Zelle Invoice Redirection Fraud
Criminals intercept or spoof B2B payment communications and substitute fraudulent Zelle account details for the legitimate payee's, diverting invoice payments to an attacker-controlled bank account before the substitution is discovered.
Part of: Invoice Redirection Fraud
Last reviewed: 7 June 2026
Zelle's bank-to-bank instant payment capability is increasingly used by small businesses to pay suppliers and contractors quickly without wire-transfer fees. This growth has made Zelle-denominated payment details an attractive target for invoice-redirection fraud, where attackers substitute fraudulent account information for the legitimate payee's details.
The attack typically involves compromising or spoofing the email of either the supplier or the buyer. The fraudster sends a message explaining that banking details have changed and that the next invoice payment should be directed to a new Zelle-enrolled email address or phone number. Because the message arrives from a trusted email address (or one that appears trusted), the accounts-payable team updates their records and the next payment is made to the wrong account.
Zelle's instant settlement is an advantage the attacker exploits: once funds arrive in the fraudulent account, they can be withdrawn almost immediately. By the time the legitimate supplier chases the non-payment and the fraud is discovered, the funds have moved beyond easy recovery.
How this scam works on the Zelle brand
A legitimate business that accepts Zelle payments communicates its Zelle-enrolled email or phone number through established, verified channels — not through sudden email announcements of a change. Any notification of a change to payment details, regardless of the sender, should be verified through a known, independently confirmed contact method before the records are updated.
The substituted Zelle details look identical to legitimate ones: they are simply an email address or phone number enrolled at a real US bank account. There is no visual difference between a legitimate Zelle recipient detail and a fraudulent one — the difference is only in whose bank account it leads to.
Some campaigns are highly targeted: the attacker researches the supplier-buyer relationship, knows the typical invoice amounts, and times the email to arrive just before a scheduled payment run. The timing and apparent familiarity with the business relationship makes the message more credible.
Common red flags
- An email announcing a change to a supplier's or contractor's Zelle payment details
- The change request arrives via email without out-of-band confirmation
- The new Zelle email or phone number is different from any previously used
- The requesting email domain has a subtle typo or uses a lookalike domain
- A new contact person is introduced simultaneously with the banking change
- The change request arrives just before an invoice payment is due
- The supplier does not acknowledge receipt of payment when funds were sent to the new details
How to protect yourself
- Verify any change to payment details by calling the supplier at a number you have independently confirmed
- Implement a policy that no payment-detail change takes effect without dual authorisation
- Never update payment details based on a single email — even from a trusted domain
- Confirm that the registered Zelle recipient name matches the business name before sending payment
- Brief accounts-payable staff on this attack pattern regularly
- Request signed invoices on company letterhead for payment-detail updates as additional verification
- Check that the domain of the requesting email matches the supplier's usual address character by character
How to report it
- Call your bank's fraud line immediately if a Zelle payment went to the wrong account
- Contact the legitimate supplier to alert them and co-ordinate the recovery effort
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to the FBI's IC3 at ic3.gov — business email compromise is a primary IC3 category
- File a report with local police for documentation and insurance purposes
Frequently asked questions
Can a Zelle payment be reversed if sent to the wrong account?
Zelle payments are instant and generally not reversible once sent. Your bank can contact the receiving bank and request a voluntary return of the funds, but this depends on the receiving bank's co-operation. Report immediately — speed matters.
Is Zelle suitable for B2B payments?
Zelle offers speed and low cost for B2B payments between trusting parties. However, for any new or changed payment details, strict verification procedures should be in place before funds are sent, because the instant and irreversible nature of Zelle offers no protection against misdirected payments.
What email security steps reduce the risk of invoice redirection?
Implementing DMARC, DKIM, and SPF on your company domain makes it harder for attackers to spoof your email address to your clients. Encouraging your suppliers and clients to do the same reduces the attack surface from both directions.