All I wanted was a swimming pool. What I got was a $31,000 lesson in Zelle fraud.
Gary — I changed his name so I could be as honest about him and his nipples as possible — spends his days working out of his pool warehouse, in an office covered desk-to-credenza in product manuals and spa brochures and invoices produced in gold-, pink-, and white-triplicate. A man trapped in the amber of another era, the type of guy who answers his phone yellllow and says bye now when he hangs up. But at this moment, Gary was not answering his phone at all. And I was desperate to reach him, because my wife and I had paid him a deposit of $31,500 to build us a pool, and he had apparently disappeared off the face of the earth.
"I'm sorry, Gary is not available right now," said Cheryl when I phoned that morning.
As best I could tell, there were three women who worked at Royal Palace Pools. Cheryl, Cheryl, and Sheryl. (Could be wrong on that.) The Cheryls didn't have offices. They stood point at the front of the store, behind the glass cases where the chlorine tablets and pool thermometers are displayed. There was a rumor that one of the Cheryls — Sheryl — was Gary's wife, but I couldn't imagine Gary making love, or having breakfast each morning with someone in his home. I believed the likelier scenario was that each night when the Cheryls went home, Gary climbed into an empty Jacuzzi shell with a bag of Funyuns and a worry-worn pad of invoices that served as his transitional object, pulled the thermal cover over himself, and waited in the dark with his eyes open until he could go back to the office. Regardless, if you wanted to get in touch with him, there was going to be at least one Cheryl between you and Gary.
"Do you know where he is?" I said. "This is urgent."
"Um. And who is this?" said Cheryl.
I gave her my name and her tone changed a bit.
"I see," she said tightly. "Well, I'll tell him that you called. Again."
"Please do," I said, trying to sound both grateful and angry. Then I hung up.
(Side note: Jeff grew up to be a heavy Facebook poster who writes screeds about how if people are so sure a man has a right to marry a man, then shouldn't a man have the right to marry a dog? He lives in Tennessee now with his wife, Krystal, whom he proposed to by having a trained dolphin swim up to her strapped with an engagement ring. Some people stay true to themselves.)
Originally, the pool work was supposed to commence in April 2020. But obviously that didn't happen, because that was when everyone was sealed in their homes rinsing groceries in a solution of three parts water to one part Clorox. But now it was 2021. The construction trade was beginning to lurch back to life. There were delays, of course. We were in the throes of the great pandemic renovation boom, and there weren't enough workers or materials. Container ships were lined up for miles at the ports, and the cost of lumber had become something normal people talked about. The New York Times was publishing hate-reads about people from cities moving to places like the Berkshires and building swimming pools and bringing their obnoxious, demanding, me-first city culture with them.
And so that March, we began calling Gary to say me first. Can you ensure we'll be first in line once the ground thaws? He'd try, he said. We took that as a promise.
We called him in April. We called him in May. The further into summer we got, the less responsive he became. If you've hired a contractor, this will sound familiar. Why answer the phone just to get yelled at by some people from a New York Times hate-read? June crept along, and Gary went completely dark. We were anxious. We felt wronged. We let our feelings be known: Gary, and here I'm paraphrasing our email, we Karen-ed our way into being first in line to build a pool in the spring and now here it is in the middle of summer and we literally cannot get ahold of you.
Finally, on July 5, we received a response. Gary emailed us that he was ready to begin. He said he could start within the week and reminded us that, according to the contract, we owed him $30K-plus before construction commenced. We checked the contract and saw that he was right. He sent another email with instructions for payment. Because a lot of bank branches were still closed, and the crew wanted their money, he requested that we transfer the money via Zelle. But because there are daily Zelle limits, he said, we should just transfer a little bit every day.
We Zelle-ed $3,500 on the 6th, $3,500 on the 7th, $5,000 on the 8th and again on the 9th. Now that he was getting his money, Gary was more responsive. Do you have all the materials you were waiting for, we asked in an email. Yep, mostly. Can you start next week? Yes. The emails were strange. We sometimes had to read them aloud: What if you put a period here, would it make sense then? What if there were a verb? But Gary's emails had always been weird. After all, you don't go into the Cheryls business because you care about the syntax in your electronic correspondence. This man ran his company from an AOL account, which I didn't even know you could still have.
After we Zelled more money, we got worried. What if Gary said he never got his deposit? We asked him to send us a signed receipt for the $23,000-ish we'd sent. Certainly, he said, I'm on a job, give me a few minutes. A few minutes later we got a signed receipt from Royal Palace Pools and Spas, printed on letterhead and photographed. All we had to do was send another $3,500 on the 12th and another $5,000 the 13th, his start date. If things went our way, the construction would be finished in a few weeks.
And then July 13 arrived. Early that morning we received an email from Gary that he was down the road with his crew and would be there imminently. But hours passed, and he didn't show. That's when we reached Cheryl and she said, "Oh, it's you," and told me she'd get him a message. We started calling every 15 minutes. This guy had taken our money and who knows when — or if — he was ever going to start building us a hate-read-worthy swimming pool.Then, early that afternoon, we got Gary on the phone. Yellllow he said. We asked him where he was. He was confused by that. He was at the office, he said. But you told us you were on your way here, we said. You emailed us and said you were already on the road.
