Above, a whimsical image from the website for Zelle, a multi-bank app that let's you "send money as easy as pie" via your phone. It can be prone to scammers.
By John F. Wasik, RealClearInvestigations
July 31, 2019
It’s never been easier to send money around the world in a flash. Fintech apps such as Venmo, PayPal and Zelle allow millions of people to send billions of dollars across the Internet without having to wait for checks to clear or electronic funds transfers to be approved.
Just as the ATM largely replaced in-person cash withdrawals from banks, fintech apps should dominate conventional personal banking as digital commerce writ large is expected to grow to a $6 trillion industry by 2022, estimates Experian, a large credit reporting and marketing firm.
Yet instantaneous money transfers have their drawbacks. Since the fintech industry is barely regulated, it doesn’t have the same protections as hyper-regulated mainstream banking. That could open the door to fraud and more identity theft as millions move online for financial services.
Some two in five consumers worldwide have experienced a “fraudulent event online at some point in their lives,” according to the 2019 Global Identity and Fraud Report by Experian.
Big banks were slow on the fintech draw, as phone-based money transfer apps such as Venmo and PayPal took the country by storm when it came to transferring cash. But the seven largest banks joined forces and gained the advantage with the launch in 2017 of Zelle Pay, an app with the potential to grow to 100 million customers if all the banks’ account holders were to sign up. In 2017 alone, Zelle handled $75 billion in transactions, twice the amount transferred by Venmo.
Instantaneous person-to-person money transfer (or “P2P”) apps eliminate the need to get cash from a check, teller or ATM, often saving days of processing time. They were a $66 billion business last year and are expected to become a $134 billion business by 2022, according to SuperMoney.com, a provider of online financial resources.
But a downside is quickly coming into focus. Although reliable numbers are not available, hundreds of complaints about scamsters stealing money have been posted online and more have been filed with federal agencies.
Gerry Morrison, a graphics programmer in the Los Angeles area (we’ve changed his name at his request), noticed earlier this year a “spammy text message” about a $500 money transfer through Zelle. Since he hadn’t signed up for the service, he ignored it at first and “didn’t even know what it was.”
Yet someone had used the service to steal $500 from his bank account, so he asked his bank to investigate. The institution locked his account for a week while it probed the matter. Fortunately, the bank reimbursed him for the theft, although it never offered an explanation as to how it happened.
Morrison surmised that the money was transferred by a person who didn’t even know his bank password. “Someone was able to set up a Zelle account and steal the money through a link,” he said.
The Consumer Financial Protection Bureau, which regulates consumer banking, showed only a handful of complaints about Zelle on its consumer complaint database. But the low number could be because the lightly regulated fintech industry is growing so fast that legislation and regulation are lagging far behind consumer demand and acceptance. The bureau did not answer a request for more information.
When money is stolen via app transfers, not everyone is made whole in part because fintech protections fall short of those in conventional banking, such as federal deposit insurance, even though the apps are still subject to CFPB rules.
Zelle users with bank accounts linked to its network enter their email and phone numbers and can send money to anyone else with the Zelle app. But as the example of the stolen $500 illustrates, even those who have not signed up with Zelle may be scammed. “Criminals — potentially using stolen online banking credentials or credential stuffing attacks — add a cellphone they control to the user’s profile, then send money to the hacker’s account,” consumer advocate Bob Sullivan found. (Apparently, hackers have discovered how to access fintech accounts without passwords, although they can also use stolen credentials to gain access.)
“After the hacker’s mobile number is added to the bank account,” Sullivan said, “the banks’ confirmation code to verify the transaction is misdirected to that fraudulent number, and the hacker confirms the transaction. So once the account is compromised, a fraudster is able to transfer money out of the account.”
Money transfers can also be transacted with surprisingly little information and little or no confirmation protection, as is required with a bank electronic funds transfer.
Stephen Rouzer, an attorney with the National Consumer Law Center, said he got a notification about a year ago that someone he didn’t know sent him $1,000 via the Zelle app.
“I called my bank, who told me they couldn’t help beyond suggesting I change my online account login and password,” Rouzer said. “I called Zelle and was again told they couldn’t help me — Zelle suggested calling my bank. The next day the sender called me, said he mistyped the phone number and asked me to send the money back. I explained to him that I would, ultimately, but that I had to be sure it wasn’t a scam. I assumed he could have me send him $1,000 and somehow stop payment or reverse charges on the original $1,000.
