Banks want to help you send money. So do phishers
A group of U.S. banks are starting to offer a service called Zelle that lets you send money to your friends using their email address or mobile number, easily, fast and free.
Consumers can use Zelle send money from within their banks’ apps, and last week, Zelle launched its own app.
It’s “the new, easy way to send money in minutes directly between U.S. bank accounts — right from your mobile banking app,” according to the Zelle website, whose design suggests it might be useful for splitting the tab on flowers for your mom and for your avocado toast orders. It competes with other apps for sending money, like Venmo, Square Cash, or Apple Pay.
Zelle says that it processed over 100 million transactions in the first half of 2017, that on average, more than 50,000 people enroll each day, and that the Zelle network, once fully deployed, will be available to 86 million consumers.
When you send money to someone using Zelle (formerly known as ClearXchange), you need to have a bank account with a participating bank, and you need to use their app or the Zelle app. If the recipient doesn’t have a Zelle-compatible bank account, they’ll get a notification via email or text, and then they can sign up at ClearXchange.com to receive the cash.
That’s where things get tricky, because it’s way too easy for hackers to spoof emails from most of these banks.
Watch Out for Frauds
As Zelle rolls out, expect a rash of email impersonation attacks aimed at tricking consumers into thinking they’re about to get some money. All the impersonators need to do is craft a message that looks like a legitimate Zelle “Heads up! Someone is trying to send you money” message, then send it to their targets using a bank’s email address in the From field of the message.
If the bank isn’t protected by email authentication — and most of the Zelle partners aren’t — such fraudulent emails will sail right into consumers’ inboxes. A decent proportion of the recipients will click on links in those emails, hoping to receive their cash, and they might give their bank information, passwords, or other valuable data to the fraudsters in the process.
A dozen banks and credit unions are already up and running on the Zelle system, and another 22 are “coming soon.” Including Zelle itself, they represent 48 different domain names.
The Vulnerability, By the Numbers
Of the domains for banks that are already participating (plus Zelle itself), 87 percent have attempted to authenticate their email using the most advanced standard for email authentication, known as DMARC. DMARC authentication — if implemented and enforced properly — ensures that any email that uses a domain in its From field is coming from a server authorized by that domain’s owner.
But only 53 percent of current Zelle partner domains are enforcing email authentication. That means the rest — 47 percent — are still easy to impersonate.
The picture gets worse when you consider all Zelle partners, including those that are “coming soon” as well as current partners. In this cohort, 52 percent of the domains are attempting authentication, but only 23 percent are enforcing it. As a result, 77 percent of these domains are open season for phishers and impersonators.
There’s one other domain we didn’t include in our analysis, and that’s ClearXchange.com. While Zellepay.com is enforcing email authentication, ClearXchange.com isn’t using DMARC at all, meaning that it’s easy for fraudsters to spoof this domain. Unfortunately, it appears Zelle itself is still relying on the old, unprotected domain (including referring to it from the main Zelle website), so this remains an open vulnerability for the payment system.
If Zelle and its partner banks want to instill confidence and a sense of trust in the services they are offering, they need to close this vulnerability. All participating banks, and Zelle’s own websites, need to implement email authentication at enforcement. Only then can consumers be sure that the “you’ve got cash” emails they get can be trusted.
How to Protect Yourself
If you get an email that appears to be from a Zelle partner bank (or from a friend sending you cash via Zelle) and you’re not sure if it’s legit, you should check the authentication status of the domain used in the email’s From address.
To be sure you’re using the right domain, copy the domain name shown in the From address: If the email says “email@example.com” the domain you want is “superbank.com.” Make sure you include any subdomains, so if the From field says “firstname.lastname@example.org” then the domain you want is “service.superbank.com.”
Enter that domain name into the Valimail domain checker on the homepage of our website. If the results are all green, then you can rest assured that the email was sent by the owner of that domain (or by a sender they authorized).
If the results aren’t all green, as they appear in the domain check for ClearXchange.com above, then you should not trust the email. Don’t click on any links in that message or follow any instructions it may give you: Instead, contact the friend who appears to have sent you the cash (via phone, text, or in person) and ask them to use a safer method.
And if your bank invites you to use Zelle, you might want to politely decline until they implement email authentication and enforce it.