Zelle and P2P fraud

Fraudsters continue to target members of credit unions offering P2P (e.g., Zelle) by using a sophisticated scam to defeat two-step authentication which leverages the use of one-time passcodes.

A smartphone scanning a QR code on another smartphone

Credit union members continue to be targeted in the Zelle/P2P fraud using a sophisticated scam to defeat two-step authentication which leverages the use of one-time passcodes. They are being scammed into providing online banking usernames and passcodes resulting in unauthorized electronic fund transfers (EFTs) from member accounts via Zelle/P2P.

Some credit unions have reported that they do not intend to re-credit members victimized in this scam because they voluntarily provided the fraudsters with their login credentials. Refusing to re-credit members victimized in this scam may violate Reg E.

Several credit unions have reported that the majority of the members targeted in the scam never used Zelle/P2P. One credit union reported that nearly 70% of the members targeted never used Zelle/P2P. To mitigate risk, require active rather than passive enrollment for Zelle/P2P. Members should be required to enroll for Zelle/P2P in person at a branch or through the call center, but only after members are properly authenticated.
An effective risk mitigation step is to adopt lower limits for new Zelle/P2P users. Several credit unions offering Zelle/P2P were hit with the scam shortly after introducing the service to their membership — many were hit in the same month in which they rolled the service out to their members. Introducing Zelle/P2P to the membership with lower daily limits will help keep initial fraud losses lower.

Credit unions should avoid automated overdraft transfers for Zelle/P2P transfers that overdraw member accounts.
Fraudsters, impersonating a credit union employee, scam the members into providing their online banking username to verify their identity. The fraudsters then use the usernames by targeting the “forgot password” feature, which triggers a 2-factor authentication passcode to the members. The fraudsters scam the members into providing the passcodes needed to reset the members’ online banking passwords allowing the fraudsters to log into the accounts. Blocking Zelle/P2P transfers for that occur immediately following a password reset for research is an effective control. These transfers should be confirmed with the members.
Use a real-time fraud monitoring solution with behavioral analytics that can identify password resets using a device not recognized, immediate enrollment in Zelle/P2P, and an addition of a new token.
Consider including a statement in texts and emails containing the passcode to remind members of the fraud potential.
Some credit unions have denied members’ Reg E claims of unauthorized electronic fund transfers (EFTs) using Zelle/P2P or unauthorized debit card transactions because the members voluntarily provided their login credentials or debit card information to the fraudsters. Refusing to re-credit members victimized in this scam exposes credit unions to lawsuits alleging violation of Reg E.

§1005.2(m) defines an unauthorized electronic fund transfer as “an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.” The commentary to §1005.2(m) clarifies that “an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through robbery or fraud.”

The Consumer Financial Protection Bureau (CFPB) issued Electronic Fund Transfers FAQs clarifying what constitutes an unauthorized EFT under Reg E.

The CFPB’s responses to questions 5 and 6 under the category, “Error Resolution: Unauthorized EFTs,” clearly indicate that consumers victimized in this type of scam are entitled to protection under Reg E and should be re-credited.