The Zelle / P2P fraud scam is widespread and has been making local and national news as the social engineering tactics used by fraudsters continue to evolve. A newer version of the scam has fraudsters, impersonating a Zelle user’s financial institution, conning the user into using Zelle to transfer funds to themselves using their mobile phone number under the guise that it will replace funds stolen from their account. However, the Zelle transfers end up going to the fraudsters.
The Zelle / P2P fraud scam continues to result in large fraud losses for credit unions. Fraudsters continue to target members of credit unions; however, they’ve adapted to a newer version of the scam that has made headlines across the country.
Here’s how it works:
- Fraudsters send text alerts to members appearing to come from their credit union asking the users if they attempted a large dollar Zelle transfer.
- The thieves immediately call the users who respond ‘NO’ by spoofing the credit union’s phone number and claiming to be from the fraud department.
- The scammers tell the members to recover the stolen funds they must use Zelle to transfer the funds to themselves using their mobile phone number, but before doing so, the fraudsters instruct the members to disable their mobile phone number associated with their Zelle account.
- When the fraudster links the member’s mobile phone number to the fraudster’s Zelle account, a 2-factor authentication passcode is generated and sent to validate the mobile phone number. The text message containing the passcode is actually sent to the member’s mobile phone, however, the fraudster cons the user into providing the passcode over the phone.
- The fraudster activates the mobile phone number on their Zelle account.
- Members are instructed to Zelle themselves the funds.
- The Zelle transfers actually go to the fraudsters.
Credit unions should deploy a real-time fraud monitoring system and educate their members about this scam to prevent fraud and losses.