rebuffed them.
“There are certain indicators that we look for in the investigation to let us know that there has indeed been fraud on the account,” Wells Fargo wrote to Mr. Faunce on Feb. 23. “During the investigation, we were not able to find any of those indicators present and denied the claim.”
After The Times contacted the bank, it refunded Ms. Gibson.
“We are committed to following all regulations governing transactions,” said Jim Seitz, a bank spokesman. “We are actively working to raise awareness of common scams to help prevent these heartbreaking incidents.” He declined to discuss specific customer cases.
Other victims of fraud trying to recoup their money from banks have had better luck when citing the law.
Ken Page-Romer, a psychotherapist and author who lives in Long Beach, N.Y., had $19,500 taken from his account in November after he received spoofed text alerts and calls that appeared to come from Citigroup phone numbers. The bank initially denied his claims. At the urging of his husband Gregory, a financial adviser, Mr. Page-Romer wrote the bank a letter citing Regulation E, and sent copies to the police and banking regulators. Citi soon returned his stolen money.
“We encourage customers to be alert to suspicious messages that appear to come from Citibank,” said Drew Benson, a spokesman for Citi. “If a customer does receive such a message, we urge them not to respond, click on links, open attachments or sign on to their account from a link. They should immediately delete the message and contact us.”