An Upper East Side psychologist, recovering from anesthesia after a medical procedure, picked up the phone to a man who sounded exactly like a Citibank fraud investigator. He knew the last four digits of her Social Security number. He knew her checking account number. He was texting her alerts from what looked like her bank. By the time she realized what was happening, about twelve and a half thousand dollars had moved out of her account through Zelle. Her bank, reportedly, told her the transfers were authorized. She was on the hook.
The story of Dr. Karen Binder-Brynes was covered by Patch’s Upper East Side bureau, and it reads like dozens of others posted to r/Scams and r/personalfinance every week. What makes hers worth opening with is the specificity. She’s a practicing psychologist. She had just come out of a medical procedure. The scammer had enough real personal information about her that she believed he worked at her bank, and she said so out loud on the call.
“This guy was so smooth. He knew the last four digits of my social security number and the number of my checking account, he was sending me those alerts via text message and I told him, ‘Look, I just had a medical procedure, this better not be fraud.’”
— Dr. Karen Binder-Brynes, via Patch
Read that again. She told him, on the call, that she had just had a medical procedure and that if this turned out to be fraud, she was in no condition to fight it. He kept going. That detail isn’t a footnote. It’s the whole mechanic of how these scams work in 2025 and 2026. The scammer’s job isn’t to trick you into handing over a password. It’s to sound official enough, for long enough, that you approve the transfer yourself while your guard is down.
And then the moment of realization, which every victim of a Zelle or Venmo scam describes almost identically:
“As we were talking, I separately went into my account and could see that money was leaving it, and that’s when I freaked out and realized that this was fraud.”
— Dr. Karen Binder-Brynes, via Patch
She’s watching the money leave in real time. She’s on the phone with the person causing it. And the window between recognition and irreversibility is small enough to measure in seconds. Zelle transfers settle almost instantly. Unlike a wire, which sometimes sits in a pending window long enough for the bank to claw it back, a Zelle payment lands in the recipient’s account and is usually available immediately. By the time Dr. Binder-Brynes hung up on the scammer, the money was already gone.
Then came the part that turned the scam into a news story. Citibank, according to the Patch account, reportedly denied her fraud claim. The denial letter she received, as quoted in the piece, used language that’s now extremely familiar to consumer attorneys who handle P2P fraud:
“Based on our research and the information you provided, we are unable to honor your claim.”
— Citibank denial letter to Dr. Karen Binder-Brynes, via Patch
Twenty-two words. That’s the whole answer most fraud victims get. No breakdown of what the bank actually found. No explanation of which part of the claim failed. Just a sentence written by a compliance template.
Her reaction, quoted by the same outlet, is the kind of thing you hear on every call with someone who’s just learned what “authorized” means in the small print of their deposit agreement.
“I was devastated. I felt violated, I felt angry at Citibank.”
— Dr. Karen Binder-Brynes, via Patch
And she’s not alone. Over on r/Scams, the running threads about impersonation calls and Zelle transfers are full of the same arc. Someone calls claiming to be bank security. The caller already has pieces of your personal information, often harvested from an earlier data breach. They walk the victim through what feels like a fraud-prevention process. The victim approves a Zelle transfer, or is talked through “reversing a pending charge” that turns out to be a fresh outbound payment. The bank’s automated systems see a login from the customer’s own device and a transfer approved through the customer’s own app, and they code it “authorized.”
One poster on the thread put it in the bluntest terms I’ve seen a Redditor use:
“The bank won’t help you because technically you clicked the button. It doesn’t matter that the person on the phone was impersonating the bank. As far as they’re concerned, you authorized it.”
— commenter, r/Scams
That’s the sentence that made me stop scrolling. Because technically, they’re right. And that’s the part of the law that almost nobody understands until it’s happened to them.
What Banks Mean When They Say “Authorized”
Here’s the part most people don’t realize until a bank denial letter shows up in the mail. The federal rule that protects consumers from bank account fraud, Regulation E (12 CFR Part 1005), only covers transfers that are “unauthorized.” The regulation defines that term narrowly. An unauthorized electronic fund transfer is one initiated by someone other than the consumer, without actual authority, and from which the consumer receives no benefit.
