43 votes

The great Zelle pool scam - All I wanted was a status symbol. What I got was a $31,000 lesson in the downside of payment apps.

39 comments

  1. [5]
    pallas

    It's odd that the author's first thought is to seek recourse from their bank, and largely seems to view the bank as at fault for 'losing someone's 30 grand' and not being willing 'to go in and extract our money and give it back to us'. The bank did not lose the $30k. No one 'stole $30,000 out of [their] Chase account', in any way that involved their account in a meaningful way. The author instructed the bank to send that $30k, over the course of a week, to two recipients, and the bank did, correctly. Zelle prominently notes, at least on my bank's app, that it is largely not reversible and should be treated like giving someone cash.

    By comparison, the author seems to have little concern about the actual security failures involved. If the emails actually came from the contractor's hacked account (I'm not sure I trust the author on this, rather than it being a misspelling / similar character trick), then surely it would make more sense to place some responsibility on either the contractor or their email provider's data security failures? If the email provider is so insecure that their accounts are easily and regularly hacked, then shouldn't that be seen as a problem, not some 'oh, those hackers and their dark web' thing to laugh about? If the contractor is regularly sending invoices through an account that is easily hacked, that isn't quaint and charming, it's a significant risk; their not knowing whether to use an article before the name of the payment system the scammers used seems completely unrelated, and it's not clear why the author sees this as fitting reason to redirect their ire back toward their bank, which had no security failure involved, or, apparently, cryptocurrency.

    Still, the author seems to have done almost everything wrong here. I note that the general tone of the introduction suggests that they had mostly communicated by phone with the contractor. They then received emails, with different writing, asking them to send money in a way specifically trying to work around their bank's transaction limits, to completely unfamiliar addresses that were clearly not the contractor's. Despite never being able to confirm the bill with their usual communication mechanisms, or anything other than the odd emails, they then sent $30k through a mechanism that specifically points out that it is not reversible. Then, a week after the first transfers, they wanted their bank to reverse them.

    This isn't a scam that relied on Zelle, or cryptocurrency. It's not a scam that is even dependent on new technology. In fact, despite their mockery of 'our own clueless elderly parents whom we make fun of because they are such naive morons', I can be reasonably confident that my grandmother in the US, in her 90s, would not fall for a scam like this, not because she is technologically proficient—she isn't—but because, perhaps because of the eras she grew up in, she is suspicious of exactly these sorts of situations, though usually just without the technology involved: she's always wary of whether an invoice she receives in the mail, or a call she gets, might be someone posing as someone else, asking her to pay somewhere other than usual, or even someone just trying to find out how she is making payments so they can intercept them. These sorts of scams have always existed. Even the laundering they describe just sounds like a slight adaptation of "your work-at-home job is that we'll send you checks to your name to cash, but then you'll withdraw cash / buy something / etc for us".

    The bank can of course presumably see which accounts the payments went to (eg, the intermediaries), and could provide that information to the police. Those accounts could be closed, and the account holders could be prosecuted. All of those things may well have happened in this case. But the money would have been gone by the time the author contacted the bank.

    In part, I think there might be a cultural shift in views around payments that took place in the US, and not elsewhere, because the US had such problematic and antiquated bank transfer mechanisms for so long, and developed alternatives that relied on banks covering fraud losses with fees and charges to merchants, or, in the case of checks, through trust, fraud detection, prosecution, blacklists, and simply covering them. While the rest of the world transitioned to more secure practices around payments, the US didn't, instead continuing to rely on fraud detection and trying to cover losses (not, I think, usually recovering them from the scammers). This gave the perception that bank payments were particularly reversible. Credit cards are probably particularly at fault here.

    Now, with the attempts to introduce something like modern bank transfers to the US, users assume that they behave similarly, when they don't. They're just payments. I don't think anyone in the EU would think it reasonable to expect a bank to reimburse them because they sent a SEPA transfer to someone, and a week later realized they shouldn't have.

    26 votes
    1. Protected

      If the contractor is regularly sending invoices through an account that is easily hacked, that isn't quaint and charming, it's a significant risk

      My brother was a victim in a scam exactly like this. A company that he was expecting to have to send money to sent him a large invoice via e-mail (from a legitimate company address, which is how this company usually sent invoices) and he paid them via wire transfer. It turned out the e-mail was forged and he was paying a malicious third party. I examined the communications involved myself and my personal conclusion was that the legitimate company was at fault, since their systems had 90s-level security. Their e-mails had no SPF or DKIM either. All their legitimate invoices were sent through a method that couldn't be proven to be authentic; there was no difference between doing business with them or with any random scammer from the perspective of the buyer. In the end, the company that should have received the payment ate the loss (and, hopefully, fixed their IT).

      This company was located in Spain.

      15 votes
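The point in the comment above, that mail without SPF or DKIM "couldn't be proven to be authentic", can be checked on the receiving side. This is an added example, not part of the thread or any participant's code: it reads the `Authentication-Results` header (RFC 8601) that a receiving gateway stamps on inbound mail and classifies constructed sample invoices. The gateway name `mx.recipient.example`, the sample domains and the strict same-domain alignment rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id of the recipient's own mail gateway. Only headers
# stamped by this host are trusted; anything else may have been written by the sender.
TRUSTED_AUTHSERV = "mx.recipient.example"


def domain_of(value):
    """Return the lower-cased domain of an address, or of a bare domain."""
    return value.rpartition("@")[2].strip("<>").lower()


def parse_auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Return (method, result, identity_domain) tuples from trusted headers only."""
    checks = []
    for raw in msg.get_all("Authentication-Results", []):
        # Unfold the header and drop parenthesised comments.
        value = re.sub(r"\([^)]*\)", "", " ".join(str(raw).split()))
        authserv, _, rest = value.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != trusted:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", clause, re.I)
            if not m:
                continue
            props = dict(re.findall(
                r"(smtp\.mailfrom|header\.d|header\.from)=(\S+)", clause))
            identity = (props.get("smtp.mailfrom") or props.get("header.d")
                        or props.get("header.from") or "")
            checks.append((m.group(1).lower(), m.group(2).lower(), domain_of(identity)))
    return checks


def classify(raw_message):
    """'authenticated', 'failed' or 'unverifiable' for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    checks = parse_auth_results(msg)
    # Simplification: strict alignment, i.e. the authenticated domain must equal
    # the visible From: domain (DMARC's relaxed mode compares organisational domains).
    if sender and any(res == "pass" and dom == sender for _, res, dom in checks):
        return "authenticated"
    if any(res == "fail" for _, res, _ in checks):
        return "failed"
    # spf=none / dkim=none, or no trusted header at all: a forged invoice and a
    # genuine one from this domain look the same to the recipient.
    return "unverifiable"


def sample(from_addr, *auth_headers):
    """Build a constructed test message (not real mail)."""
    lines = [f"From: {from_addr}", "Subject: Invoice 1042"]
    lines += [f"Authentication-Results: {h}" for h in auth_headers]
    return "\n".join(lines) + "\n\nPlease pay the attached invoice.\n"


# Constructed samples.
SIGNED = sample("Billing <billing@pools.example>",
                "mx.recipient.example; spf=pass smtp.mailfrom=billing@pools.example;"
                " dkim=pass header.d=pools.example")
NO_RECORDS = sample("billing@oldco.example",
                    "mx.recipient.example; spf=none smtp.mailfrom=billing@oldco.example;"
                    " dkim=none")
SPOOFED = sample("billing@pools.example",
                 "mx.recipient.example; spf=pass smtp.mailfrom=bounce@mailer.invalid;"
                 " dkim=none; dmarc=fail header.from=pools.example")
INJECTED = sample("billing@oldco.example",
                  "mx.sender.invalid; spf=pass smtp.mailfrom=billing@oldco.example")

if __name__ == "__main__":
    for name in ("SIGNED", "NO_RECORDS", "SPOOFED", "INJECTED"):
        print(f"{name:11s} {classify(globals()[name])}")
```

The `NO_RECORDS` case is the situation described in the comment: nothing fails, but nothing can be verified either, so the invoice has to be confirmed through another channel before payment.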
    2. [3]
      Greg

      I don't think anyone in the EU would think it reasonable to expect a bank to reimburse them because they sent a SEPA transfer to someone, and a week later realized they shouldn't have.

      That’s exactly how it works in the UK, thanks to some fairly recent legislation changes. Apparently Japan and South Korea use similar mechanisms. I’ve gone into detail above on why I think it’s necessary to make the entities with the power to combat fraud the ones responsible for that fraud - and beyond that, from a broad consumer point of view, I don’t really see why it’s unreasonable to expect bank transfers to operate under a similar framework to cheques or card payments?

      8 votes
      1. [2]
        Trauma

        Maybe as a receiver of bank transfers you don't want them to be reversible beyond say 48 hours so you can actually rely on them?

        3 votes
        1. Greg

          UK bank transfers aren’t reversible. Banks are obliged to either eat the cost (heavily incentivising them to take all steps to prevent fraud before it happens) or pursue fraudsters under wider legislation around account freezing for crime and money laundering in general, which to the best of my understanding would apply in the same way to suspicious cash deposits.

          6 votes
  2. [28]
    domukin

    Most of us probably feel like we’re unlikely to fall for a Zelle scam. Nonetheless, it is an interesting view behind the scenes into how some of these scams work. They are getting more sophisticated and unfortunately no one takes responsibility in cases of fraud.

    I think the timing of these targeted scams is of utmost importance, you’re unlikely to send large sums of money to strangers most of the time, but if a scammer pretends to be your real estate agent / contractor / etc while you’re expecting to pay for a service, then you could easily overlook the red flags.

    Once, I got a text message from my “bank” asking me to confirm a large purchase - which I had made earlier that day. I checked on the URL and it didn’t seem legitimate, so I called the bank and it turns out they hadn’t sent the message. I got very close to clicking it though because it felt like a legitimate time to receive such a message. The scammers in this article were messy (odd email addresses, typos on the invoice) but they nailed the timing and got the victims to send money several times without them giving it a second thought.

    27 votes
    1. [25]
      tape

      Man idk. If you're trying to pay someone that is already going to physically be at your house to do work and it is that amount of money, I would just pay with a cheque in person. It would be really hard to fall for this because 31000 is not a small amount of money and I'm not stupid enough to use anything called a payment "app" to do serious transactions. Next article is gonna be "I got scammed trying to pay my mortgage with cashapp and I don't know how" :|

      23 votes
      1. [14]
        Greg

        Why is it stupid? Serious question - I can see that the outcome was bad, but that’s only because of poor regulatory framework. I wouldn’t put it on the consumer to know that:

        • Electronic transaction mediated by a piece of paper: well regulated
        • Electronic transaction mediated by numbers on a plastic card: well regulated
        • Electronic transaction mediated by an app run by a consortium of major banks: sucks to be you, it’s the Wild West motherfuckers

        There seems nothing intuitive about that, or stupid about not knowing it unless someone (such as an article like this) has specifically told you that Zelle has no regulations.

        32 votes
        1. [13]
          stu2b50

          I mean it's not really about "regulation". There's a triangle on which you can only have 2:

          1. Merchants receiving their money in timely fashion
          2. Fraud protection
          3. No transaction fees.

          Zelle has 1 and 3. A credit card has 1 and 2 (with most payment processors, anyway). Cash is also 1 and 3. A normal check is 2 and 3. A cashier's check is 1 and 3.

          Zelle is what zelle is. If it were to have more robust fraud protections, it would either require holding the money in the transaction for longer, OR transaction fees. Which defies the purpose of Zelle.

          11 votes
          1. [12]
            Greg

            It’s perfectly possible to have all three, it’d just cut into the banks’ profits a little if they couldn’t add a fee, so they wouldn’t be happy about it. That’s why it needs to be a regulation: not because there’s anything magic or intrinsically positive about government intervention, just because it’s the only way to get a business to do something that’s going to cost them money.

            18 votes
            1. [11]
              stu2b50

              That’s just redirecting where the fee is. It increases operating costs, and that money will come from other revenue sources. Even with nationalized banks, all that means is that you pay for it with taxes.

              When a scammer steals someone’s money, for the money to be returned to the original person, it must come from somewhere - the scammer, the payment facilitator, or the original person.

              I’m more than fine with Zelle as digital cash - that’s its niche. If I wanted fraud protection I’d use a credit card.

              8 votes
              1. [7]
                vord

                Making free at point of use and amortizing the costs into everything else is a great way to handle lots of stuff.

                Ban card transaction fees. Rewards programs will disappear overnight but cashless transactions become easy.

                5 votes
                1. [6]
                  flowerdance

                  This will never happen. Banks will always claim "maintenance", "services", "improvements", and other blah blah factors as reasons for needing the transaction service fees, as if all those weren't business expenses on their behalf for running their companies already. But yeah, the service charge will only go up from here. Newcomers into the neo-banking/neo-finance scenes would just get gobbled up via acquisition or acquihires or threatened by finance cartels to implement service fees. It's all a giant sham, backed by the industry with the most money.

                  1. [5]
                    Greg

                    It happens if the rules imposed on the banks say that’s what’s going to happen. Sure, the banks will grumble and cry and act like marginally reducing yet more hypothetical profit growth is tantamount to stealing the last penny of hard earned money from their vaults - but ultimately if that’s what the rules say, they suck it up and deal with it while continuing to make massive profits. Just maybe very slightly less massive, is all.

                    3 votes
                    1. [4]
                      flowerdance

                      I mean, this will never happen because government will never regulate banks. Not in 08, not in 23, not ever.

                      1 vote
                      1. cykhic

                        Do you mean that you feel the regulations are insufficient? In all countries that I'm aware of, banking licences are difficult to obtain and subject to quite a bit of scrutiny.

                        From my understanding, the discussion here was about whether it's a good thing to increase regulation on fraud, piggybacking off the already-existing Know-Your-Customer regulations.

                        2 votes
                      2. vord

                        There is still a good bit of regulation on banks. We can see what it's like without them courtesy of crypto.

                        1 vote
                      3. Greg

                        Does the political will exist in the US to expand banking regulations to cover this scenario? Maybe, maybe not, it’s going to depend on a thousand factors - but yeah, from the status quo alone it’s not looking too hopeful.

                        I was still one step back from that, at “is this even possible or desirable to achieve?” and on that I’d say a resounding yes simply based on the number of other countries that have already done so.

              2. [3]
                Greg

                I don’t see how it’s a problem if it comes from the scammer or from a tiny fraction of the payment facilitator’s profits? I certainly wouldn’t call it a fee in either case, especially if it’s actively recovered from the scammer - something that’s vastly more likely to happen if the banks have good reason to cooperate on tracing and reversing fraudulent transactions.

                Not to mention the possibility of significantly reducing fraud overall if the entity with the power to do so is suddenly the same entity on the hook for the costs - better security measures, additional KYC, all those kinds of things start to look like a bargain rather than an unnecessary expense.

                To cover whatever amount of fraud can’t be prevented or reversed, profit isn’t set in stone: if their revenues are already maximised at what the market will bear (and I see no reason they wouldn’t be, given that’s the banks’ sole reason for existing), and the government forces the banks to cover the costs of fraud, then the profits go down by some small percentage. That’s business, profits have to drop sometimes due to market conditions, and regulation is a market condition.

                They might not like it, but if economic theory is right and they’re already squeezing maximal blood from the stone, there’s not much they can do about it (where “it” is covering the already substantially lower amount than the consumers were paying, thanks to the incentive fixes above).


                [Edit] Some numbers for context: if we take the £0.5B cost of fraud from the article above and make the implausibly generous assumption that it can’t be reduced in any way, so the banks have to cover every penny, it’d take their profits down from £41.1 billion to £40.6 billion. It’s a 1% change in profit when the banks are making an additional 12% there compared to the previous year just by failing to pass on interest rate rises to depositors.

                Expressed as a transaction cost, that’d be £0.12 per bank transfer, or a 0.016% fee by value. Sixteen one-thousandths of one percent, in the worst possible scenario where fraud cannot possibly be reduced and the banks can’t tolerate a 1% hit to their double digit year-on-year growth in profits.

                1 vote
                1. [2]
                  AugustusFerdinand

                  Because it doesn't come from a fraction of profits, they aren't going to give up profits. It's going to come from you and every other user of the system in the way of a higher fee elsewhere. Economic theory doesn't take into account collusion be it direct or indirect.
                  You're also only counting the actual fraud cost, not investigation of fraud which requires people, departments, managers, hardware, structure, benefits, on and on.
                  So the adage still rings true, you only get two sides of the triangle.

                  1. Greg

                    Companies acknowledge that regulation increases the cost of doing business all the time - it’s worked into annual reports, it’s an accepted reason for lower than expected projections, it’s why they spend so much lobbying against regulation.

                    But that’s exactly why I added the context at the end, to head off that debate in either case: covering the cost of fraud is an inherent upper limit, unrealistically assuming there’s no possible way to reduce it - and I gave a very concrete example of how regulation does actually decrease fraud a little further down.

                    Actual costs are almost certain to be much lower, but it sets a maximum value: they don’t need to manage and investigate if they’re just reimbursing it out of pocket. And if they did decide to do that, and somehow managed to squeeze it back out of customers, it amounts to a 0.016% transaction fee - it’s a rounding error’s rounding error.

                    Even in the worst possible case, it’s almost unnoticeable to the customer, so I can’t see any reasonable argument not to make that shift of responsibility.

      2. [9]
        stu2b50

        Why? The main difference there is that you should be savvy enough to only pay the person after they do the work, not before they even arrive at your house. I don't think I've paid a handyman, plumber, etc. with cash or checks in like the last 8 years or something. It's always been either card, zelle, and sometimes venmo/cashapp for the smaller ones.

        Many people use "apps" to pay for their mortgage, yes. And rent. And car payments. There's nothing inherently insidious about electronic payments.

        I think some people are lulled to a false sense of security because the majority of their electronic payments go through instruments like credit cards, which have fraud protections (at the cost of merchant fees, which of course, the merchant will use to recalculate their prices). Zelle is digital cash - treat it like you're handing physical cash to someone. If you want physical cash back, you ain't getting it back.

        13 votes
        1. [2]
          johan

          I'm not from the US and have literally never used a cheque. Besides cash there is no other way here besides transferring the money electronically. I mean, I guess you could go to the bank but I think that if they even offer it they would just put you behind a computer to do it.

          Fraud is obviously still possible and it definitely happens, but as you say there is nothing inherently wrong with electronic payments.

          11 votes
          1. sparksbet

            The big difference (as someone who moved from the US to Germany) is that directly transferring between bank accounts the way Europeans do with SEPA transfers is a pain in the ass in the US (and doesn't typically come with the protections you get with SEPA transfers). So Americans fall back on stuff like Paypal and Zelle, even though these are private services without any of the regulatory protections that SEPA transfers have.

            Back when I lived in the US ~5 years ago, I paid my rent by check bc the alternative of paying with a debit card came with a fee. It's literally the only thing I've ever used checks for, and it was a pain in the ass to have to order checks (and they make you order quite a few at once) and remember to mail one every month. Automatic SEPA transfers are a lot easier to handle now that I live in Germany.

            3 votes
        2. [5]
          bonedriven

          This seems wild to me as someone based in the EU. Mortgage payments and bank loans are almost exclusively paid by a direct debit electronic transfer from your bank account to the account of the lender.

          For a project of this value, I can't conceive of anybody making payment here using anything bar a direct SEPA bank transfer. Maybe if someone was doing a small job for €150 you'd revolut them after they were done because it's faster, but not for tens of thousands.

          Is bank account to bank account transfer not a "thing" in the US?

          9 votes
          1. stu2b50

            It is, but it is notoriously slow and difficult to use as a user (the actual "API" involves SFTP, for reference). Zelle is functionally a wrapper between banks of ACH, so there isn't really a difference between Zelle and a bank-to-bank transfer (Zelle is not really a discrete product, it's run by a consortium of the major banks in the US).

            For that matter, I've never used a "Zelle" app, if such a thing exists. I've always used Zelle through my bank's app (Chase, to be specific).

            There would be no difference to the user in question on whether or not they got scammed if they somehow manually sent ACH transactions to the scammer instead of Zelle.

            6 votes
          2. [3]
            arch

            paid by a direct debit electronic transfer from your bank account to the account of the lender.

            It's the same in the U.S. I just set up that transaction online through the mortgage holder's website. You likely do the same in the EU.
            I don't believe I can pay with a credit card. I would love to, because then I get up to 5% cash back on it, but I'm not allowed to, because then the mortgage processor would pay up to 5% in transaction fees.

            1 vote
            1. [2]
              pallas

              It's somewhat different. Electronic SEPA transfers are quite common for all uses (person-to-business, person-to-person, etc) in the EU, and those are entirely payer-controlled / push-based: the payee gives you their account number, and you set up the payment via your bank, with appropriate authentication. These are real, direct transfers.

              There are also direct debit transfers, which are pull-based, where you give your account information and authorization to the payee, and they can then provide those to your bank to make debits from your account. But these are very regulated by comparison to both regular SEPA transfers and US ACH transfers. For example, you can usually reverse the charges, even if you don't dispute that the payee was authorized to make debits, for at least 13 months. So while companies do use these, especially for bills that are of varying amounts, they're not as common as they are in the US; some places will opt for receiving payer-initiated payments instead. I seem to recall that when the payee provides the initial authorization to your bank, your bank also usually notifies you that the authorization has been provided; they may also notify you in advance of the debit, so you can stop it, and have a mechanism for you to block it.

              So as a business, you can choose between having the payer control sending you the money, but having the money reasonably securely quickly, or pulling the money from the payer's account, but having them able to stop or undo the transaction for any reason, even a year later. That's the cost, as the payee, of getting pull-based transactions.

              As a result, bank account numbers are reasonably safe to just give to people in the EU. Some companies/people will just have their bank account number on their website.

              ACH transfers in the US merge these two mechanisms in a way that seems absurdly unsafe, basing all transfers off only account information that can be found on any cheque, and having them all be pull-based.

              6 votes
              1. sparksbet

                A ton of places here in Germany have their IBANs on their letterhead too.

        3. AugustusFerdinand

          Large transactions, like a pool, often require payments at start of work and upon completion; if it's a very large transaction (like building a house) there will be milestone payments along the way. The $31,000 mentioned for the pool is the payment expected to begin the work; there will be another, likely the remaining 50-66% of the balance due at completion.

          While many people use "apps" to pay things like their mortgage, rent, car payments, they aren't paying them with the payment apps like Zelle, Venmo, Cashapp; they're using their mortgage company's app, their landlord's app, their dealership's app: things that let them pay a single institution, like a Starbucks app. It'd throw up a red flag if your landlord said "Send me this month's rent on the Starbucks app" after you've been paying them via their app all along. That's the equivalency here.

      3. Eji1700
        While I feel the same way in that I flat out refuse to use zelle/venmo, the standard is that these things are just "a part of life" and people treat them like it's a bank or something else.

        It takes being scammed for many people to learn, and this article is a pretty good example of what standard views on these things actually are.

        5 votes
    2. rosco
      I've fallen for a Venmo scam. I had to input a number that was in a text sent to me via Venmo that had "do not give this number to anyone over text or phone" explicitly in the text message. I am excited for the federal offering of direct user/user transfer that all other modern countries have and the security that comes with it.

      4 votes
    3. ignorabimus
      I'm always really confused by banks who require customers to confirm things by text. My bank only allows me to confirm payments using an app or a physical security key which helps to eliminate some of this avenue for fraud.

  3. [3]
    shusaku
    I’m not really sure if this should be thought of as fraud. The fact that the perpetrators had hacked into Gary’s email and were specifically targeting his customers takes this to another level. If you paid Gary the money in cash, and someone broke into his safe, that’s not fraud. If he had a gun to his head, and called you to say “leave the money at XXX Street”, that’s not fraud. I think the writer of this article feels guilted into saying how dumb and privileged they are for daring to have 30K on hand, but this is more brazen than a romance scam.

    10 votes
    1. boxer_dogs_dance
      The difference is that if a thief/burglar breaks into Gary's safe, Gary eats the loss. These hackers impersonated Gary. That's fraud and they succeeded.

      6 votes
    2. Greg
      > If he had a gun to his head, and called you to say “leave the money at XXX Street”, that’s not fraud.

      I’m reasonably sure it is. Not against Gary - there’s a whole other list of crimes being committed against him in that hypothetical - but the purpose of those crimes is to coerce him into helping with the fraud against the author.

      In the actual case, it’s fraud by impersonation being committed against the author, although Gary is probably also the victim of a crime under the CFAA for the email hacking as well as identity theft for the way that access was then misused.

      2 votes
  4. Greg
    I've made a few replies basically saying "a little regulation goes a long way", so I figured it was worth a top level comment with a concrete example of why this type of fraud is much harder in the UK. It basically only takes three rules for a case like this:

    • Banks have KYC requirements before opening an account. This goes back decades and gives some reasonable assurance that the banks know who's actually behind the money they're holding - it means the name on an account is highly likely to be accurate.
    • Banks must support free, fast account-to-account electronic transfers. This is good for commerce on the whole, and important here because it means the transfers everyone actually uses are in the hands of the banks themselves, rather than third parties that aren't bound by banking rules.
    • Transfers must validate the name on the account as well as the associated account number before being made.

    The first and second rules lay the foundation, allowing that last minor addition to make entire classes of fraud thousands of times harder. That's what good regulation and proper incentive structure looks like.

    Try to send a transaction to a fraudulently supplied account number now and you'll get a big red box saying that the account name doesn't match Gary's (or that of his company) that you entered. It's an approach that looks at the process from a human perspective and puts in a fix to prevent the bulk of the problem before it even happens, with zero downsides for those involved.

    Sure, it's not perfect, maybe the scammers would try to explain that away and get you to use a different name, but that's raising a lot more red flags - and in a much more intuitive, understandable, and memorable way for the customer than dealing with effectively random account numbers.

    Equally importantly, it's the kind of fix that only happens with outside influence: it cost some amount of money to implement, and required a shared standard between a bunch of competing organisations. There's no economic incentive for them to implement it if the losses are being borne by their customers, even if the cost to implement is vastly lower than the cost of those losses. But as soon as someone forces them to do it, everyone wins.

    6 votes
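
The name check described in the comment above, sketched as an added example (not part of the thread, and not any bank's actual matching algorithm). The account directory, names, suffix list, similarity threshold and the three-outcome result are all constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: account identifier -> name verified by the
# holding bank when the account was opened (the KYC rule).
REGISTERED_NAMES = {
    "12-34-56 00001111": "Gary's Pools Ltd",
    "65-43-21 00002222": "J. Doe",
}

SUFFIXES = {"ltd", "limited", "llc", "inc", "co"}  # assumed legal-form suffixes
CLOSE_THRESHOLD = 0.80  # assumed cut-off for a "close match"


def normalize(name: str) -> str:
    """Lower-case, strip accents and punctuation, drop legal-form suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = re.sub(r"['\u2019]", "", text)  # "Gary's" and "Garys" compare equal
    words = re.sub(r"[^a-z0-9 ]", " ", text).split()
    return " ".join(w for w in words if w not in SUFFIXES)


def check_payee(account: str, entered_name: str) -> str:
    """Compare the name the payer typed with the name registered on the account."""
    registered = REGISTERED_NAMES.get(account)
    if registered is None:
        return "UNKNOWN_ACCOUNT"
    entered, actual = normalize(entered_name), normalize(registered)
    if entered == actual:
        return "MATCH"
    if SequenceMatcher(None, entered, actual).ratio() >= CLOSE_THRESHOLD:
        return "CLOSE_MATCH"
    return "NO_MATCH"


def authorize_transfer(account: str, entered_name: str,
                       payer_confirmed: bool = False) -> bool:
    """Send on MATCH; a CLOSE_MATCH needs explicit payer confirmation."""
    result = check_payee(account, entered_name)
    if result == "MATCH":
        return True
    # NO_MATCH and UNKNOWN_ACCOUNT are refused even if the payer insists.
    return result == "CLOSE_MATCH" and payer_confirmed
```

An invoice that names the contractor but carries someone else's account number returns `NO_MATCH` here, which is the "big red box" case: the payer sees the mismatch before any money moves.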
  5. Jerutix
    I cannot believe they still used the same guy to build the pool. Even knowing how much it wasn’t his fault, I still don’t think I could have used the same guy.

    I have fallen for one Venmo scam, but was on edge about it and set it up with the protections Venmo offers, which allowed me to get all the money back pretty easily.

    I used Zelle for something like a week ago, and I was not a fan. Totally felt like throwing money into the void and hoping I’d gotten all the numbers typed right. I did, but I hope to not need it again.

    5 votes
  6. R3qn65
    This article was really well-written! You wouldn't think a piece on Zelle scams could be legitimately funny, but this was.