Zelle and Other Payment Services are Target of Scams

Mar 5, 2018, 16:36 PM by Nuvision Credit Union 

Nuvision has received reports of a scam involving Zelle, a digital payment service backed by many of the largest banks in the country that allows users to send and receive money. The scam involves fraudulent activities known as pretexting, vishing and SMS (i.e. text message) social engineering attacks. Mostly, however, the sophisticated scam relies on the victim to let their guard down and takes advantage of what appears to be genuine communication from a legitimate bank.

How the scam works

The latest funds transfer scam is based on a first-hand account of fraud in action (edited for brevity and clarity):

I was at a bar with a friend. Two drinks in I got a call and the number on my phone appeared to come from my bank. I'm aware the number could be spoofed, but it did not raise alarm bells yet. I was at a new bar and have gotten calls from my bank previously to confirm charges that were outside of my typical spending pattern, so I answered expecting this to be the case.

The person I spoke with said they were from my bank and identified fraudulent charges on my account, but needed to verify my identity before they could discuss details. They said they sent me a text message (via the cell number they just called) and asked me to read back the 6-digit number to verify my ID.

I read the number. The person on the phone suggested the text timed out and I needed to confirm another text. Only a few minutes had passed since I received the text, which seemed a little suspicious, but I still was not concerned enough to ask questions, so I read a second 6-digit code.

The person on the phone then read off five recent charges on my account, four of which I recognized and a fifth that was a $1,000 charge to a credit card I did not own. I immediately identified this as a fraudulent charge and the voice on the other end said, "no prob dude, we'll freeze your card and send you a new one". They even gave me the last four digits on the card it was coming from, so everything still sounded legitimate at this point.

Finally, the person with whom I was speaking said he sent one final 6-digit code to confirm the $1,000 credit back to my account for the fraudulent charge.

At this point things seemed weird, but they got me at a good time. I had already had a couple of cocktails, I was interrupted while meeting with a friend I hadn't seen in months, and I was outside trying to avoid the noise inside the bar and dealing with traffic noise from the street. I read the final code and the person thanked me and hung up.

Everything was not OK

After getting off the phone, the victim could point to no serious red flags or telltale signs of fraud:

  • Request for personal identifying information, such as login, password, Social Security number, bank account number, etc.;
  • Text messages or emails with bogus or suspicious links;
  • Request for payment; or
  • Errors or misinformation.

Unfortunately, after getting off the phone, panic set in:

My phone had been vibrating throughout the call. I had four emails from my bank:

1. Your user name has been reset;
2. Your password has been reset;
3. Welcome to Zelle!, an awesome $$$ forwarding service; and
4. You've just forwarded $1,000!!!!!

I called my bank using the number on the back of my card. After holding 45 minutes to speak to the fraud department, I started to tell my story only to have the call drop. I called back and was on hold for over an hour to talk to a second person (my account had been compromised for more than two hours by this time). My bank representative told me this was a scam they've been dealing with for three months. He said I had to visit a branch and show two forms of identification to deal with the issue, and there was nothing more he could do tonight.

I have a unique password for every website I log into and use 2-factor authentication when possible, so I thought I was safe. I wasn’t.

Here’s what happened

Instead of a legitimate call, the scammer spoofed the bank’s phone number (i.e. tricked the phone into displaying a bogus caller ID). Using the name of a major bank, it was only a matter of time before the scammer connected with a customer of that institution. At that point, while on the phone with the victim, the cyber thief executed the scam.

| Pretext | Scam | Actual Use |
| --- | --- | --- |
| Verify identity | Asked victim to read the 6-digit code | Reset the victim’s online banking user name |
| First text message expired, so needed to resend a second code | Asked victim to read the 6-digit code | Reset the victim’s online banking password |
| Verify recent charges | Asked the victim to verify four recent charges and one charge that hadn’t occurred (yet) | Convince the victim that the call is legitimate (because they had access to real charges) and that there was one fraudulent charge, which needed one more text-message confirmation to reverse |
| Confirm refund of fraudulent $1,000 charge | Asked victim to read the 6-digit code | Authorized a $1,000 transfer to the criminal |

The victim had to visit a branch office, endure the embarrassment of telling his story to the banker, and beg for access to his account because someone else had control since the previous evening.
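The four emails in the account above (user name reset, password reset, Zelle enrollment, first transfer) form a sequence an institution can watch for on its side. The following is an added example, not code from the original post or from any bank's systems: it flags accounts where a credential reset is followed by payment-service enrollment and a transfer inside a short window. The event names, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event names; a real core-banking log will use its own.
RESETS = {"username_reset", "password_reset"}
FOLLOW_UP = ["p2p_enrollment", "p2p_transfer"]  # must follow a reset, in this order
WINDOW = timedelta(minutes=30)                  # assumed correlation window

# Constructed sample events: (timestamp, account, event kind).
SAMPLE_EVENTS = [
    ("2018-03-01T19:02:10", "acct-1", "username_reset"),
    ("2018-03-01T19:05:42", "acct-1", "password_reset"),
    ("2018-03-01T19:11:03", "acct-1", "p2p_enrollment"),
    ("2018-03-01T19:12:30", "acct-1", "p2p_transfer"),
    ("2018-03-01T09:00:00", "acct-2", "password_reset"),
    ("2018-03-03T14:00:00", "acct-2", "p2p_transfer"),
]

def find_takeover_chains(events, window=WINDOW):
    """Return one alert per account whose events match reset -> enrollment -> transfer."""
    by_account = defaultdict(list)
    for ts, account, kind in events:
        by_account[account].append((datetime.fromisoformat(ts), kind))

    alerts = []
    for account, items in by_account.items():
        items.sort()  # chronological order
        for i, (start, kind) in enumerate(items):
            if kind not in RESETS:
                continue
            stage = 0
            # Walk forward from this reset, staying inside the window.
            for when, later in items[i + 1:]:
                if when - start > window:
                    break
                if later == FOLLOW_UP[stage]:
                    stage += 1
                    if stage == len(FOLLOW_UP):
                        alerts.append({"account": account,
                                       "first_reset": start,
                                       "transfer": when})
                        break
            if stage == len(FOLLOW_UP):
                break  # one alert per account is enough to place a hold
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print("hold and review:", alert)
```

A match is a reason to hold the transfer and contact the member through a channel the institution initiates, not proof of fraud on its own.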

Sophisticated scam

This scam used several sophisticated deceitful techniques. According to the National Credit Union Administration’s Fraud Prevention Center:

  • Pretext – a con where the criminal tricks a victim into handing over the very information that will be used to steal their money, their personal information, or their identities. That is, criminals use a bogus pretext to obtain personal information under false pretenses.
  • Vishing – phishing by voice exploits a general trust in landline telephone services. The victim is often unaware that voice over Internet Protocol (VoIP) allows for caller ID spoofing, thus providing anonymity for the criminal caller.
  • SMS attacks – Phishing via SMS, or SMishing, uses cell phone text messages, or SMS (Short Message Service), to trick you into providing personal and financial information.

How should you protect yourself?

You should always be wary of calls from anyone who asks for any type of personal or financial information. Although the victim in this case didn’t give away any personal data, he did provide the 6-digit code in each of the text messages. That allowed the criminal to gain access to his online banking account, where he could then read off recent charges and fool the victim into thinking the call was legitimate.

In this instance, the victim should have hung up and called the number on the back of his credit or debit card.

If you receive a similar call:

  • Don’t confirm any information, such as a text message you may have received.
  • Don’t confirm your name, your bank or any other personal or financial data.
  • Hang up so that you can call your financial institution directly.

Nuvision provides its members with access to Popmoney®, which makes it easy to directly send money to any personal bank account in the U.S. Nuvision recommends that you only use Popmoney® to pay and receive money from people you know.

Stay safe, use common sense, and if you have any doubts whether a call is legitimate, hang up and contact your credit union directly.

Stay connected

To stay on top of Nuvision alerts and information related to fraud and identity theft protection, financial and data protection, and cybersecurity, check our Fraud Protection blog or follow Nuvision on Facebook and Twitter to receive updates when new articles are published.