Read that one more time, because the whole legal fight sits in that sentence. If the scammer logs into your bank account using stolen credentials and sends a Zelle payment himself, that’s unauthorized. The bank generally has to make you whole under Reg E, usually within 10 business days of a proper written dispute. But if the scammer convinces you to log in yourself and approve the transfer, the banks’ position, which federal courts have mostly accepted so far, is that you authorized the payment. Reg E’s consumer protection doesn’t apply. The bank doesn’t have to refund anything.
That distinction is the whole loophole. It’s why so many Zelle and Venmo scam victims get identical-looking denial letters. The fraud was real. The loss was real. The transfer itself, on paper, wasn’t unauthorized in the technical Reg E sense, because the customer’s own fingers touched the screen.
The Consumer Financial Protection Bureau spent years arguing that banks should have to refund impersonation-scam losses anyway, treating them as functionally equivalent to unauthorized transfers when the consumer was induced by someone posing as the bank. In late 2024, the CFPB filed suit against JPMorgan Chase, Bank of America, Wells Fargo, and Early Warning Services, Zelle’s parent company, alleging the network had allowed more than $870 million in consumer fraud losses to accumulate without adequate fraud controls or reimbursement practices.
Then the administration changed, and the suit didn’t survive the transition. NPR reported in March 2025 that the CFPB, under new leadership, dismissed the Zelle case with prejudice, meaning it can’t be refiled by the federal agency. The banks named in the suit denied wrongdoing throughout. The federal consumer protection arm of the argument essentially went away overnight.
That’s where state attorneys general picked up the baton. In August 2025, New York Attorney General Letitia James sued Early Warning Services, the bank consortium that owns and operates Zelle, alleging the platform’s design had enabled more than a billion dollars in consumer fraud and that its operators had failed to implement basic protections other payment networks consider standard. The suit is still pending as of this writing. Early Warning Services has publicly disputed the characterizations. The case is being watched closely because New York’s Martin Act gives the state AG unusually broad authority over financial fraud, and a favorable ruling could effectively set a national standard even without federal action.
None of that helps Dr. Binder-Brynes directly. Her transfers cleared in late 2022. She’s been fighting about it ever since. The policy fight is useful for future victims. It doesn’t undo a denial letter that was already mailed.
The Numbers Behind the Loophole
Peer-to-peer payment app fraud isn’t a rounding error anymore. The Federal Trade Commission logged about $373.6 million in reported P2P scam losses in the first nine months of 2025, up roughly 35% year over year, according to the agency’s Consumer Sentinel data. And that’s just what gets reported. Industry estimates of actual losses are consistently higher, because a lot of people, like the psychologist in the Patch story, try the bank dispute path first and never file anywhere else when it fails.
The FTC’s aggregated reporting and the New York AG’s complaint both note the same pattern in the victim demographics: higher-dollar losses skew older and more professionally successful. Scammers aren’t targeting random strangers with generic phishing anymore. They’re buying breach data, matching names to account numbers, and cold-calling people whose money profile justifies the labor. A retired physician, a practicing psychologist, a small-business owner with a payroll account. The script is written around the kind of person who has enough money in checking to make a single conversation worth the scammer’s time.
Here’s a composite of a recurring story from r/Scams that tracks the Binder-Brynes arc almost exactly. One poster described getting a call from what sounded like a bank fraud department the day after their credit card had been compromised in a data breach. The caller already knew the card number. Knew the recent transactions. Walked them through a “verification” process. Twenty minutes later, they’d approved a Zelle transfer for $8,400 to what the caller said was a “secure holding account” in their own name. It wasn’t. It was the scammer’s account. The bank’s position, according to the poster, was identical to Citibank’s in the Patch piece. The transfer was marked authorized. The claim was denied.
What changes from case to case is the dollar amount and the emotional detail. The legal architecture is the same every time.
What You Can Actually Do If This Already Happened
Most people reading this don’t need the prevention lecture. They’ve already had the call. They’ve already approved the transfer. They’re sitting in front of a denial letter wondering what the next move is. The honest answer is that the path forward is slower than it should be and less guaranteed than it should be, but it’s not nothing.
