3/8/22 PLEASE READ THIS SPECIAL ALERT SENT OUT TO BANKS FROM THE MASS BANKERS ASSOCIATION:
Fraud Alert: Zelle and Online Banking Platforms
Mass Bankers has recently heard from member banks about fraud schemes utilizing sophisticated vishing[1] tactics to compromise consumer accounts. According to these institutions, bank customers are receiving spoofed phone calls with the bank’s name and/or main phone number, typically in the evening or at night. The fraudsters are then using social engineering tactics to lessen the customer’s concerns by stating that they are calling to help mitigate potential fraud and requesting the customer provide online banking credentials including the username, password and multi-factor authentication codes received by text.
Once the fraudster gains entry to the customer’s online banking, they can initiate peer-to-peer (P2P) payments (most typically using Zelle), intra-bank transfers, EFTs and even – in some cases – wire transfers. In addition, the fraudsters sometimes initiate debit card transactions first. Card transactions have been noted as originating from Texas and retailers such as Kroger and Walgreens. The fraudsters know that real-time fraud prevention will initiate automated phone calls to the consumers to verify these flagged transactions and they preempt the automated calls by first calling the bank customers themselves and advising them to respond favorably to the subsequent automated phone calls by marking them as “no fraud”. Once this is achieved, our members have observed several POS transactions running through impacted consumer accounts.
This is challenging fraud to mitigate, but Mass Bankers recommends educating both staff and customers about fraud, social engineering and vishing tactics through outreach, internal training, email, social media, and website channels.
The Consumer Financial Protection Bureau (CFPB) issued FAQs on unauthorized transactions and P2P in June 2021 with some amendments and updates made recently in December as well. These FAQs are available here. The FAQs are not regulation, and these instances of fraud should be considered on a case-by-case basis to determine your institution’s financial liability.
1. "Vishing" is defined as the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers.
Be wary of giving personal information over the phone, by email and over the internet, unless you have initiated the contact. There are a number of telephone and telemarketing scams out there.
To learn more about ways to shield yourself from becoming a victim, click here.