Launched in 2017, Zelle has quickly become the most popular Peer-to-Peer (P2P) payment app in the United States. The application is run by Early Warning Systems, LLC, a company that is owned and operated by several of the largest banks in the U.S. Last year, consumers and businesses sent 1.8 billion payments and nearly half a trillion dollars using Zelle.
In only five years, the word Zelle has made it into our daily lexicon as many of us have found ourselves saying, “I’ll Zelle you the money for dinner.” However, as popular as Zelle has become as a staple in our daily financial lives, it has also become a favorite among fraudsters who celebrate its ease of use and lightning speed at which money is sent and received.
As relayed in a recent New York Times article, the number of Zelle scams being committed is escalating at a frightening rate. Zelle fraud often takes the shape of social engineering attacks—a fraudster impersonates a government authority, a romantic interest, or bank representative (to name a few examples)—and tricks the victim into sending money directly from their bank account to an account controlled by the fraudster.
According to Javelin Strategy & Research, P2P payment fraud grew 18% from 2020 to 2021 with an estimated 18 million Americans scammed using P2P applications. It’s no longer a question of whether or not Zelle fraud is a problem, it’s a question of whose problem it is to solve. Customers who are defrauded by criminals in a Zelle scam believe they should be reimbursed by their banks, who traditionally take the responsibility for protecting customer funds. Banks, however, are free to take the stance that responsibility lies with the customer, as customers personally authorize the transactions being made in this type of scam, not knowing they are being scammed.
Why Zelle and Why Now?
The weakest link in any bank’s security is the customer. Regardless of how many security controls are put into place, customers will always be vulnerable to attacks, especially ones that revolve around social engineering. Between that and the speed at which Zelle transactions take place, Zelle scams are difficult to prevent. The features that make Zelle valuable to customers, both usability and immediacy of a funds transfer, also make it valuable to scammers.
It’s important to note that this isn’t a new problem, but one that continues to grow nonetheless (we covered Zelle fraud scams in October of 2021). Moreover, scams on the whole are a decidedly old problem—Zelle fraud is just the latest flavor. Scammers’ methods are always changing, but they aren’t going to lose their taste for stealing any time soon. Scams are hard to detect and stop but harder is for consumers to figure out how to get their money back.
Legality versus Humanity
The crux of the current debate lies on who should take responsibility for the fraudulent payments occurring through Zelle. Clearly, fraud is illegal, and the criminals might get caught and some of the money might be regained that way, but that type of resolution could take months if not years. And that is assuming the perpetrators can even be caught and there’s a way to get the money back, both of which are unlikely. Which means responsibility for solving the problem in real time falls on either banks or their customers.
What does the law say about Zelle scams?
Legally speaking, there’s little recourse for holding banks accountable. In the UK, authorized payment scams have become such a problem that they outpaced card fraud for the first time raising alarm within the industry to take action. UK banks have been operating on a voluntary code of reimbursement for a few years, but many have felt it is not doing enough. For example, in 2021, less than half of victims were reimbursed under the code. More recently, UK regulators have promised amendments to current legislation that would require banks to reimburse customers of authorized payment scams.
In the U.S., regulators are starting to pay more attention to the problem. In response to the growing number of consumer complaints, on April 29, 2022, Senators Elizabeth Warren and Robert Menendez put a spotlight on the issue by writing a letter to Early Warning’s CEO demanding answers around the extent of fraud in the Zelle ecosystem, their refund policies and if Regulation E applies to scams seen on Zelle. While Regulation E requires banks to reimburse customers for unauthorized transactions on their accounts, there are currently no protections for consumers in the event of authorized payments resulting from scams.
Following the letter, there are rumblings in the press around the Consumer Financial Protection Bureau (CFPB) taking a look at how banks can do more to protect consumers from being scammed.
Adding to the pressure financial institutions are facing, several class action lawsuits have been filed against many of the largest banks. The basis of many of these lawsuits is that banks failed to do enough to protect customers from fraud on the Zelle P2P network, thus advertising that it is a secure platform to send and receive money is false. The merit of the cases has come into question, with some dropped before the ink even dried on the initial filing, but the negative headlines and media coverage still stand to cause reputational damage to the banks.
What do customers expect after being scammed?
The customer side of the issue is dominated by a sense of betrayal. Zelle scams can cause massive financial and emotional damage—losing large sums of money because a criminal convinced them to make a transaction. Then, they go to their bank looking for a resolution only to realize that it is not that easy to get a refund.
According to a 2022 Aite-Novarica report, only 6% of banks reimburse all scam claims. If they reimburse customers at all, they do it on a case-by-case basis. Banking is a business built entirely on trust, and trust crumbles when customers are given no way to undo the damage done by a scam. The feeling of betrayal becomes magnified when they learn that Zelle is operated by the same banks that are claiming they have no responsibility for the problem on the grounds that customer authentication counts as an independent decision, even when it’s a decision made under duress or without full understanding of what the other person’s intentions are.
The bottom line
The heart of this issue is the fact that, in a Zelle scam, the customer physically authorizes a fraudulent payment. Customers trust banks with their money with the expectation that their funds will be kept secure, but banks aren’t legally or contractually bound to help in a scenario where a legitimate account holder authorizes a payment that turns out to be a scam.
Financial Institutions: Don’t Zelle Your Soul
For financial institutions, proactive solutions are a must to preserve trust and remain responsive to the needs of customers. Financial institutions are ultimately the custodians of customer capital, and they have a responsibility to do all that they can to protect the customer. Furthermore, this isn't a problem that can be ignored. The money that gets stolen from scam victims is often used to fuel more crime like human trafficking or even terrorism. The tools exist to help prevent this issue, and financial institutions should be using them.
The role behavioral biometrics can play in stopping Zelle fraud
Protecting customers from Zelle fraud requires being able to detect a scam in real-time, before the victim transfers money to a criminal. During an active scam, a user will behave differently than they typically do when engaging with a banking or payments app. Behavioral biometrics is a technology that gathers data on how users behave while using an app or in an online session and can be used to distinguish between usual, genuine and unusual or criminal activity. In the case of Zelle fraud, behavioral data can be used to flag suspicious activity as it happens.
BioCatch’s solution is also capable of telling the difference between a user that’s making a standard transaction and one that’s under duress and likely being targeted by an active scam. Behavioral biometrics helped a top 5 U.S. bank stop an account takeover attack using Zelle. Their success shows that there is a proven method to help stop Zelle scammers in their tracks.
BioCatch adapts as quickly as fraudsters do
BioCatch’s scam detection model can be trained and deployed in a new client’s system within a couple of weeks. The reason behavioral biometrics is effective at solving this problem is because behavior can’t be spoofed or faked. Credentials can be stolen, and skilled fraudsters can trick customers into giving up OTP codes, but they can’t change the way their victims behave online. And there are very clear behavioral differences in an online session where a customer is being scammed.
Where do we go from here?
The best way to solve the Zelle fraud problem is for financial institutions to get ahead of it and implement technologies and processes that can be used to prevent social engineering scams. The tools are available right now for the taking. Financial institutions that don’t address these scams will continue to drive customers away and put more money in the pockets of people who are trying to do harm.
Want to explore more? Check out a recent videocast, The Faces of P2P Fraud: Zelle Abuse and Other Common Scams or download the latest Aite-Novarica research report, On the Precipice of the Scampocalypse.