Within 60 days of the statement showing the transfer, file a written Regulation E dispute with your bank. Do this even if a phone rep told you the claim was denied. A written notice restarts the procedural clock and creates a paper record the bank has to respond to. Send it certified mail, return receipt requested, or through the bank’s secure message system with a screenshot saved. Include the date and amount of each disputed transfer, the name of the recipient on the transaction, and a clear statement that you did not authorize the payments to that recipient and that the transfers were obtained through fraud and impersonation. The CFPB’s Reg E dispute procedures page walks through the technical requirements.
Banks will often deny these anyway, citing the “authorized” distinction described above. The denial isn’t the end of the process. It’s the end of step one.
File a complaint with the Consumer Financial Protection Bureau. The CFPB complaint portal routes your complaint directly to the bank’s executive complaint team, which operates separately from the regular fraud department. Banks are required to respond within 15 days. CFPB complaints get real results in a non-trivial number of cases, not because the agency forces a refund, but because the bank’s executive office reviews the file fresh and sometimes reverses the original denial to avoid the regulatory paper trail. Keep the CFPB case number. Reference it in any later correspondence.
File a report with the FTC at reportfraud.ftc.gov. This doesn’t get your money back by itself, but the FTC aggregates reports to identify patterns and the report becomes part of your documentation. If you end up in small claims court or state administrative proceedings later, an FTC report filed close to the fraud date is credibility evidence. It’s also free and takes about ten minutes.
File a local police report. Most banks require a police report number as part of any escalated fraud investigation, even though the local department will almost never be able to identify or prosecute the scammer. The police report is an administrative requirement more than a criminal prosecution move. Get the report number. Send it to the bank in writing along with the Reg E dispute.
File a complaint with your state attorney general’s consumer protection division. State AGs, especially in New York, California, Massachusetts, and Washington, have been significantly more aggressive on P2P fraud than federal regulators through 2025. New York’s consumer frauds bureau is actively taking Zelle-related complaints as part of the broader case the office is building against Early Warning Services. A complaint filed in your home state may not resolve your individual case, but it adds to the volume of evidence that drives settlements and policy changes for future victims.
Check your bank’s updated impersonation-scam policy. In mid-2025, several major banks, including Bank of America, JPMorgan Chase, and Wells Fargo, voluntarily expanded their reimbursement policies for impersonation scams, partly in response to the CFPB and state AG pressure. The policies are inconsistent, case-by-case, and usually not advertised prominently. Call the bank’s fraud line and specifically ask whether your case qualifies under any updated impersonation-scam reimbursement policy adopted after January 2025. If the first rep says no, ask to escalate. These policies exist but often aren’t surfaced in the first-line denial.
Consider a consumer attorney if the loss is meaningful. Several plaintiffs’ firms now run contingency-fee practices on Reg E denials and Zelle-related disputes. A good consumer finance attorney can sometimes reverse a denial simply by sending a demand letter on firm letterhead, because the bank’s cost of defending even a small case exceeds the refund. For losses under roughly $10,000, small claims court in your home state is often the practical path; the bank rarely sends counsel for small claims matters and the judge will evaluate the evidence fresh.
If the scam involved a fake “debt” you supposedly owed, treat that like any other collector contact and send a debt validation letter. Force the caller, or the company they claimed to represent, to put the claim on paper.
And this is the uncomfortable part. Even with all of the steps above done correctly, the recovery rate for Zelle and Venmo impersonation-scam victims runs well under half. The best outcomes usually come from victims who filed written disputes immediately, escalated to the CFPB within days, and engaged an attorney before the 60-day Reg E window closed. Victims who waited weeks, or who only communicated with the bank by phone without written records, have a much harder time.
The pattern of trust-then-drain shows up beyond payment apps. Our contractor scam guide covers the same playbook in a different setting — a plausible-sounding authority figure, social-engineered access, and an institution that treats the victim as the one at fault.
How the Scammer Actually Got In
The mechanics of an impersonation scam matter for the legal analysis because the specifics often determine which arguments actually work in a dispute. In most of these cases, including the one in the Patch story, the scammer had real personal information about the victim before the call ever started. Partial Social Security number. Checking account number. Recent transactions. The details aren’t guessed. They’re bought.
