CISO Update #45
Zelle Smishing


Many of us depend increasingly on our phones to do all kinds of things, from keeping in touch with friends to executing financial transactions. Cyberattackers follow the crowd, so if we spend more time on our phones, they will find more scams that target phone users. This month we will focus on a scam, reported by security researcher Brian Krebs on his Krebs on Security site, that combines two common ways people use their phones: texting and electronic payments. Two quick bits of background:

  1. Texting is technically called SMS, for Short Message Service, and sending fraudulent messages via SMS is called Smishing (a takeoff on phishing). See our guide for information on more varieties of phishing.

  2. Zelle is an online peer-to-peer payment service used by many banks. The scam we’re about to discuss involves Zelle, but we’re not implying that Zelle is in any way better or worse than its competitors.

In this scam, the attacker sends the victim a text that pretends to be from Zelle and asks to verify a large cash payment that was supposedly initiated through Zelle. If the victim replies to the text, the attacker calls the victim’s cellphone and asks them to provide the password to their online banking. (How did the attacker get the victim’s cellphone number? Maybe they just robo-dialed and got lucky, maybe the victim listed it on a social media account like LinkedIn, or maybe the cell number was exposed in one of the hundreds of data breaches that have occurred in the past few years. Any of these is possible.)

In the background, the attacker initiates a password-change transaction against the user ID the victim just provided. The bank will probably send a text message to the user to confirm the transaction. The fraudster will claim that they sent the code in that message and ask the victim to read it back; the attacker then uses the code to complete the password change against the victim's account.

What can you do?

There are steps you can take to avoid falling victim to this scam. If you get a text or call from someone you don’t know and feel even slightly suspicious, follow Krebs’ mantra: Hang up, look up, and call back. If you receive a call from someone warning about fraud, hang up. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Stay tuned for emails with the latest from the Cybersafe campaign at FIT.