Several news stories report that a scam currently in circulation takes advantage of the money-sharing app Zelle, which is often turned on automatically for many bank accounts and does not require enrollment.
CBS 2 in Chicago reports hearing from several fraud victims who had funds vanish after fraudsters used this service to transfer money out of their accounts.
Security blogger Tom Eston explains how it works in the following post:
You receive a call that looks to come from your bank, even with the caller ID showing your bank name. If you answer the call, you’ll be told that your bank has detected fraud on your account and they can take care of the problem right now on the phone with you. You’ll then be asked to tell them a code that they had just sent you over text message. Just like that, you’ll receive the text message with the code, and when you repeat the code back to the caller, they will say all fraud charges have been reimbursed, and to have a nice day.
Minutes later, the scammer uses the verification code that you sent them to create a Zelle account and, within minutes, starts to drain your bank account, sending money to the attacker. In this case, the attacker has either already gained access to your online banking account or they are social engineering you over the phone so that they can gain access to your online banking account.
Because banks only offer protection for unauthorized Zelle transfers, the authorized payment—ostensibly by the account holder—is the consumer’s responsibility and the victim is liable.
“Banks should present consumers with more black-and-white warnings, such as an additional step to verify the recipient of the money or a clear-cut notification stating the transaction is irreversible,” said Bob Sullivan, a cybercrime expert, in a report on CBS 2.