Zelle: Instant Payments = Instant Fraud
- Digital payments like Zelle are becoming more and more popular
- Fraud via digital payments is near-instantaneous, making it almost impossible to stop
- Banks often do not or cannot return digitally stolen funds
Digital payments are becoming more and more popular. You can pay for that haircut or pizza almost instantly with the touch of a button on your iPhone. Certain retailers encourage it as well; this week Starbucks is offering a free reusable cup if you order or reload your account via PayPal.
Zelle, in particular, is growing in popularity. It's speedy and easy to execute, and becoming a verb ("Just Zelle me...").
On the other hand, "speedy and easy to execute" comes with a price. As reported in the New York Times:
Zelle’s immediacy has also made it a favorite of fraudsters. Other types of bank transfers or transactions involving payment cards typically take at least a day to clear. But once crooks scare or trick victims into handing over money via Zelle, they can siphon away thousands of dollars in seconds. There’s no way for customers — and in many cases, the banks themselves — to retrieve the money.
Take the case of the unfortunate Justin Faunce:
Justin Faunce lost $500 to a scammer impersonating a Wells Fargo official in January and hoped that the bank would reimburse him. Faunce was a longtime Wells Fargo customer and had immediately reported the scam — involving Zelle, the popular money transfer app.
But Wells Fargo said the transaction wasn’t fraudulent because Faunce had authorized it — even though he had been tricked into transferring the money.
Faunce was shocked. “It was clearly fraud,” he said. “This wasn’t my fault, so why isn’t the bank doing the right thing here?”
The Payment Contrast
In the case of a check transaction, a bank must make the first $225 from the deposit available, for either cash withdrawal or check writing purposes, at the start of the next business day after the "banking day" that the deposit in question is made. The rest of the deposit should generally be available on the second business day. That period of time offers an account holder time to make an inquiry and challenge a charge.
Credit cards are more generous with their time frame, with the Fair Credit Billing Act stating that you must report fraudulent charges within 60 days of receiving the billing statement containing the suspicious charge.
This "cushion" does not exist in the digital world of P2P payments. Transactions and transfers are near-instantaneous.
The banks are aware of the widespread fraud on Zelle. When Faunce called Wells Fargo to report the crime, the customer service representative told him “a lot of people are getting scammed on Zelle this way.” Getting ripped off for $500 was “actually really good,” Faunce said the rep told him, because “many people were getting hit for thousands of dollars.”
Wells Fargo later sent him a note saying it did not consider his loss to be a fraudulent one.
Treat Zelle Transactions As If They Were Cash
Even cases of outright theft are treated much differently than traditional payment avenues like cash, checks, and credit cards. Take the case of Bruce Barth. In late 2020, Barth was hospitalized with COVID-19, and his phone was stolen from his hospital room. A thief made short work of getting access to his digital wallet: he ran up charges on his credit card, took out cash at an ATM, and used Zelle to make three transfers totaling $2,500.
The results?
All three accounts were at Bank of America, of which Barth has been a customer for more than 30 years. When he filed fraud reports, the bank quickly refunded his cash and credit card losses. But it denied his claims for the Zelle thefts, saying the transactions were validated by authentication codes sent to a phone that had been previously used for that account. Bank of America was essentially saying that the Zelle transactions were authorized — even if his phone was stolen.
Barth was livid. “I filed grievances with every agency I could get my hands on, locally and nationally,” he said. “Every response I got was useless.”
It should be stated that the Zelle network is operated by -- ironically -- Early Warning Services, a company created and owned by seven banks (Bank of America, Capital One, JPMorgan Chase, PNC, Truist, U.S. Bank, and Wells Fargo). This has led to the impression that banks are not willing to shield victims of digital transactions from fraud.
Peter Tapling, a former executive at Early Warning who is now a payments consultant, said banks haven’t done enough to educate customers about the risks of Zelle. He suggested that customers treat Zelle as they would cash. “Don’t hit the button to send this money unless you would hand this person $100 and walk away, because the moment you send it, it’s gone,” he said.
Fortunately, last year the Consumer Financial Protection Bureau issued detailed guidance to banks regarding the kinds of fraudulent losses they’re required to repay. The regulator made it clear that banks must reimburse customers for losses on transfers that were “initiated by a person other than the consumer without actual authority to initiate the transfer” -- including those who obtain a victim’s device through fraud or robbery. However, it doesn’t address who is responsible for a fraudulently induced transfer if the customer hits the buttons by accident or by trickery.
Safeguarding in a "Digital World"
With the growing popularity of P2P payments such as Venmo and Zelle, it is important that users safeguard themselves. Once a bad actor gains access to your accounts, they have access to your funds immediately. There are practical measures to take, such as ensuring your phone is locked and not saving passcodes for your account on the phone. Once that transfer is made, you can essentially kiss the money goodbye, so denying access is key for consumers.
On the backend, banks need to deploy better safeguards for their customers. One key will be threshold limits -- perhaps set by the user in the settings of their account, or even at the bank -- where a transfer of funds over a set limit will not only need prior authorization but will also take a full business day to go through. While this seems to go against the idea of instant money transfer, it attacks one of the biggest reasons that bad actors are targeting the payments platform.
Additionally, Zelle should be taking a page out of the check and credit card payment fraud playbook, deploying new technologies like AI and machine learning to understand the behaviors of their users. If a transaction is made to an unknown user for a large amount, this should immediately set off a flag. While authorization for the transaction is sent to the users, this is not particularly useful, of course, if the user's phone is compromised.
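The two backend controls described above (a threshold that delays a transfer by a business day, and a flag on large transfers to a recipient the account has never paid) can be sketched as a single decision function. This is an added example, not code from Zelle or any bank; the names `Account`, `hold_limit`, `new_payee_limit`, `evaluate` and `settle` and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

@dataclass
class Account:
    hold_limit: Decimal          # transfers above this are delayed (user- or bank-set)
    new_payee_limit: Decimal     # what counts as "large" for a never-paid recipient
    known_payees: set = field(default_factory=set)

@dataclass
class Decision:
    action: str                  # "instant" or "hold"
    release_at: Optional[datetime]
    reasons: list

def next_business_day(ts: datetime) -> datetime:
    """Same clock time on the next weekday (bank holidays are ignored here)."""
    ts += timedelta(days=1)
    while ts.weekday() >= 5:     # 5 = Saturday, 6 = Sunday
        ts += timedelta(days=1)
    return ts

def evaluate(acct: Account, payee: str, amount: Decimal, now: datetime) -> Decision:
    reasons = []
    if amount > acct.hold_limit:
        reasons.append("over_hold_limit")
    if payee not in acct.known_payees and amount > acct.new_payee_limit:
        reasons.append("large_transfer_to_unknown_payee")
    if reasons:
        # A held transfer stays cancellable until release_at. Confirmation should
        # not depend on a code sent to the initiating phone, which may be stolen.
        return Decision("hold", next_business_day(now), reasons)
    return Decision("instant", None, reasons)

def settle(acct: Account, payee: str) -> None:
    """Call once a transfer completes so the payee counts as known next time."""
    acct.known_payees.add(payee)

if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    acct = Account(Decimal("1000"), Decimal("250"), {"landlord@example.com"})
    friday = datetime(2024, 3, 1, 15, 0)
    for payee, amt in [("landlord@example.com", "900"),
                       ("stranger@example.com", "500"),
                       ("landlord@example.com", "1500")]:
        print(payee, amt, evaluate(acct, payee, Decimal(amt), friday))
```

A transfer held on a Friday afternoon is released the following Monday at the same time, which gives the account holder the same kind of window to challenge it that checks provide.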
In a digital world where near-instantaneous transactions are desired -- and expected -- effective fraud detection should be integral as well.