Webinar Recap: How to Protect Your Institution from Zelle Fraud

Feb. 3, 2020 | by BioCatch

Around the globe, faster payments are becoming the norm. Peer-to-peer (P2P) payment systems, like Zelle, allow users to make instant payments using email or their mobile phone. While the convenience of a real-time digital payment network is undeniable, the inherent fraud risks must be acknowledged.

In a recent BioCatch webinar, our Chief Cyber Officer, Uri Rivner, explained how cybercriminals are staging massive Zelle fraud campaigns using a clever mix of social engineering and technical infrastructure.

Listen in to the full webinar discussion to learn more about fraud in the era of faster payments, or continue reading for the key takeaways. 

Zelle, the Consumer, and Faster Payment Fraud

Zelle is accessible through two main channels. Users can download the standalone Zelle app to send and receive money after attaching it to their bank account. They can also access the payment network through a bank app, as banks commonly embed Zelle within their systems. 

No matter how users deploy Zelle, the risk of real-time fraud is high. Before faster payments, there was a lag between the time of a transaction and when funds reached an account, giving fraud teams additional time to detect suspicious transactions. Now, the window for detecting fraud has shrunk to what can be detected in the moment, as a transaction is underway. In some cases, fraud levels have tripled as criminals took advantage of banks that were unprepared for the shift.

The Anatomy of a Zelle Fraud Attempt

How, exactly, are criminals attacking major banks and credit unions through payment networks like Zelle? Their typical approach is a combination of social engineering, robo texting, and phone spoofing. 

Here’s an example of how an attack could unfold:

  1. To begin an attack, the fraudster obtains the name of the account holder and their phone number. Personal information like this is readily available for sale on the dark web.
  2. A robotext sends a message to the potential victim, appearing as a legitimate message from a bank. It could read: “Fraud transaction was spotted. If you did not make it, reply to this text.” 
  3. The customer replies to the text. 
  4. The fraudster then calls the victim from a spoofed number, which appears as a bank’s number, so as to raise no red flags. The call starts like this: “Can I verify your username?” 
  5. The victim complies. Now armed with their username, the fraudster can access the victim's online banking and initiate a password reset, triggering an one-time password (OTP) as two-factor authentication (2FA). 
  6. The victim provides the OTP to the fraudster, who then resets the account password and locks the genuine user out of the account. 
  7. From there, the fraudster can enroll in Zelle and transfer money to their personal accounts. 

The results can be devastating to end users, with some attacks costing them thousands of dollars as fraudsters drain their accounts. In a similar scenario, a woman lost $1,500 after a scammer posed as a representative from her bank.

Best Practices for Safely Launching Zelle

While cybercriminals are heavily targeting Zelle, the banking industry is working to defend itself against real-time payment fraud. Whether you host your own Zelle pages, use a third-party vendor to fulfill payments, or plan to launch Zelle in the next year, there are preventive measures you can take to protect your assets.

From risk management to TRX monitoring to beneficiary analysis, there are a plethora of tools you can arm your institution with to limit fraud. One of the best ways to limit real-time fraud is through behavioral biometrics, which can detect real-time anomalies in user behavior. 

Behavioral biometrics analyzes data entry patterns — like mouse tactics, mobile swipe patterns, and keystrokes — to detect fraud while it is happening. Because there are clear differences between how a normal user and a fraudster navigate within an app, the technology can identify suspicious activity and sends alerts to a fraud team. For example, while a normal user will swiftly input their credentials, a fraudster may excessively delete information during a single session because they are unfamiliar with the correct details.

As we mentioned in our blog “2020 Predictions: 10 Cybercrime and Fraud Trends to Expect in the New Year,” we believe Zelle fraud will escalate quickly, leaving users vulnerable as levels surge. For the full scoop on Zelle fraud, what the banking industry is doing to defend itself, and how BioCatch can help secure seamless online experiences, watch our full webinar on-demand.

Topics: Payments