P2P/Zelle Fraud – Warning to Members
Fraudsters continue to use advanced/evolved tactics to defraud account holders of funds. Read this important article to learn how to avoid falling victim.
P2P (person-to-person) fraud is a common attack used by criminals to attempt to scam account holders to use electronic means to send and receive money using popular services, such as Zelle. Quest Federal Credit Union does not actively participate or integrate with the Zelle platform, but member/owners should be aware that attackers could use one of many services to perform this scam. The scam is widespread and has been making local and national news recently. Social engineering tactics are used to impersonate a financial institution, such as Quest FCU, via text messages. The scam involves the fraudster impersonating Quest FCU and encouraging the account holder to provide their mobile phone number under the premise that they will be replacing funds “stolen” from their account. However, the funds are transferred out of the accounts to the fraudsters.
These fraud scams result in large losses for the financial institution, banks and credit unions together. In addition, these fraud losses cause impact to members. Credit Union members continue to be targeted; there have been adaptations and changes to the tactics used to perpetuate the criminal activity.
Here’s How It Works:
- Fraudsters send text alerts to users – appearing to come from their financial institution – asking the users if they attempted a large dollar Zelle transfer.
- Fraudsters immediately call the users who respond ‘NO’ by spoofing the FI’s phone number and claim to be from the FI’s fraud department.
- Fraudsters tell the users the Zelle transfers went through, but the funds can be recovered.
- Fraudsters tell the users in order to recover the stolen funds they must use Zelle to transfer the funds to themselves using the users’ mobile phone number, but
before doing so, the fraudsters instruct the users to disable their mobile phone number associated with their Zelle account.
Note: Fraudsters may have previously opened an account at the user’s FI (likely using a stolen identity) and establishes Zelle through the online or mobile banking channel linking the member’s mobile phone number to Zelle.
- When the fraudster links the user’s mobile phone number to the fraudster’s Zelle account, a 2-factor authentication passcode is generated and sent to validate the mobile phone number. The text message containing the passcode is actually sent to the user’s mobile phone; however, the fraudster cons the user into providing the passcode over the phone. (The text containing the passcode has the FI’s name which explains why fraudsters open a fraudulent account at the user’s institution.)
- The fraudster enters the passcode to activate the mobile phone number on their Zelle account.
- Users are instructed to Zelle themselves the funds.
- The Zelle transfers actually go to the fraudsters
Here’s What You Need to Know:
- Don’t share your information with anyone contacting you via SMS/text message or over a phone call. If you have questions, hang up or disregard the message and contact Quest FCU directly!
- Don’t be pressured into providing information if you’re not comfortable!
- Don’t be pressured into using electronic services, such as Zelle, CashApp, Venmo, or other transfer services, if you’ve never used them before or are not comfortable with them!
- Don’t be afraid to use these electronic services, but be cautious and enable all available security measures, such as two-factor/multi-factor authentication, strong passwords, and be cautious of all requests to send money.
- Don’t hesitate to reach out to Quest FCU if you have questions!
Some information materials provided and used from CUNA Mutual Group RISK Aler Publication.