Accounts Drained By Zelle Smishing Scam

Accounts Drained By Zelle Smishing Scam featured image

By: Jim Stickley and Tina Davis

From time to time, scammers come up with a new tactic using new technology, new events, or whatever they can to continue tricking us into giving up our personal or confidential information. Over the past few years and with the increasing use of texting and SMS messaging, a newer one in the bag of tricks has been coined as “smishing.” Because it’s text, it often catches people off guard and causes them to react quickly, which is exactly what you shouldn’t do.

Often, various scams arrive via the data service on a smartphone. However, it can also be iMessage, which is the text messaging service that Apple uses over WiFi. But whatever the app is called, the term applies to any type of text messaging, including What’sApp, Facebook Messenger, and other chat programs.

Phishing is a method cybercriminal used for decades to try to dupe people out of information, and if they are really successful, login credentials or payment card details. Often, phishing comes via email and includes a link or attachment that when clicked, leads someone to fill confidential information into a form or install malware that steals data off the device. Researchers at Experian found that adults from 18-24 send over 2,022 text messages per month from their mobile devices for an average of 67 per day! That’s valuable information for the cyberthief just waiting to cash in. In a recent scam, users are sent a text message that appears to be from their financial institution attempting to confirm a Zelle transaction. However, that phone number is spoofed by the cybercriminal. A message might say something like “Did you attempt a Zelle Payment of < some amount>? Reply YES or NO or 1 to stop alerts.”  In other cases, the text may want the user to confirm identity by reading or sending back a supposed code. If the user replies, money is transferred directly out of their account to the scammers.

While phishing and even smishing have been around a while, there is a recent scam that intends to steal money using the newer digital payment services, such as Zelle.

Zelle, launched in 2017, is often embedded into banking apps and links to a user’s banking account. It allows members to send money to other people instantly. All it takes is an email address or phone number. In 2019, the company reported that users of the service transferred $119 Billion.

Federal regulations require financial institutions to reimburse customers whose money is fraudulently stolen from an account. But that doesn’t mean it’s no risk or no cost. The financial institutions incur costs for every fraud that often gets passed onto the members and customers. Therefore, it’s to everyone’s benefit to avoid becoming a victim of these types of scams in the first place.

  • If you don’t know the sender, aren’t expecting a message with a link or attachment, or just aren’t sure a link is safe to click, don’t click it. Instead, contact the sender independently of the received message and ask about it.
  • Don’t react quickly to any message, whether text, voice, or email that threatens something bad may happen if you don’t. Take a breath. Go to your financial institution’s website or app and log in there. Never click links in messages for financial related details.
  • If you don’t initiate the phone call to your financial institution, don’t send information. Instead, log in to your account using the app or the banks official website and check on your accounts. Making a quick phone call using a number you find or know also works. Don’t use information sent to you in unsolicited messages.
  • Remember that financial institutions do not ask you to verify or update details via text or email. Go directly to the official app or website to do this.
  • It’s not rude to just not reply to suspicious emails or texts. In fact, it is recommended you do just that.
  • Report fraud via smishing to the FCC. There is a form on the agency’s website. This helps the FCC combat these types of crimes and potentially protect others.

A few other common smishing scams include the following:

  • A text message arrives that appears to be from the target’s financial institution requesting that a link be clicked that will go to a website to address and resolve an issue with the account or payment card. If it’s clicked, malware is installed and email address, contact list information, and other data is stolen.
  • A text message claims the user signed up for some sort of service and will be charged unless a link is clicked. The result is again malware getting installed and data stolen from the device.
  • The user is sent a text claiming he or she has won a prize of some sort. Often, it’s a gift card. A link must be clicked to claim the prize. The link directs to a website where personal information is requested, but the victim never gets the prize, of course. Instead, the information is used for spamming or efforts to steal additional information such as financial account credentials.
Disclosures