Most of that data comes from earlier breaches. The Equifax breach in 2017, the T-Mobile breach in 2021, the AT&T breach in 2024, and countless smaller incidents have put almost every American adult’s personal identifiers on the open market for years. You can buy a clean data package on a particular person, including name, address, date of birth, last-four SSN, and historical account numbers, for under $100 on certain gray-market forums. That’s the raw material of the call. Once the scammer has enough real information to sound like your bank, the rest is social engineering.
Combine that with caller ID spoofing, which the Federal Communications Commission has been trying to shut down through the STIR/SHAKEN framework for years with incomplete success, and the scammer can make the incoming call appear to come from the bank’s real fraud hotline number. Your phone literally displays “Citibank Fraud” or “Bank of America Security” because the scammer spoofed that caller ID. If you call the same number back, you’ll reach the actual bank, which makes the illusion even more convincing during the call itself.
That’s why “never give out information over the phone” isn’t quite the right instruction anymore. The scammer already has the information. The instruction that actually works is: never approve a transfer or move money during a call you didn’t initiate. If your bank’s fraud department genuinely needs you to approve something, they can wait while you hang up and call back on the number printed on your card.
Frequently Asked Questions
Can I get my Zelle money back after a scam?
Sometimes, but not as often as consumers expect. If someone gained access to your account and sent a Zelle payment without your involvement, Regulation E generally requires the bank to refund the loss after a proper written dispute, usually within 10 business days. If you were tricked into approving the transfer yourself (impersonation scam), banks historically denied these claims because the transfer was technically “authorized” under 12 CFR Part 1005. Several major banks, including Bank of America, JPMorgan Chase, and Wells Fargo, voluntarily expanded impersonation-scam reimbursement policies in 2025, so it’s worth asking the bank specifically about their post-January 2025 policy.
What is Regulation E and how does it apply to Zelle and Venmo?
Regulation E, codified at 12 CFR Part 1005, implements the federal Electronic Fund Transfer Act and requires banks to investigate and refund “unauthorized” electronic transfers from consumer accounts. An unauthorized transfer is one initiated without the consumer’s permission and from which the consumer receives no benefit. The protection generally does not apply when the consumer was induced into approving the transfer themselves, because the bank’s legal position is that the transfer was authorized in the technical sense. Written disputes must be filed within 60 days of the statement showing the transfer to preserve the full protections of the regulation.
Does my bank have to refund me if I got scammed on Zelle?
Not necessarily. If the transfer was unauthorized (someone else accessed your account and sent money without your participation), the bank generally must refund under Regulation E. If the transfer was a scam-induced payment you approved yourself, the bank is generally not required to refund under federal law. Some banks have voluntarily adopted broader refund policies for impersonation scams as of 2025, but these are case-by-case and not guaranteed. Filing a written dispute, a CFPB complaint, and a state AG complaint in parallel is the best-practice approach.
What happened to the CFPB lawsuit against Zelle?
The Consumer Financial Protection Bureau filed suit in late 2024 against Early Warning Services (Zelle’s parent) along with JPMorgan Chase, Bank of America, and Wells Fargo, alleging the network had allowed more than $870 million in consumer fraud losses without adequate controls. NPR reported in March 2025 that the CFPB dismissed the case with prejudice after a change in agency leadership, meaning the federal agency cannot refile it. The banks denied wrongdoing throughout. New York Attorney General Letitia James filed a separate state-level suit against Early Warning Services in August 2025, which remains pending.
How do I file a Reg E dispute with my bank?
Write a dated, signed letter to your bank that identifies each disputed transfer by date, amount, and recipient, and clearly states that you did not authorize the transfers and that they were obtained through fraud or impersonation. Send it by certified mail, return receipt requested, or through the bank’s secure message system with a screenshot saved. The bank must acknowledge the dispute and generally must complete its investigation within 10 business days (or provisionally credit the account and complete investigation within 45 days). The dispute must be filed within 60 days of the statement showing the transfer to preserve full Regulation E rights.
Should I call the police if I was scammed on Zelle or Venmo?
Yes, file a local police report even though the department will usually be unable to identify or prosecute the scammer. Most banks require a police report number as part of any escalated fraud investigation, and the report becomes part of your documentation for CFPB complaints, FTC reports, state attorney general filings, and any civil action. Include the report number in every written communication with the bank. The police report serves an administrative and evidentiary purpose more than a criminal prosecution one in these cases.



