Written by Dima Khrustalov
Zelle is fast and easy to use. To transfer funds, the sender simply needs to provide the recipient’s mobile phone number or email. The transaction is typically completed within minutes (when the recipient’s email address or U.S. mobile number is already enrolled with Zelle). These factors – driving Zelle’s adoption with US consumers – are also fueling Zelle’s popularity with cybercriminals and fraudsters. After initiating a fraudulent transfer, the fraudster can expect to receive the funds within minutes. It is unlikely that the accountholder would detect the fraudulent transfer in real time, and even less likely that he or she can act quickly enough to suspend or cancel the transaction.
Consequently, cybercriminals and fraudsters that manage to gain unauthorized access to victims’ online banking accounts are increasingly “cashing out” through Zelle transfers. Often, cybercriminals enroll Zelle on accounts that had not previously activated it. Our research suggests that some organized cybercriminal groups have shifted nearly 50% of their online banking fraud activities to Zelle, and that the average fraudulent Zelle transfer amount ranges between $500 and $2,000.
Often, cybercriminals carefully study the victim’s Zelle transfer history – particularly the frequency and dollar range – in order to avoid triggering banks’ anti-fraud controls. For example, consider a victim who typically transfers between $1,000 and $2,000 twice a week via Zelle. The cybercriminals taking over the account would execute Zelle transfers in the same amount and frequency so as not to generate any unusual activity.
The underground ecosystem of Zelle-related tools and services is expanding. Cybercriminal and fraud forums on the Dark Web are full of postings related to Zelle fraud schemes. By way of example, there is a growing number of mule operators offering a service to “cash out” stolen funds using Zelle. The “cash out” is done through so-called money mules – mostly unwitting mules – people recruited online for what they think is legitimate employment and unaware that the money they are transferring is a product of crime. Mule operators develop large networks of such mules, cashing out from hundreds of compromised accounts on a daily basis. The cash-out process is actually quite simple:
Malware authors have also taken note of Zelle’s popularity. Seeking ways to scale and automate the process, leading Eastern European cybercriminals have been developing Automatic Transfer Systems (ATS) targeting top banks. ATS is a type of web-inject that not only steals the victim’s sensitive information (e.g. credentials to online banking), but also automatically executes a funds transfer from the victim’s account to a mule account. These new ATS modules are designed to automatically execute Zelle transfers from victims’ accounts. In addition, the ATS is configured to disguise the transaction from the accountholder by changing the balance and transaction information displayed when the legitimate accountholder logs in to his or her online banking account.
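As an added illustration (not the author's or Q6 Cyber's code), the following Python scoring function runs over a constructed Zelle history for one account and shows why an amount-range check alone misses the mimicry described above, while first-time recipient, recent Zelle enrollment and weekly velocity still fire; the sample history, enrollment date, weights and threshold are all assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): one account's Zelle history as
# (ISO date, recipient, amount in USD). The account pays the same payee
# $1,000-$2,000 about twice a week, matching the article's scenario.
HISTORY = [
    ("2019-03-04", "rent@example.com", 1500.0),
    ("2019-03-07", "rent@example.com", 1200.0),
    ("2019-03-11", "rent@example.com", 1800.0),
    ("2019-03-14", "rent@example.com", 1000.0),
]
ENROLLED_ON = "2018-06-01"  # assumed Zelle enrollment date for this account


def score_transfer(history, enrolled_on, when, recipient, amount,
                   recent_enrollment_days=14):
    """Return (score, reasons) for a proposed transfer; higher is more suspicious.
    The amount check uses the account's own range, which a fraudster who studied
    the history stays inside, so the other signals carry the weight."""
    when = date.fromisoformat(when)
    score, reasons = 0, []
    amounts = [a for _, _, a in history]
    if not amounts:
        score += 2
        reasons.append("no prior Zelle activity on account")
    elif not (min(amounts) <= amount <= max(amounts)):
        score += 2
        reasons.append("amount outside historical range")
    if recipient not in {r for _, r, _ in history}:
        score += 3
        reasons.append("first transfer to this recipient")
    if 0 <= (when - date.fromisoformat(enrolled_on)).days <= recent_enrollment_days:
        score += 3
        reasons.append("Zelle enrolled within the last %d days" % recent_enrollment_days)
    if history:
        # Velocity: transfers in the trailing 7 days (including this one)
        # versus the account's usual weekly count over its whole history.
        dates = [date.fromisoformat(d) for d, _, _ in history]
        span_days = max(1, (when - min(dates)).days)
        usual_per_week = len(history) * 7 / span_days
        trailing = 1 + sum(1 for d in dates if 0 <= (when - d).days < 7)
        if trailing > 2 * usual_per_week:
            score += 2
            reasons.append("weekly velocity more than doubled")
    return score, reasons


def is_suspicious(history, enrolled_on, when, recipient, amount, threshold=3):
    # Decision wrapper: hold the transfer for review at or above the threshold.
    return score_transfer(history, enrolled_on, when, recipient, amount)[0] >= threshold
```

A transfer of $1,500 to a never-seen recipient scores 3 on recipient novelty alone even though the amount and cadence match the victim's pattern exactly; a freshly enrolled account with no history scores 8.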
With Zelle and other instant payment platforms increasingly targeted and exploited by cybercriminals and fraudsters, financial institutions are facing greater risk of fraud and other financial crimes. To prevent illicit Zelle fund transfers, financial institutions can leverage E-Crime Intelligence technologies to proactively:
About the Author
Dima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.