Gary was silent for a moment.
"I haven't emailed you in a month," he said.
Then my wife said holy fuck.
Like so many things I use to conduct the most critical tasks in my everyday life with a carefree obliviousness, I didn't really know what Zelle was. I now know it's an entity wholly owned by a company called Early Warning Services LLC, which is itself owned by a consortium of America's largest banks: Chase, Bank of America, Wells Fargo, PNC, Truist, Capital One, and US Bank. The reason for this byzantine structure is that 1) it's pretty hard for a bunch of enormous banks to own something together without forming a separate company to own that company and 2) it allows the banks to not be liable for losing someone's 30 grand.Perhaps the most significant thing to know about Zelle is the people who own it probably wish they hadn't been forced to invent it. For years, Silicon Valley venture capitalists funded PayPal and other "peer-to-peer" payment apps as a kind of Trojan-horse play to disrupt the extremely lucrative and quasi-oligarchic banking industry. The idea was mostly to lose money on the P2P apps (they're free to use) in order to grow as quickly as possible. It worked: As P2P apps accrued enormous numbers of customers, banks began to view them as an existential threat, and Zelle was born. Just as Disney and NBC and Warner Bros. knew they must chase Netflix on a downward spiral of shrinking revenue into the murky depths of oblivion, the big banks knew they had to launch Zelle to let their customers give one another money directly for pizza and rent (and pools) without paying any fees. Today Zelle is by far America's most used P2P payment platform, with twice as many transactions as Venmo.
Of course, another thing P2P apps are useful for is perpetrating fraud. The money transfers almost instantly, between people who may know each other only as a cellphone number or an email address. So Zelle, by default, became one of America's most popular platforms for tricking people out of their cash. Zelle isn't very forthcoming about how often that happens. The company told me that "more than 99.9%" of transactions on the network are executed safely. On one hand, that means that the chances you're getting scammed are very low. On the other hand, Zelle reported that it processed 2.3 billion payments last year, and less than 0.1% of that puts us at somewhere less than 2.3 million transactions that maybe were not executed quite so safely. Besides that 99.9% figure, Zelle says it doesn't share fraud numbers "in an effort not to tip off fraudsters," though I'm not sure how telling me how many people are getting scammed would "tip off" anyone.
When I asked Chase to discuss Zelle fraud, I received an email saying, "Unfortunately, we don't have anyone available for an interview." Presumably because the 240,000 people who work for JPMorgan Chase were all in the same meeting that day.
Sen. Elizabeth Warren, the financial industry regulator banks most love to hate, has been petitioning Zelle to find out exactly how much fraud there is. And the data she's collected suggests there's probably, technically speaking, a whole fucking lot. According to Warren's office, US Bank — a single institution in the consortium — reported 45,000 incidents of Zelle scams last year. That's triple the number from 2021. It's certainly possible, if the criminals keep at it, work hard, and show some grit, they can triple the amount of fraud again by next year.
The point here isn't that Zelle is worse than all the other places that invented this fun, frictionless way to accidentally transfer your net worth and brittle sense of sense of control in the universe to someone Gary Kruglitz supposedly told you to pay. It's just that Zelle is bigger. And that nobody — not the banks, not the police, not the Feds, not the Association of Pool and Spa Professionals — feels it's their job to go after the criminals when it happens. The bazillion-dollar fraud industry that preys on the likes of me and my wife basically operates with impunity.
We were in the kitchen when we hung up with Gary. My wife and I exchanged a look, and in that look was contained a universe of knowledge: The scales fell and the gauze unwound and everything we for some reason couldn't see in the previous two weeks fell into a terrible, humiliating focus. The way we had been goaded every day for two weeks to send the max Zelle amount. The way the email messages from Gary were subliterate in a completely different way from the way a classic Gary email is subliterate. The receipt we'd made him email, which, when we opened it now in our kitchen, we realized didn't really look like the other receipts we'd gotten from Royal Palace Pools and Spas. The letterhead had typos on it.And the email addresses. Jesus, the email addresses.
Now is when I need to make some confessions. When Gary Kruglitz told us to Zelle him, he didn't really tell us to Zelle him. He told us to Zelle two people we had never met before. What I'm confessing is that we sent $30,500 of our hard-earned money to sunshineyasmin48@gmail.com and personalbreezy@gmail.com. Yes, someone emailed us and said, "Hey, will you Zelle 30 grand to a perfect stranger who goes by the name Personal Breezy and has no identification except for a Gmail account?" And our response was: Done!
Sitting there in the kitchen, we instantly understood our role in this drama: In a world of marks and cons, we were … complete fucking idiots. We were the people who write $10,000 checks to Sri Lankan princes who'd been wrongly imprisoned in Amsterdam but were lucky enough to get your phone number from a friend of your son. We were our own clueless elderly parents whom we make fun of because they are such naive morons, and they were us.
So yes, we fell victim to some highly suspect shit. But let me ask you this: If your contractor seems like they're doing something a bit dodgy, would that really surprise you? Don't you kind of assume your contractor has angles? