Chrysanthi Rausch was taking a nap on her couch two months ago when she got a call from a number she didn’t recognize.
On the other end of the line was a woman who said she worked for KeyBank, Rausch’s local bank, calling to alert her of fraud in her account.
“They wanted me to verify my identity through a text code. So they sent me a text, and then I read the six numbers back,” said Rausch, 30, of Columbus, Ohio.
That was all it took, she said, for the fraudsters to create a Zelle account in her name and gain access to both her checking and savings accounts — all within hours of their phone call.
The scammers had tricked Rausch into providing them with the code that the bank had sent her to confirm her identity.
“I woke up … and they had taken about $1,500 from my account,” Rausch said.
Her case is hardly unique. NBC News talked to several consumers who said hackers stole anywhere from $190 to $6,400 from their bank accounts using Zelle.
The service is a digital payment network that is pre-built into many banking apps such as Chase Bank and Bank of America. Zelle links to a user’s bank account and allows customers to send money to other people instantly using an email address or phone number.
But it turns out that Zelle’s simplicity and speed, the features that make it attractive to consumers, have also drawn in a sophisticated pool of scammers. Thieves use spoofed calls, phone calls that look like they’re coming from an individual’s bank, and traditional hacking to access people’s Zelle accounts, experts say.
“The fraud we’re talking about today is a totally different kind of fraud,” said Bob Sullivan, an author who tracks online bank scams, “where someone’s access has been stolen just like if someone stole your username or password to your online bank.”
“It’s a simple proposition: the quicker the transaction is, the quicker a criminal can steal,” Sullivan added. “This is almost engineered for crime.”
All banking-related websites and apps are vulnerable to scammers. But experts say Zelle is a particularly appealing target because, unlike other peer-to-peer payment apps like Venmo, it’s embedded within banking apps and automatically connected to user accounts.
“When it launched, there were ads screaming on TV over and over saying, ‘You can trust Zelle. It’s backed by the banks. It’s safe.’ I mean they really traded on the safety of being associated with large banks,” Sullivan said.
Zelle’s popularity has soared since it launched an instant payment service in 2017. It’s now the largest player in the person-to-person payment market by partnering with hundreds of financial institutions through their banking apps and even offering a standalone app.
Just last year, the Zelle network saw $119 billion transferred among its users, according to company data provided to NBC News.
Zelle and a number of smaller competitors have become the tech world’s answer to a consumer market looking to pay from the convenience of their phones, one industry expert said.
“I think consumers want something that serves them in the same way that cash does,” said Dayna Ford, senior director analyst for digital commerce payments at the research and advisory firm Gartner.
Ford said social experiences such as splitting the check at dinner offer an ideal scenario to use digital payment services, especially since paying someone through cash creates issues of exact change.
“You have the same sense of security as if I had handed you a $10 bill,” Ford said, adding that the popularity of the smartphone has propelled the demand for quick payment options.
Many of the victims NBC News contacted said they were shocked to find fraud on their Zelle account because they hadn’t even heard of the service before getting hit with sham charges.
“I have never used Zelle,” said Troy Hopkins, of Vancouver, Washington, who says he lost $6,400 to scammers who used Zelle to hack his account. “I didn’t know about Zelle until I went on to my account and kind of searched around a little bit about how the money was taken out of my account, and I noticed Zelle there.”
Cases like Hopkins’ are exactly what Sullivan said is most disturbing about this new wave of scammers.
“A year ago, for you to fall for a Zelle scam, you had to be a Zelle user,” he said. “But this new scam, you’ve never heard of Zelle — you can still be a victim.”
Fortunately for consumers, federal regulations require banks to fully reimburse any customer whose money is fraudulently stolen from an account. All the victims NBC News spoke with, including Rausch, were fully reimbursed by their banks, but many reported they had to make several calls and wait weeks for the money to be replaced.
In a statement, Early Warning Services, LLC., the network operator behind Zelle, said that the “potential for fraud” is a risk associated with all digital payment technologies.
“In cases where a consumer’s bank account or debit card have been compromised, and unauthorized Zelle payments made, consumers have rights under the Electronic Funds Transfer Act. We recommend they contact their bank immediately to determine an appropriate resolution,” the statement read.
While Zelle also emphasized its current security features, such as identity verification and multifactor authentication, Sullivan said he isn’t convinced they will completely deter future attacks on consumer accounts.
“Criminals right now are trying to get around this second factor [authentication], so they have to hack your online bank account access, and they have to somehow essentially hack your text messages to get the answer,” he said. “They can do that through social engineering like a phone call where they pose as the bank.”
KeyBank, where Rausch is a customer, said it “has made the client’s funds whole again” after she was victimized by a “phone call scammer who convinced her to provide information that enabled access to her account.”
“KeyBank is taking proactive steps to help our clients prevent fraud attempts similar to this case by educating through direct email communications, investment in our security systems, and multifactor authentication,” the bank added in a statement.
Chase said in a statement: “As with any other fraud, we reimburse our customers for fraudulent activity on their accounts. We’ve made significant investments in fraud detection and prevention technologies as well as customer education to help stay ahead of fraudsters.”
Bank of America did not respond to a request for comment.
Zelle and the American Bankers Association shared the following tips to prevent the fraud:
• Change your security settings to enable multifactor authentication — a second step to verify who you are, like a text with a code — for accounts that support it.
• Don’t provide any personal information to anyone who calls or emails you out of the blue. Instead, use a trusted channel to contact the bank or company, like the phone number on the back of your credit or debit card.
• Sign up for text or email alerts offered by your bank to warn of suspicious activity on your account. Contact your bank immediately if you suspect fraud.
Sullivan said that last tip is the most important.
“We all get so many of these warnings that we ignore them, or they end up in spam,” he said. “But right now, in particular, pay attention to those notes because if someone attaches a phone number to your bank account, that could very well be the first step to one of these Zelle frauds.”