HOUSTON – Have you ever received one of those text messages that appear to be from your bank or a retailer confirming a transfer or purchase you didn’t make? By now, you likely know those messages are usually scams. The scammer wants you to click on the link so that you will give them your financial information. But this new scheme takes it a step further.
How the scam works
Hank Molenaar received a text message in May claiming to be from Bank of America, asking him if he had attempted a Zelle transaction for $2,000. Instead of replying to the text, Molenaar called Bank of America directly at the toll-free number on the bank’s website. An automated attendant answered the call and said the hold time would be in excess of 20 minutes. Molenaar pressed 1 when prompted to hang up and receive a call back from a bank representative.
Shortly after that, someone did call him back. The Bank of America number was displayed on his caller ID. Molenaar explained to the woman on the phone that he wanted to make sure there was no Zelle transfer from his bank account.
“And she acted like she was going to help me and she said she was looking at my account,” Molenaar recalled. “‘We also have another transfer in the amount of $1,500 to the same person. And also did you use your debit card at a Walmart in Dallas for $630 some odd dollars?’ I was like. ‘No, I wasn’t in Dallas.’”
Molenaar said the caller told him he had to set up a reverse transaction in Zelle to get that money back. He followed the instructions, but the next day his money was gone.
“This is almost a foolproof scam,” said consumer expert and author Bob Sullivan.
Sullivan has 20+ years of experience investigating consumer and cybercrime news. He says with this latest scam, it’s about timing. The thieves send a text, assuming you will call the bank directly and be told to wait.
“The criminal knows that’s going to happen. And they call you back five minutes later,” he explained. “What else are you going to assume? It’s Bank of America calling you back? It’s almost a perfect scam.”
Bank of America denied Molenaar’s fraud claim saying he initiated the transfer.
“I was like, ‘Well, no, wait a minute, this was fraud. Y’all supposedly called me back,’” Molenaar said he told a Bank of America representative.
Bank of America said they have a warning that pops up during every Zelle transaction that says you should not transfer money as a result of an unexpected call or text.
But Molenaar said he *was* expecting the call because he had called them first.
“For sure I called the right number, and they will verify it, you can look into the website-- 800-432-1000.”
A law could protect consumers
Sullivan said the Electronic Funds Transfer Act, also called Regulation E, means the bank should refund Molenaar’s money, but the banks are interpreting the law differently.
Bank of America told us because Molenaar “initiated the transfer,” they didn’t have to refund his money.
“Clearly the consumer’s not actually authorizing the transaction. The consumer is being manipulated into pressing the buttons to help the criminal with a transaction,” Sullivan said.
The Consumer Financial Protection Bureau seems to side with Sullivan. Here’s what the CFPB has posted on its website:
“…when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E. (emphasis added)
For example, the Bureau is aware of the following situations where a third party has fraudulently obtained a consumer’s account access information, and thus, are considered unauthorized EFTs under Regulation E: (1) a third-party calling the consumer and pretending to be a representative from the consumer’s financial institution and then tricking the consumer into providing their account login information, texted account confirmation code, debit card number, or other information that could be used to initiate an EFT out of the consumer’s account, and (2) a third party using phishing or other methods to gain access to a consumer’s computer and observe the consumer entering account login information. EFTs stemming from these situations meet the Regulation E definition of unauthorized EFTs.”
A coalition of consumer groups, including U.S. PIRG and the Consumer Federation of America, has asked the CFPB to take enforcement action against the offending banks.
What you can do
If this happens to you and your bank refuses to refund your money, Sullivan said you should file a police report and file complaints with the CFPB, the Federal Trade Commission, and the Texas Attorney General’s Office. Save your paperwork, texts, and notes. He’s convinced if regulators don’t make the banks pay up, a class action lawsuit will.
This is what Bank of America emailed us when we tried to get answers about the scam:
“We can’t share information about an individual account, but we are following up directly with our client. It’s unfortunate when people fall for scams like this. Bank of America and other legitimate companies would not ask a customer to transfer funds between accounts in order to prevent fraud. We alert clients during the transaction if they are sending money to a new recipient that they should only send to people they trust and never transfer money as a result of an unexpected call or text. We periodically reach out to clients with information about how to stay safe and avoid scams and also post information on our website alerting people to scams (https://www.bankofamerica.com/security-center/avoid-bank-scams/).
In this case, the client received a notice that he was sending the transaction to a name and mobile number that was not his own before authorizing the transaction. This notice also included an alert that Bank of America would never ask him to send money to anyone, including himself. We are attempting to get the money back from the receiving bank; however there is no guarantee since the customer has authorized the payment.”