The popularity of the person-to-person (P2P) payment apps Zelle, Venmo and CashApp was bound to have a downside, and it has now surfaced for all to see. Scam artists and fraudsters have discovered that the convenience of these apps, and their widespread use even among older adults, presents a ripe opportunity.
These apps enable consumers to easily send one another money across banks, networks and platforms, usually with little more than an email address or phone number. While P2P apps were initially designed for “person-to-person” payments, they have also gained adoption by small businesses. In Q2 2021, Early Warning Services, the company behind Zelle, reported that Zelle Small Business alone grew 157% year-over-year.
Three quarters of respondents to an AARP survey had used P2P payments, but half didn't know that once the money is sent, there is no way to undo it.
These mobile payments are only going to grow further. Allied Market Research predicts the rise in adoption of mobile banking will drive 17% growth in the P2P market between now and 2030. Given numbers like those, it’s no surprise that more banks have incorporated P2P payment capability into their mobile apps.
P2P Soars… and the Crooks Follow
Inevitably, P2P-related fraud has surged, with nefarious actors using phishing schemes, spoofed text messages, and various other tactics to exploit P2P payments. A 2020 Javelin ID Fraud study found that the number of P2P fraud victims had increased by 733% since 2016.
Security expert Brian Krebs, writing in KrebsOnSecurity, demonstrated a typical scenario where the phisher sends a message that appears to be from the bank. If the person responds yes or no, the scammer then calls the victim, pretending to represent the financial institution’s fraud department. The image below, from the blog, is an example of this.
Several other schemes exploit Zelle, according to Elliot Advocacy. A common one is where a fraudster lists fake items on Facebook Marketplace or another site, then seeks advance payment through P2P and never fulfills the order.
The FCC notes that many P2P apps specifically warn consumers to avoid using them to pay for goods or services. “Even a legitimate transaction can go wrong by entering an incorrect phone number or misspelling a recipient’s name, resulting in the funds going to the wrong person. Once the funds are transferred, the money is likely lost,” said the FCC.
No Compensation from Banks for Lost P2P Payments
While consumers clearly like the benefits of P2P platforms, some are discovering they lack the protections they typically have with card and ACH transactions.
A 2020 survey by AARP of adults 50 and older found nearly three-quarters of respondents had used some form of P2P. However, 53% said they had used P2P to pay someone they didn’t know, and 52% were not aware those payments could not be reclaimed if they were mistaken or fraudulent.
Paige Paridon, Senior Vice President and Associate General Counsel of Regulatory Affairs at the Bank Policy Institute, said on the company’s website that some detractors criticize P2P platforms because it’s challenging to get money back in the event of fraud or a mistake. Funds sent through P2P platforms should be thought of as cash, she said, echoing advice given by Early Warning Services and other P2P providers.
Do you know the difference between 'fraud' and 'scam'? Even if you do, most consumers probably don't. It makes a big difference when money has been lost.
While customers have protection against operational errors or unauthorized account use, there is no way to cancel or undo a payment once it is sent. “Such payments are effectively irrevocable,” Paridon said, “just like when a fraudster or thief walks away with cash, never to be seen again.”
Zelle and other P2P platforms have security features such as data encryption, multifactor authentication, and fraud controls. Yet these features offer no protection when the consumer falls for a scam. Even when consumers make such payments through a P2P integration on their banks’ website, banks say they are not liable for fraud or mistakes, pointing to Regulation E, which only covers “unauthorized” transactions.
What is “authorized” or not can often seem like a grey area to consumers who have been scammed. For example, while the customer may be protected if the fraudster accesses their P2P login credentials or compromises their account, they are not covered if they fall for a scam and make a payment to the fraudster, regardless of the reason. This puts the responsibility on the consumer, not on the bank, to validate the legitimacy of such transactions.
P2P Fraud Presents Reputation Risk for Banks
Regardless of where the law places responsibility, consumers increasingly point fingers at financial institutions when they get scammed. Many take their stories to the news media and onto social media, dragging bank names and brands into the spotlight.
While banks may not legally be on the hook for losses for those duped by scammers, consumer groups and regulators are asking for more accountability. In a New York Times article about fraud flourishing on Zelle, the paper noted, “banks have been reluctant to make fraud victims whole – despite owning the system.” (Zelle’s owner, Early Warning Services, is owned in turn by Bank of America, Truist, Capital One, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo.)
In October 2021, the Consumer Financial Protection Bureau announced it was conducting a probe into companies operating payment systems in the U.S., with a particular focus on platforms that offer fast person-to-person payments. It specifically mentioned Google, Apple, Facebook, Amazon, Square, and PayPal but did not mention Zelle and Venmo (Venmo is owned by PayPal).
“Consumers expect certain assurances when dealing with companies that move their money,” said the CFPB. “They expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law.”
On April 25, 2022, Democratic Senators Elizabeth Warren and Robert Menendez wrote a letter to Early Warning Services about the rise of fraud on the platform. The letter said the increased activity on Zelle is “putting millions of consumers at risk as fraud flourishes.” It asked Early Warning to identify its procedures for rooting out scams, policies for determining refunds, and how many reports of fraud it had received.
Banks Respond to the P2P Criticism
Several banks are taking proactive measures to warn their customers about the potential for P2P fraud and what may not be covered. This often includes a clear distinction and definition between authorized and unauthorized payments. Here are three examples from big banks:
Capital One clearly notes the difference between P2P fraud and P2P scams on its website. While fraud involves unauthorized transactions, scams involve authorized transactions, it said. “The difference is important because the same protections aren’t available if a transaction is authorized. That means there may not be much that can be done to get your money back. Even if it was a scam or a simple mistake,” said Capital One.
In September 2021, Wells Fargo made an addendum to its Zelle transfer service agreement with several new notes around limitations of liability. It said neither the bank nor Zelle is liable for any losses or damages related to authorized payments, typos, or keystroke errors. It further added that users “should not use Zelle to send money to persons with whom you are not familiar or do not trust.”
Bank of America also notes that neither it nor Zelle offers protection for any authorized payments using the platform. Like other banks, it recommends that users only use Zelle to send money to family, friends, or people they trust.
One thing to note: Many of the people commenting online about news stories covering someone losing money to a P2P scammer are incredulous that the person didn’t break off the communication and call their bank directly to confirm the validity of the request.