Targeting the Zelle

An article that flew under my radar was this one over on Krebs on Security wherein Brian Krebs explains Zelle scams. It's a fascinating breakdown of fraudsters anticipating how the system works and manipulating victims into bypassing Zelle's security. Here's the kicker: it's not about giving up your password.

An important aspect of this scam is that the fraudsters never even need to know or phish the victim’s password. By sharing their username and reading back the one-time code sent to them via email, the victim is allowing the fraudster to reset their online banking password.

Brian Krebs

Zelle, for those unfamiliar, is a platform developed by banks in order to compete with the likes of PayPal, Venmo, and Apple Cash. You can send and receive money from friends instantly. And because it's all through trusted institutions, the transfers are instant under certain amounts. Larger amounts may take a couple of days to clear, but it's still faster than a check. Meanwhile these scammers are working the system in order to get people to authorize transfers.

The gist: a bogus text message that looks legit triggers a spoofed phone call, and both appear to come from the bank. The caller tricks the victim into giving up their username and reading back the 2FA code sent to their phone. Side note: NEVER GIVE THOSE CODES TO ANYONE YOU DIDN'T CALL. From there, the fraudster is able to access the victim's account and initiate a Zelle transfer.
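Seen from the bank's side, the sequence described above (a password reset completed with a one-time code, followed shortly by a Zelle transfer) is a pattern that account monitoring can look for. The Python below is an added example, not something from Krebs's article or any bank's system; the event types, field names, 30-minute window and sample log are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema ("type", "auth", "new_payee") is an
# assumption for illustration, not a real bank's log format.
EVENTS = [
    {"ts": "2024-03-01T14:02:10", "user": "alice", "type": "otp_sent"},
    {"ts": "2024-03-01T14:03:05", "user": "alice", "type": "password_reset", "auth": "otp"},
    {"ts": "2024-03-01T14:06:40", "user": "alice", "type": "zelle_transfer",
     "amount": 950.00, "new_payee": True},
    {"ts": "2024-03-01T09:00:00", "user": "bob", "type": "password_reset", "auth": "otp"},
    {"ts": "2024-03-03T10:00:00", "user": "bob", "type": "zelle_transfer",
     "amount": 40.00, "new_payee": False},
    {"ts": "2024-03-02T12:00:00", "user": "carol", "type": "zelle_transfer",
     "amount": 20.00, "new_payee": True},
]


def flag_reset_then_transfer(events, window=timedelta(minutes=30)):
    """Return Zelle transfers made within `window` of an OTP password reset."""
    last_reset = {}  # user -> time of most recent OTP-based password reset
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "password_reset" and ev.get("auth") == "otp":
            last_reset[ev["user"]] = ts
        elif ev["type"] == "zelle_transfer":
            reset_ts = last_reset.get(ev["user"])
            if reset_ts is None or ts - reset_ts > window:
                continue  # no recent reset on this account: not this pattern
            alerts.append({
                "user": ev["user"],
                "amount": ev["amount"],
                "seconds_after_reset": int((ts - reset_ts).total_seconds()),
                # A first-time recipient right after a reset is the riskier
                # case: hold the payment instead of only queueing a review.
                "action": "hold" if ev.get("new_payee") else "review",
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_reset_then_transfer(EVENTS):
        print(alert)
```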

Typically, Zelle has been exempt from normal consumer protections based on its legal language. However, Krebs is quick to point out that victims ARE protected by CFPB regulations. In instances of Zelle fraud, the bank must restore the stolen funds.

It's another step in the cat & mouse game between banks protecting their customers and scammers finding clever ways to social engineer their way around those protections. Krebs has a good mantra to help avoid these: Hang up, Look Up, and Call Back.