2022 has emerged as the year of the Zelle fraud. Thousands of recent news reports reveal the woes of Zelle users who have lost entire bank account balances to fraudsters who falsely pose as bank representatives responding to fake fraud alerts. When victims file a claim with their bank requesting reimbursement—similar to what they would do for credit card fraud—those claims are being denied and Zelle users are left bearing the loss.
Research backs the enormity of the problem. According to Javelin Strategy & Research, an industry research firm and consultant, nearly 18 million Americans—or about 7% of the adult population—were defrauded through scams involving digital wallets and person-to-person (P2P) payment apps in 2020, the last year for which numbers are available.
Zelle is a product of Early Warning Services and a US-based digital payments network owned by seven of the nation’s top financial institutions. It enables instant payments between consumers, using just an email address or phone number attached to the Zelle account. When a payment is made, it’s deducted from the sender’s linked bank account and deposited into the recipient’s Zelle-associated bank account. The payment may happen in real time, depending on whether a user’s bank participates in The RTP® network. Regardless, payments cannot be canceled, unless the recipient hasn’t enrolled in Zelle.
Banks outside the ownership circle are able to participate by enabling the Zelle service through an integration with their institution’s financial technology and then making the Zelle service available to customers through their mobile banking application. This increases the overall network to an estimated 2,500 banks.
A primary challenge in detecting fraud on Zelle is inherent to the back-end set-up of the network. Unlike Venmo or Cash App, no single entity is able to see both the sender’s and recipient’s transactions. In order to maintain proprietary control over account data, a financial institution can see only the side of the transaction which is attached to a customer bank account at their institution. Even so, there must be a way for banks to work together to resolve instances of Zelle fraud or, especially so, when a bank holds the accounts for both sides of a transaction, right? Wrong.
Earlier this year, the New York Times chronicled the story of a man who had been the victim of Zelle fraud. When the victim realized he had been defrauded and contacted his bank, he learned the fraudster’s account was also held with the same bank. He probably thought that the matter would be resolved in no time, given that the bank controlled both accounts. Ultimately, his claim was denied. What happened?
Synthetic identities are hiding behind Zelle fraud, and it’s preventable
A hidden threat surfacing about Zelle fraud is that many linked bank accounts have been established by criminals using synthetic identities. A synthetic identity is created by combining real and fake personally identifiable information (PII), such as a stolen, but legitimate, Social Security number (SSN) merged with a made-up name and date of birth (DOB), or entirely fabricated PII, to form a new identity. The bottom line is that no such person exists—so when the bank reaches out to a “customer” in response to a Zelle fraud allegation, it’s not able to contact or locate the “person” behind the account.
Meanwhile, when the fraudulent Zelle transfer hit the fraudster’s bank account, those funds likely were immediately shifted to another account outside the control of the bank. The bank might freeze the original account, pending certain terms being met. However, since there is no real person behind the account, the fraudulently obtained funds will never be recouped and returned to the victim—hence the claim denial. The bank itself is unlikely to incur a financial loss—which means that the account (and the matter) will be closed with no one officially tracking these synthetic identity fraud incidents or the magnitude of the problem. The problem, however, has captured the attention of government officials and lawmakers.
CFPB issues guidance, and lawmakers demand action
Last year, the Consumer Financial Protection Bureau (CFPB), the US government agency responsible for consumer protection in the financial sector, issued updated guidelines stating that person-to-person or P2P payments are covered under Regulation E. Regulation E, or Reg E as it’s sometimes called, was established by the Federal Reserve Board in 1978 to provide rules and procedures for protecting banking customers who utilize electronic funds transfers (EFTs) to transfer money. Much of Reg E outlines the procedures a consumer must follow in reporting EFT errors, or unauthorized payments, and the steps the bank must take to provide recourse.
Early in July, a group of senators led by Bob Menendez, Elizabeth Warren, and Jack Reed sent a letter to the CFPB urging them to do more to protect consumers from and hold banks accountable for the fraud that is occurring on Zelle.
On the heels of the Senators’ letter, the Wall Street Journal reported that the CFPB will be issuing further guidance in the coming weeks that anticipates requiring banks to cover more reimbursements to consumers who are victims of P2P fraud—with the rationale that banks are doing little to enhance security or warn users of the risks. According to the article, the primary target appears to be Zelle owing to the increase in complaints but the requirements would likely apply to any other payments service, such as Venmo or Cash App, that connects directly to a consumer’s bank account.
In the New York Times article and other news reports, banks have adopted the position that denied Zelle fraud claims are not “unauthorized payments” or the technical definition of “fraud”—since the account holder approved the transfer—and therefore, the banks are in compliance with Reg E.
The solution for synthetic identity fraud: Purpose-built detection
A straightforward solution already exists to address this burgeoning problem. Financial institutions should be employing purpose-built detection controls at the outset to prevent bank accounts from being opened by a fraudster using a synthetic identity. Those accounts should then be monitored to identify anomalies or other signs of synthetic identity fraud throughout the customer lifecycle. Investing nominally in synthetic identity fraud prevention builds user goodwill, establishes trust, eliminates reputational harm, and makes better economic sense than reimbursing millions of dollars in Zelle fraud losses and possibly incurring regulatory fines.
