Fraudsters continue to target members of credit unions offering Zelle by using a sophisticated scam to defeat 2-step authentication (also referred to as out-of-band authentication), which leverages the use of one-time passcodes. In a new twist to this scam, fraudsters are defeating out-of-band authentication with transaction details, which Zelle introduced to help curb the fraud.
Credit unions offering Zelle started reporting large fraud losses in 2019 as a part of a sophisticated scam targeting their members. Fraudsters continue to target members of credit unions offering Zelle by using a sophisticated scam to defeat 2-step authentication (also referred to as out-of-band authentication), which leverages the use of one-time passcodes.
Here’s how the scam works:
- Fraudsters send text alerts to members – appearing to come from the credit union – warning members of suspicious debit card transactions.
- Fraudsters call those members who respond to the text – spoofing the credit union’s phone number – and claim to be from the credit union’s fraud department.
- To verify the identity of the member, the fraudster asks for the member’s online banking username and tells them they will receive a passcode via text or email and the member must provide it to the fraudster. In reality, the fraudster initiates a transaction, such as the forgot password feature, that generates a 2-step authentication passcode which is delivered to the member.
- The member provides the passcode to the fraudster who uses it to log in to the member’s account using a device not recognized by the host system.
- Upon logging into the accounts, fraudsters change the online banking passwords and then use Zelle to transfer funds to others.
Note that fraudsters prefer to target Zelle due to the speed in which the transfers are made (minutes versus hours or days); however, the fraudsters have targeted other vendor P2P products offered by credit unions.
Please contact us immediately if you get a call or text message with a warning of suspicious debit card transactions using Zelle.