Zelle, the Banks’ Answer to Venmo, Proves Vulnerable to Fraud

Last June, Early Warning introduced Zelle. It is built directly into each bank’s mobile app, making the system easy to use for customers — or thieves who gain access to their accounts.

The scale of the problem is hard to pinpoint, because Zelle is fairly new and banks do not report much data about it. But banking analysts say they have seen some alarming incidents.

“I know of one bank that was experiencing a 90 percent fraud rate on Zelle transactions, which is insane,” said Genevieve Gimbert, a partner in PwC’s financial crimes unit. Most banks have strong authentication and fraud-detection controls for Zelle, she said, but some “just implemented it without any protections” like two-factor authentication and user-behavior monitoring.

Zelle said the problem was under control.

“There are very few incidents,” said Lou Anne Alexander, Early Warning’s head of payments. “When there is a problem, we and the banks are proactive. It’s not something we’re putting our heads in the sand about.”

Eighteen banks in the United States, including most of the biggest players, are using Zelle, and 70 more are in the process of setting it up. Collectively, they connect about half of the traditional checking accounts in the United States. Cash transfers within the network often take place within seconds — much faster than on most of its rival payment services. That has made it more difficult for banks to halt or reverse illicit transactions.

Security is a cornerstone of Zelle’s marketing campaign. In one TV commercial, Daveed Diggs, an actor and rapper known for “Hamilton” and “black-ish,” is encouraged to pay for playoff tickets through Zelle by another actor who raps: “You can send money safely, ’cause that’s what it’s for, and it’s backed by the banks, so you know it’s secure.”

But the system has had problems. Brian Kemm, a Bank of America customer in Pasadena, Calif., lost $300 because of a misdirected payment.

To transfer money through Zelle, the sender enters the recipient’s phone number or email address. Zelle is built on the assumption that each of those identifiers is unique to one person.

Last November, Mr. Kemm tried to send cash to his mother, Carol Kemm, who is also a Bank of America customer. He typed in the mobile phone number Ms. Kemm had been using for at least three years and hit “send.”

“She told me she didn’t get it, and my first thought was, ‘Mom, you’re not being very tech-savvy,’” Mr. Kemm said. “Eventually, after a few days, I realized it really didn’t get there.”

When he called Bank of America’s customer service line, he learned that the $300 had been transferred — to a JPMorgan Chase bank account, whose owner had registered the same phone number Ms. Kemm used. He said he was told that there was nothing Bank of America could do to get his money back.

Mr. Kemm filed a police report and a fraud claim with Bank of America. On Nov. 30, the bank sent him a reply: “Our records indicate that we initiated the transfer in accordance with your instructions. As a result, your account will not be credited for this claim.”

After being contacted for this article, Bank of America said it would refund Mr. Kemm.

“In general, in cases in which the mobile number was previously registered to another person and directed to that account, we’ll work with the receiving bank to reverse the transaction,” said Betty Riess, a bank spokeswoman.

Another Bank of America customer, Heather Pocorobba, went hunting on March 18 for tickets to a Justin Timberlake concert. On Craigslist, she found two good seats for $260. The seller suggested she pay with Zelle.

“I naïvely believed that since my bank uses it, the accounts must be connected to real people, with some sort of protection built in,” Ms. Pocorobba said.

As soon as she sent the cash, the seller stopped answering her text messages. She never got the tickets — or her money back. She reported the fraud to the police and her bank.

Continue reading the main story