Synthetic identities can be elusive and difficult to detect. If banks are not tracking for synthetic identity fraud now, they may not even know that synthetic identities exist in their portfolio—especially if they are closing accounts or writing off credit losses without investigating whether the identity behind the account is a real person and who they say they are. Additionally, such accounts appear legitimate up until the point when they are shut down—so if banks are not monitoring accounts for synthetic identity fraud, then the fraudsters behind those accounts will continue to cause harm.
As depicted in the graphic below, the sooner a financial institution can detect a synthetic identity and prevent or remove it, the sooner Zelle fraud can be blocked from occurring within the bank’s own ecosystem or on other platforms where the bank’s customers are linking bank accounts. One of the strong foundations of any P2P platform should be that every participating bank employs strong third-party and synthetic identity fraud detection controls at onboarding and throughout the account lifecycle. Otherwise, every user of that P2P platform is exposed to unnecessary P2P fraud risk, with potentially devastating results like what is happening with Zelle fraud.
According to the Federal Reserve, synthetic identity fraud is the fastest growing financial crime in the US. A 2021 report from Aite-Novarica Group explains that the goal behind a synthetic identity is to develop a full consumer and credit profile, so it can appear to be a “normal” customer and operate under the radar of fraud controls. In addition to opening bank DDA and Zelle accounts, it may also secure a mobile phone, create a social media presence, and apply for credit cards. There are even instances where synthetic identities donated money to charities. (It’s in the process of applying for credit that a profile for this new, but synthetic, identity is created at the credit bureaus.)
Aite-Novarica further reports that the COVID-19 pandemic drove a sharp increase in application fraud and that synthetic identity fraud represents a significant subset of the total. Of the financial institutions participating in the Aite-Novarica survey, 74% reported seeing rising occurrences of synthetic identity fraud since prior to the pandemic.
How Socure can help
Traditional synthetic identity fraud models are not effective in predicting synthetic identity fraudTraditional identity fraud models are not effective in predicting synthetic identity fraud, because those models are not built to detect people who are not real—which is why Socure has adopted the best practices recommended by the Federal Reserve both with regard to defining synthetic identity fraud, as well as mitigation strategies. As stated by the Federal Reserve: synthetic identity fraud is not a problem that any one organization or industry can tackle independently, given its far-reaching effects on the US financial system, private industries—such as healthcare, automotive, and insurance—public sector, and consumers.
In alignment with Federal Reserve mitigation best practices, Socure’s Sigma Synthetic solution:
- Utilizes robust graph-defined machine learning (ML) and artificial intelligence (AI) technology that supports fuzzy matching, the ability to match a name (such as a nickname) or other PII variations with established identity profiles.
- Incorporates hundreds of redundant third-party data sources, resulting in PII risk analysis and correlation.
- Assimilates quality-based consortium data across credit lines, accounts, and companies—with vigorous linkage and velocity capabilities.
- Applies manual synthetic identity fraud investigations to verify synthetic fraud occurrences and anomalies.
- Leverages electronic Consent Based Verification Service (eCBSV) provided by the Social Security Administration to check whether an individual’s name, SSN, and DOB match official records.
In its newest model iteration, Socure differentiates its solution with strict standards around the quality of synthetic identity fraud labeling related to customer consortium data, which dramatically increases accuracy performance. Beyond increased performance, the new model and resulting scores emulate the Federal Reserve’s synthetic identity fraud definitions and provide indicators to distinguish synthetic identities as either “manipulated” or “fabricated,” aiding customers tremendously in decisioning strategies.
Validating email, phone, and address risk signals and correlating those elements to an identity, as well as using native device signals as an additional layer of assessment, are also part of Socure’s comprehensive approach to synthetic identity fraud detection. PII and device features and anomalies—such as missing name to DOB or SSN, missing name to email, non-existent addresses, out-of-area or proxy IPs—pinpoint higher risk for synthetic identities.
Socure is committed to continuously enhancing mitigation strategies to eliminate synthetic identity fraud, including ongoing technological advancements, labeling improvements, and data sharing expansion.
Socure has over 19800 customers across the financial services, fintech, cryptocurrency, ecommerce, gaming, and other industries, as well as the public sector—with experience in helping them understand and identify fraud patterns to prevent financial loss and establish secure ecosystems. If you are a bank participating in P2P payments looking to strengthen synthetic identity fraud detection, contact us. Socure’s extensive team of experts stands ready to collaboratively explore your needs and focus on a solution to this elusive and damaging category of synthetic identity fraud.
Brenda Gilpatrick is senior director of product marketing at Socure. She helps to lead go-to-market strategies for the ID+ fraud product suite. Previously, she was an independent consultant in the payments and fintech industry, working with companies of all sizes on marketing, technology, operations, and business development initiatives.