Payment solution ‘Zelle’ is exploited in fraud within banking apps

January 5, 2022

Experts have recently studied one of the most common ways threat actors withdraw money from their victims’ stolen bank accounts and empty their funds. The study covers the peer-to-peer payment solution app called “Zelle,” which several banks and financial institutions use to send cash to others quickly, and how it is exploited to perform fraud and phishing scams.

Initially, threat actors who run phishing scams blast text messages to their victims, telling them about a fund withdrawal transaction from the Zelle app. The victims are asked to reply either “yes” or “no” to the text message, which they do not know is a phishing text. After a while, a threat actor pretending to be a staff member from the anti-fraud department of the victim’s servicing bank calls the victim to discuss the said transaction.

The caller asks for the victim’s online banking username, claiming they need it to verify the victim’s identity. Afterward, they ask the victim to read aloud a code sent to the victim’s phone, a one-time password (OTP), which they use to access the victim’s bank account and drain their funds.

Upon gaining access to the victim’s bank account, threat actors will change it and use the Zelle payment solution app to transfer out and steal all the money stored in it.

Experts said that the threat actors only need the OTP to perform the fraud. Moreover, the victims who were attacked had not even heard of the Zelle payment solution app.

Several banking and credit institutions offer Zelle as part of their online services. Although members are not required to use Zelle as an integrated payment solution within their servicing banks, many of them have already been targeted by fraudulent scams. Experts added that threat actors prefer Zelle because of the speed of its fund transfer transactions.

The payment solution app has attempted to combat these fraudulent activities by launching an out-of-band authentication process with real transactions by the clients. However, threat actors have already found ways to evade this layered security as well.

Customers who fall victim to these frauds might think that their banks insure their lost funds, but that is not the case, and most of these victims are left disappointed at not being able to get their lost money back.

However, another expert said that victims can assert their right to have the stolen funds refunded by their banks with the help of Regulation E, which states their entitlement to a refund. The victims are also advised to send their banks the link to the constitution if they refuse to offer a refund.

For now, all mobile banking app users are strongly advised to be vigilant when accepting calls and instructions from suspicious people, especially if they request sensitive details such as a username and OTP.