“About two weeks later the sender called and said he had received a letter from his bank,” Rouzer continued. “He sent me the letter and it stated that the bank could not help him because they determined he initiated the transaction willingly and that there was no evidence of fraud. Upon seeing the letter, I sent $1,000 back to him through Venmo and deleted my Zelle account.”
The upshot, according to Rouzer: “There was no harm done to me, but the sender was out the $1,000 for two weeks, as was the intended recipient. Had I decided to keep the money, both banks and Zelle would not have been willing to help the sender.”
Since banks are largely eliminated as middlemen, P2P also tends to eliminate another layer of security. As scams go, the way P2P fraud works is simple: Say you wanted to buy concert tickets advertised online. The seller then asks that you pay through Zelle, instead of PayPal or Venmo. You transfer the money to the seller, assured that Zelle is backed by major banks.
Then the seller keeps your money and immediately shuts down his account and vanishes – providing no tickets and no refund from the fraudulent transaction. “He disappeared,” writes a poster on Reddit after being fleeced. “Phone off, no responses to email, nothing. Email doesn't come back with any social media results (although I sent him a tracking link that he opened the next day.) Phone number seems equally fruitless.”
A Zelle spokesperson, Meghan Fintland, would not estimate how many fraudulent events have been reported or tracked by the company. “Sadly, fraudsters use stolen credentials from data breaches and phishing scams to take over bank accounts,” Fintland said. “When a fraudster gains access to an account, a number of tools are at their disposal to remove funds.
“But Zelle offers protections like send limits and real-time alerts to help the consumer flag unauthorized activity,” she added. “Since Zelle sits inside the bank app, it is subject to multi-factor authentication and other security layers that financial institutions (FIs) impose on their digital channels.”
Zelle is also trying to get out in front of the fraud problem, suggesting precautions via a blog and video. “When using Zelle,” the company said in a statement, “consumers should only send money to people they trust. They should treat it like cash. Because once they authorize a payment to be sent, they can't cancel it if the recipient is already enrolled in Zelle. Why? Because money moves quickly -- directly into the recipient's bank account typically within minutes.”
Transactions through Zelle are covered by the Electronic Funds Transfer Act, also known in the industry as “Regulation E.” It is policed by its chief regulator, the CFPB. But the legal protections are murky and enforcement is uncertain. The law may consider a scam transaction a “pre-authorized” transfer. When the tickets aren’t delivered and the money is in the hands of the scamster, for example, the law may inadvertently protect the fake seller. After all, the money was willingly sent by the buyer, although the consumer had no idea it was a fraudulent transaction.
“A lot of people don’t even know to complain to the CFPB,” says Lauren Saunders, associate director of the National Consumer Law Center in Washington, D.C. “In the case where people send money to a third party – say for tickets advertised on Craigslist – banks claim you `authorized’ the transfer,” added Saunders, whose advice is “don’t use these systems unless you’re 100% sure of the person on the other side of the transaction.”
How bad is the money transfer problem? It’s hard to tell. The Office of Comptroller of the Currency, the main regulator of large banks (assets of $10 billion or more), reported a total of 111 EFTA complaints from 2014 through 2018, according to a Freedom of Information Act request filed on April 11.
Overall, last year the comptroller’s office received some 17,000 complaints, down from 38,000 in 2013. But that tally is for mainstream financial products ranging from credit cards to mortgages. The majority of complaints the agency received still involved checking accounts and credit cards. In the semi-annual report issued to Congress by the CFPB in 2018, the government stated that only 3% of its consumer complaints involved money transfer services. Moreover, if a complaint doesn’t trigger enforcement action, which it rarely does, “information concerning the violation is confidential and therefore is not available to the public due to the supervisory nature of this information,” a spokesman for the comptroller's office stated in the FOIA response.
“I don't have any idea how many incidents there are,” Sullivan adds. “I hear from people constantly who are in this situation. People are getting screwed and told by the banks there's nothing they can do. Consumers don’t need to take no for an answer; they do have Reg E protections.”
This and all other original articles created by RealClearInvestigations may be republished for free with attribution. (These terms do not apply to outside articles linked on the site.)
We provide our stories for free but they are expensive to produce. Help us continue to publish distinctive journalism by making a contribution today to RealClearInvestigations.
Support RealClearInvestigations →
