Fraud has been plaguing Bank of America and Zelle customers for weeks.
The scam has also seen mainstream media coverage, with customers unable to reclaim the money they lost to cybercriminals.
ABC7 Chicago: "A widespread scam is targeting Bank of America and Zelle customers. Imposters claiming to be from the bank tricking consumers into sending them money through Zelle."
This week, Ken Otsuka of CUNA Mutual Group discusses the fraud process and the weaknesses inherent in the current Zelle system that allow this scam to occur.
We heard from other cybersecurity experts on the danger of the Zelle scam, why payment apps can lead to widespread fraud, and what can be done to mitigate scams and stop cybercriminals in their tracks.
Rajiv Pimplaskar, CRO, Veridium:
“The proliferation of P2P (Peer To Peer) and PSPs (Payment Service Providers) is the result of the payment industry-wide shift to online, which offers more flexibility and choice for customers but is also facilitating growth channels for money laundering and fraud. Consumer fraud is rapidly adapting towards transactions, with fraudsters developing insidious new ways to target vulnerable individuals. The expanded attack surface is also stressing the fault lines and gaps in the banking system's traditional AML systems (Anti Money Laundering) and customer authentication methods.
Passwords are inherently the weakest link in the chain. Because they are inherently “phishable”, through social engineering, brute force guesswork or coercion, they can enable MITM (Man In The Middle) attacks that can bypass traditional checks and balances and are responsible for more than 80% of all incidents. Complex passwords are hard to remember, are often stored in plain text and reused, further compounding the problem.
Consumer finance institutions and e-commerce sites should mandate passwordless authentication methods based on W3C and FIDO standards. Such solutions create a strong binding between the end user and their FIDO2 authenticator making it impossible for a 3rd party to misuse. Also, these solutions are easier to use and improve customer satisfaction.”
Saryu Nayyar, CEO, Gurucul (she/her):
“Despite widespread publicity of the scams involving the Zelle money transfer service, hackers continue to use social engineering to break into accounts. While the results aren’t in the range of the millions of dollars that ransomware attackers are demanding, individual losses can easily be in the thousands.
Hackers are calling Zelle users, posing as representatives of Zelle or the underlying bank, and tricking them out of providing the user name of their account. With the user name, they change the password in real time, giving them the data necessary to hack the account.
Social engineering represents one of the most common ways of obtaining personal information. The answer is to never, ever give out such information. While that’s easy to say, it’s hard to put into practice if someone is talking to you on the phone. But Zelle users need to resist the impulse to do so.”
Bill Lawrence, CISO, SecurityGate:
“This common example of social engineering implemented by savvy actors is a time-tested tactic. What I find interesting is when this approach is aimed at operational teams in traditionally “air gapped” critical infrastructure environments, signaling the importance of policies and training alongside technical solutions.”