by Dave Moore, 2-23-2020
Lately, I’ve been helping a local couple climb out of an identity theft hole. It is a serious, full-on identity theft situation, with the bad guys making off with many thousands of dollars. Since this column is all about helping you stay out of trouble, the next few columns will cover scams relating to identity theft, and how you can protect yourself.
One way the crooks stole money directly from my client’s bank account was using a so-called “peer-to-peer” Internet-enabled money transfer program called Zelle. A number of social engineering scams are used to bypass online security systems and facilitate this crime.
Zelle is a digital payments network owned by Bank of America, BB&T, Capital One, JPMorgan Chase, PNC Bank, US Bank, Citibank and Wells Fargo. Zelle touts itself as “a fast, safe and easy way to send money in minutes with friends, family and others you trust.” Many smaller local and regional banks have “features” like Zelle automatically enabled by default on all of their customers’ accounts. Is your bank one of them?
Bank customers are at fault because they do not learn how peer-to-peer money transfer programs actually work. Banks also are at fault because they do not effectively monitor and regulate money transfer programs, and do not properly educate their customers about the fact that, except in cases involving fraud, these money transfers are not “backed” by the bank.
There are many ways Internet crooks use Zelle to steal money. One scam works like this: (1) Crook knows the Victim’s name, phone number and bank name. Crook sends Victim a text message using Caller ID spoofing, which makes the text appear to come from the Victim’s bank.
(2) Victim gets a fake text that seems to come from Victim’s bank; it displays the correct name and number of the bank. The text says, “Unusual account activity has been detected. Reply “No” if it was not you.” Victim replies. (3) Crook calls Victim from “banks” phone number, and identifies himself as being with the bank’s fraud department. Crook asks Victim to verify their online banking username. Victim complies.
(4) While still on the phone, Crook visits Victim’s banking website. Crook enters the username Victim just gave him in the “Sign In” box and clicks “Forgot passcode.” Crook selects the “text me a temporary passcode” option. Bank texts the temporary passcode to the Victim. (5) Then, Crook tells the Victim, “Read me the code we just sent you.” Victim tells the Crook the temporary passcode the bank just sent them. Crook tells the Victim, “Thank you, we have confirmed your account. All is well.”
(6) Crook signs in to Victim’s bank account using the temporary passcode, sets up his own passcode, changes contact phone number and email to those he controls, turns off fraud alerts and sets up a Zelle account. (7) Crook proceeds to move money from the Victim’s bank account to the Crook’s account and disappears.
Banks will often blame their customer for the scam succeeding, and refuse to help. Few bank employees and even fewer bank customers know, however, that Zelle’s own website states, “If someone gained access to your bank account and made a payment with Zelle without your permission, and you weren’t involved in any way with the transaction, this is typically considered fraud since it was unauthorized activity… you are typically able to get your money back after reporting the incident.”
If you are a victim of a Zelle fraud scam, you should (1) Report the fraud immediately. Prepare a written affidavit stating you are a victim of fraud, have not authorized any Zelle money transfers, you have never used Zelle and that, until the present case, you didn’t even know what Zelle was. Get it notarized and give a copy to the bank. Then be prepared to wait. The bank has 10 days to investigate the situation. (2) Insist in writing that all Zelle and other peer-to-peer money transfer “features” associated with all of your accounts be disabled, not just the one initially victimized. Make sure the banks does this for all your accounts: checking, savings, investment, etc.
(3) Change your password, security questions and PIN numbers for all accounts. (4) Get detailed cell phone call records. These records can help prove your case.
(5) If the bank turns you down, ask for a written explanation. Request detailed information about how the transaction happened: who, what, where, when, how. Compare your phone records with the timeline of the scam for clues. What do they know that they are not telling you? Section 609(e) of the Fair Credit Reporting Act requires they give you this information within 30 days of your written request. Make sure they know you know this, and that you will contest the transaction.
Next week: cell phone hijacking, number porting and SIM card swapping.
Dave Moore has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.com