As you may know, Zelle is a commonly used payment service offered by many banks and credit unions. This service is often offered by default to customers. Due to the rapidity and irreversibility of Zelle payments, scammers are targeting customers with bogus text messages, like the following:
Image courtesy of Krebs on Security
How it works, is that any response whatsoever will trigger a phone call from a scammer posing as a representative from the financial institution’s fraud department. The scammer typically uses a spoofed phone number, so victims believe the phone call is coming from their bank. Using the pretext of identity verification, the scammer asks for the victim’s username, and then asks the victim to read back a verification code the scammer sends. This verification code has been generated by the scammer after entering a victim’s username at the login prompt for the site and clicking “forgot password”. Using a victim’s username and the generated authentication passcode, a scammer can reset a victim’s online banking password and gain access to their account.
In response to this scam, Zelle began sending account holders whose passwords were reset text messages requesting payment confirmation. Scammers began keeping victims on the phone, telling them that their approval of this text message was required in order to reverse fraudulent charges.
Many financial institutions claim they are not responsible for reimbursing victims for such losses. To avoid these scams, if you receive messages or phone calls about fraud, hang up or don’t respond, and phone the financial institution using a trusted phone number to confirm.
Resource: