orange arrow

Why Fraudsters and Cybercriminals Love Zelle

Executive Summary

  • Zelle is a United States-based digital network offering an easy and quick way to send money directly between almost any US bank accounts. With just an email address or mobile phone number, a user can quickly send and receive money, regardless of where both parties bank.
  • Offering convenience and speed, Zelle has become quite popular. In Q2, over 170 million transactions were completed at a value of $44 billion, across 400+ financial institutions.
  • At the same time, Zelle has gained popularity among fraudsters and cybercriminals as a convenient and effective method of stealing funds from compromised bank accounts. The primary reason is speed. Zelle fund transfers are typically completed within minutes, making it nearly impossible to detect and disrupt transactions.
  • Accordingly, the ‘underground’ ecosystem of Zelle-related tools and services is expanding. For example, malware authors are developing tools to automate and scale fraudulent Zelle transfers, and mule network operators are increasingly offering Zelle accounts.
  • Financial institutions can deploy effective strategies to prevent fraudulent Zelle transactions, by: 1) proactively flagging compromised customer accounts that can be exploited, and 2) blacklisting Zelle mules.
Zelle - an Attractive Platform

Zelle is fast and easy to use. To transfer funds, the sender simply needs to provide the recipient’s mobile phone number or email. The transaction is typically completed within minutes (when the recipient’s email address or U.S. mobile number is already enrolled with Zelle). These factors – driving Zelle’s adoption with US consumers – are also fueling Zelle’s popularity with cybercriminals and fraudsters. After initiating a fraudulent transfer, the fraudster can expect to receive the funds within minutes. It is unlikely that the accountholder would detect the fraudulent transfer in real time, and even less likely that he or she can act quickly enough to suspend or cancel the transaction.

Consequently, cybercriminals and fraudsters that manage to gain unauthorized access to victims’ online banking account are increasingly “cashing out” through Zelle transfers. Often, cybercriminals add Zelle to accounts that have not previously activated Zelle . Our research suggests that some organized cybercriminal groups have shifted nearly 50% of their online banking fraud activities to Zelle, and that the average fraudulent Zelle transfer amount ranges between $500 to $2,000.

Fraudster seeking partners for Zelle “cash-outs” on an underground forum
Fraudster seeking partners for Zelle “cash-outs” on an underground forum.

Often, cybercriminals carefully study the victim’s Zelle transfer history – particularly the frequency and dollar range - in order to avoid triggering banks’ anti-fraud controls. For example, consider a victim who typically transfers between $1,000 and $2,000 twice a week via Zelle. The cybercriminals taking over the account would execute Zelle transfers in the same amount and frequency so as not to generate any unusual activity.

The Underground Ecosystem

The underground ecosystem of Zelle-related tools and services is expanding. Cybercriminal and fraud forums on the Dark Web are full of postings related to Zelle fraud schemes. By way of example, there is a growing number of mule operators offering a service to “cash out” stolen funds using Zelle. The “cash out” is done through so-called money mules – mostly unwitting mules - people recruited online for what they think is legitimate employment and unaware that the money they are transferring is a product of crime. Mule operators develop large networks of such mules, cashing out from hundreds of compromised accounts on a daily basis. The cash-out process is actually quite simple:

  1. A cybercriminal with access to a victim’s bank account initiates a Zelle transfer to the mule’s account.
  2. The mule then withdraws the funds at a bank branch or ATM, taking a certain percentage as compensation.
  3. The mule exchanges the remaining amount to Bitcoin, usually at a Bitcoin ATM, and sends the Bitcoin to the mule operator.
  4. The mule operator shares the Bitcoin proceeds with the cybercriminal based on a pre-determined split agreement.
Mule operator advertising Zelle “cash-outs” on an underground forum
Mule operator advertising Zelle “cash-outs” on an underground forum.

Malware authors have also taken note of Zelle’s popularity. Seeking ways to scale and automate the process, leading Eastern European cybercriminals have been developing Automatic Transfer Systems (ATS) targeting top banks. ATS is a type of web-inject that not only steals the victim’s sensitive information (e.g. credentials to online banking), but also automatically executes a funds transfer from the victim’s account to a mule account. These new ATS modules are designed to automatically execute Zelle transfers from victims’ accounts. In addition, the ATS is configured to disguise the transaction from the accountholder by changing the balance and transaction information displayed when the legitimate accountholder logs in to his or her online banking account.

Recommendations for Financial Institutions

With Zelle and other instant payment platforms increasingly targeted and exploited by cybercriminals and fraudsters, financial institutions are facing greater risk of fraud and other financial crimes. To prevent illicit Zelle fund transfers, financial institutions can Leverage E-Crime Intelligence technologies to proactively:

  1. Identify compromised online customer accounts that may be exploited, and take immediate steps to remediate such accounts.
  2. Flag and blacklist known mule accounts associated with fraudulent Zelle activity.

 


 

About the Author

Dima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.