New York AG Takes Legal Action Against Zelle for Alleged Cybersecurity Failures


Zelle Provider Enabled $1 Billion in Fraudulent Transactions, Court Documents Reveal


The New York Attorney General’s office has filed a lawsuit against Early Warning Services (EWS), the operator of the Zelle money transfer app, alleging prolonged deficiencies in cybersecurity measures leading to substantial fraud losses. The suit claims that EWS facilitated over $1 billion in fraudulent transactions due to inadequate protective measures against cyber threats.

Notably, this legal action follows an earlier attempt by the federal government to address similar concerns, which was halted under the Consumer Financial Protection Bureau during the Trump administration. The New York lawsuit targets EWS directly, highlighting its ties to major financial institutions like JPMorgan Chase, Bank of America, and Wells Fargo, alongside several others.

According to state prosecutors, EWS overlooked necessary security protocols to gain a competitive edge over other digital payment platforms such as PayPal and Venmo when Zelle launched in 2017. The complaint emphasizes that although EWS introduced some security measures in 2019, they were not fully optimized and implemented until 2023, largely because of mounting pressure from regulatory agencies.

The legal filing also indicates that the Zelle network saw a considerable decrease in consumer vulnerability only after EWS adopted comprehensive security safeguards in mid-2023. The lawsuit underscores that the banks behind Zelle have not taken responsibility for victims of fraud, with Attorney General Letitia James asserting that no individual should suffer financial repercussions after falling prey to scams.

In response, a Zelle spokesperson accused the Attorney General of engaging in a politically motivated campaign, claiming that over 99.95% of all transactions occur without reported fraud. Despite the volume of transactions, over $1 trillion in 2024, the underlying risks remain a concern, particularly in the signup process, which allows fraudsters to exploit the platform by associating multiple identification tokens with a single bank account.

The lawsuit elaborates on how fraudsters can manage several accounts linked to diverse tokens, facilitating repeated scams targeting different users. Such vulnerabilities extend to email registrations that mimic legitimate institutions, allowing malicious actors to solicit funds deceptively.

The two prominent fraud types connected to Zelle are impersonation fraud and account takeover. The suit details cases of induced fraud, where scammers posed as utility company employees, and takeover fraud, where individuals were manipulated into providing account credentials. EWS is accused of being aware of extensive fraudulent activity on its platform yet failing to implement effective countermeasures.

The lawsuit seeks court orders mandating stronger network security and antifraud measures, restitution for affected individuals, and that EWS relinquish profits gained through the alleged fraudulent activities. The case highlights the need for robust cybersecurity frameworks; referenced against the MITRE ATT&CK Matrix, it illustrates potential adversary tactics such as initial access and persistence that may have facilitated these breaches.
