Account Takeover Fraud
,
Fraud Management & Cybercrime
,
Litigation
Zelle Provider Allowed $1 Billion of Fraudulent Transactions, Prosecutors Say

The state of New York is suing the privately held fintech company behind the Zelle money transfer system in a complaint that alleges years of poor cybersecurity and protections against fraud.
See Also: How is Your Organization Mitigating Account Takeover?
The lawsuit picks up where the federal government left off after Consumer Financial Protection Bureau under President Donald Trump dropped in March a similar suit initiated during the Biden administration.
The New York complaint targets Early Warning Services, the company behind the money transfer app. Its largest owners are JPMorgan Chase Bank, Bank of America and Wells Fargo, although Capital One, PNC Bank, Truist Bank and U.S. Bank have shares.
State prosecutors allege EWS ignored safeguards in a bid to outpace nonbank payment apps such as Paypal and Venmo, which at the time of Zelle’s launch in 2017, were dominant methods for electronic money transfers. EWS allowed more than $1 billion in fraudulent transactions to occur over Zelle, they say.
Not until 2019 did EWS develop “a suite of modest, yet critical, security enhancements and changes to the rules governing the Zelle network that, working in combination, would reduce fraud over the Zelle network,” the lawsuit reads. EWS didn’t fully adopt those rules until 2023, in response to outside pressure from the Senate and the Consumer Financial Protection Bureau, prosecutors allege.
The payment network experienced a “drastic reduction in consumer harm” that prosecutors say is substantially attributable to “EWS’s belated adoption of the full suite of basic network safeguards by the middle of 2023.”
The banks behind Zelle – not named as defendants in the New York suit – refused to make numerous fraud victims whole, prosecutors say. “No one should be left to fend for themselves after falling victim to a scam,” said New York Attorney General Letitia James. “I look forward to getting justice for the New Yorkers who suffered because of Zelle’s security failures.”
A Zelle spokesperson accused James of “a political stunt to generate press” and said “more than 99.95% of all Zelle transactions are completed without any report of scam or fraud.” Consumers and small businesses sent more than $1 trillion over Zelle during 2024, the company said earlier this year.
State prosecutors say the ease of signing up for a Zelle account can still facilitate fraud. Zelle refers to an email address or phone number as a “token,” and allows multiple tokens to be associated with a single bank account.
“As a result, a fraudster can engage in multiple ongoing frauds targeting multiple consumers using different tokens linked to the same bank account,” the complaint reads. If a Zelle customer reports fraud associated with one token, the fraudster can switch tokens. The lawsuit states that EWS allows up to five tokens to be associated with a single bank account, a reduction from an earlier limit of up to 20 emails or phone numbers.
EWS allows users to switch bank accounts, allowing fraudsters to “move tokens among bank accounts at different participating banks, limiting the risk that a single participating bank will identify a particular token as linked to continuing fraud.”
Prosecutors also say EWS allowed fraudsters to register emails that appeared to be associated with banks, government agencies or even Zelle itself.
Bank customers are at risk of two different types of Zelle fraud. Induced fraud involves impersonation. In one case described in the lawsuit, a purported Con Edison employee in 2021 scammed a New York individual into sending nearly $1,500 to an account named “Coned Billing” to settle an electricity bill. Takeover fraud occurs when criminals obtain improper access to a user account through SIM swaps or social engineering victims into giving up account information. Prosecutors depict another case that occurred in 2023 when a Citibank customer reported a $2,500 unauthorized transfer from his checking account.
“EWS was aware of these and millions more instances of fraudulent activity perpetrated over the Zelle network,” the lawsuit asserts. The complaint asks for judicially-mandated network safeguard and antifraud measures, restitution for scammed New Yorkers and for EWS to “disgorge all profits from the fraudulent practiced alleged.”