Beware of Zelle transfer scams

As we have said many times before, falling for a scam can happen to the best of us. And it can ruin lives. In our podcast How a scam hunter got scammed, scam hunter Julie-Anne Kearns talked about how she had been duped by people pretending to be from HMRC, which is the UK’s version of the US Internal Revenue Service (IRS).

This week in the New York Times crime reporter Michael Wilson, who has covered many scams during his career, almost fell for a scam that used a spoofed telephone number from Chase Bank. Michael’s story sounded vaguely familiar to us because we reported about something similar back in 2022.

The scam is a prime example of how social engineering is used to talk victims out of their money.

Michael received a call, seemingly from a Chase bank branch. The caller even invited him to Google the number and pointed out which branch he was “calling from.” The scammer claimed that fraudulent Zelle transfers had been made to and from a bank account in his name, even though Michael had never opened an account with Chase.

The initial scammer gave Michael a case number and put him through to “his supervisor.” This man asked Michael to open Zelle.

Zelle is a popular US peer-to-peer payment service that allows users to send and receive money quickly and securely directly from their bank accounts using just an email address or mobile phone number.

Where it says, “Enter an amount,” the “supervisor” instructed him to type $2,100, the amount of the withdrawals he said he was going to help reverse. In another field the scammer wanted Michael to enter the 10 digits of the case number. This triggered Michael’s spidey senses—it looked suspiciously like a phone number:

“This case number sure looks like a phone number, and I’m about to send that number $2,100.”

At that point the scammer gave him a 19 character code to put in the “What’s this for?” field, telling Michael it was needed for his team to be able to reverse the transaction.

But that didn’t calm down the spidey senses and Michael asked the question that will scare most scammers away. He proposed to meet in person and settle this. The scammer tried to persuade him by saying it might be too late by then, but Michael persisted and said he’d call back.

Only then did he realize the scammers had him on the hook for 16 minutes before he managed to break free.

“I should be able to spot a scam in under 16 seconds, I thought — but 16 minutes?”

Michael found that several others had been approached in the very same way. The “supervisor” is an element that provides legitimacy to the call and makes people feel like they’re talking to actual bank employees.

And once they have you filling out forms and writing down long codes, they have turned you from a critical thinker into a person with a mission to fulfil.

For completeness’ sake, Michael went to the bank office and asked for the two employees he’d allegedly spoken to. No surprise they didn’t work there, but someone who did work there recognized the scam and said she’d heard the story many times before and actually knew about a few people that lost money to these scammers.

How to avoid Zelle scams

There’s several aspects of this attack common to many others which may indicate a fraud attempt.

• They don’t want you to call the bank back. If you do this, the scam falls apart because their number is spoofed. A genuine member of staff would have no issue with you calling them.
• Pressure tactics. If a bank calls you out of the blue and claims that they’re powerless to stop something without your assistance, be very cautious. Is your bank really unable to perform a basic banking action?
• Knowing your date of birth, address, and other information doesn’t mean the caller is genuine. They may have obtained the data from a phish, or a security breach.
• Referencing third party payment apps may be another red flag, especially if they talk about a platform you’ve not used before.

Zelle transfers are instantaneous and almost impossible to reverse. And neither banks nor Zelle are liable for fraudulent payments, so a refund is highly unlikely. So, be extra careful when using Zelle.

Did you know, you can use Malwarebytes Scam Guard for this kind of situation as well? We tested Scam Guard with some details from the NYT story and it correctly identified it as a known scam, asked some follow up questions, and provided a clear set of recommendations.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!