Zelle Fraud: You Ain’t Seen Nothing Yet…

If you live in the US, you probably already use Zelle.

Zelle is super awesome. It's sleek, real-time, and allows you to pay instantly to anyone with an email or phone number directly from your bank account - with zero commission.

And it also attracts criminals like bees to honey.

Banks that have launched Zelle – ranging from the very Top 5 US banks to small credit unions - report highly targeted fraud campaigns and an adaptive race with clever cybercrime rings who are quick to respond to new controls. In fact, by now Zelle fraud is the single most growing area of account takeover fraud in the US banking sector.

Three types of deployment

Not all Zelle flows were born equal. The usage of Zelle can be divided into three:

Stand Alone Zelle app – this is the mobile app available for direct download by consumers. The app, produced by Early Warning Services, is one of the top 5 financial apps by user ranking. EWS has various fraud controls, but they only apply to those users who use the app directly.

Online/Mobile Banking: while there aren’t any public stats, it’s likely that a vast chunk if not the majority of Zelle traffic is generated not through the stand-alone app, but rather through online and mobile banking services in which the Zelle enrollment and payment flows are embedded.

This is the case of the big national banks: they offer Zelle to their customers as a new tab within online or mobile banking. As the user enrolls to Zells and make money transfers, the back-end fulfillment is then done using the EWS rails via secure APIs. Fraud controls are done by the bank.

Zelle via P2P providers: the big P2P money transfer providers now also offer Zelle functionality to banks. In this scenario a user would log into the bank’s website or mobile app, but when they ask to enroll to Zelle or make a payment, they’re taken to the P2P money transfer provider’s pages – so the bank loses visibility into the user’s actions, and relies on the P2P provider’s controls.

Some banks that rely on third parties to fulfill Zelle enrollment and payments report that those P2P providers struggle with keeping the lid on Zelle fraud, and are therefore currently implementing strong Pre-Zelle controls in order to have better risk management.

Another motivation for those controls is being able to increase daily / trx limits for the Zelle transfers, especially in the current Corona virus outbreak prevening people from using checks or cash transfers. Those controls focus on the login sequence and the activities before and after making the Zelle interaction.

Social Engineering at its Best

Many banks targeted by Zelle fraudsters already experience the cutting edge of social engineering attacks. Phone number spoofing, robocalls and personalized text messages are already widely deployed.

Finally, it’s important to equip the call center with some visibility into what’s going on within the online/mobile banking app. If a Zelle enrollment or payment in the online banking channel was suspicious and blocked, the criminal may immediately take their chances with the call center.

A bay-area FI suffered a targeted attack in which members received a personalized fraud alert via text message. The text included the real victim’s name, warned about a possible fraudulent transaction, and asked the user to confirm whether it was valid. Those that responded got a phone call using a number spoofed to look like the real bank’s contact center number. They were asked for their user ID which was “verified”; in fact the criminal quickly went through a password reset process and asked the victim to read out loud the one-time-code sent to reset the password. Armed with a set of new credentials, they logged into the victim’s mobile banking account; at this point the user is already locked out of their account. The criminal enrolled to Zelle, asking the user to provide a second one-time code, and then went ahead and made payments of a few thousands of dollars from the victim’s account.

Another bank, one of the Top 5 Retail banks, launched Zelle a few years ago. One late Friday afternoon in September it experienced a massive social engineering attack against its users. Customers were tricked by the criminal to share their credentials, allowing them to enroll to Zelle and then make real-time payments.

The bank was quickly to react, using behavioral biometric analysis to single out the criminal actions. The fraudsters had very unique behaviors: their login patterns and up-and-down scrolling methods were different than those of the regular user in each account; they were not familiar with personal data of the payees that were set up; and they showed a remarkable familiarity with the Zelle enrollment flow - something normal people have to navigate through for the first time. The bank was able to deflect most of the attack, saving about $200k in just a single weekend. The bad guys decided not to waste more time there, and went to attack other banks.

The Dos and Don’ts

Retail Banks in the US have been fighting online banking ATO (Account Takeover) for over a decade, but never in real time. Responding to Zelle fraud, which is always real-time, is therefore a new challenge.

The typical knee-jerk reaction to a rapid escalation in fraud would be quite similar to the initial response the banking sector had to the wave of phishing campaigns some 15 years ago: add controls, add warnings, and generally add friction. But tightening controls, lowering transactional limits and placing stark warnings in the online banking site - generally elevating the friction level with the real users – is a short-lived measure that leads to counterproductive results.

Fraudsters adapt fast to any new control, try out new social engineering story lines, and have an enormous bag of tricks that was proved useful in many international online fraud campaigns – things such as malware, remote access tools, and various tools and methods to increase the effectiveness of their social engineering and make it more scalable. The real users that are hit by elevated friction, however, often feel cheated and frustrated by experiencing a sub-optimal digital journey, and may revert to other payment forms or using the call center.

As a general rule, it’s better to prepare for something as significant as launching a new digital payment vehicle by adding invisible layers of visibility into the user’s journey. These controls are harder for criminals defeat as they need to guess what exactly is being monitored and analyzed.

It’s also important to monitor adjacent user flows, not just the immediate danger zone of Zelle enrollment and payments: login, password resets, email and phone changes are all quite important to analyze.

Finally, it’s important to equip the call center with some visibility into what’s going on within the online/mobile banking app. If a Zelle enrollment or payment in the online banking channel was suspicious and blocked, the criminal may immediately take their chances with the call center.

So - stay safe, and prepare yourselves for Zelle attacks. For cyber criminals, it's the most interesting game in town.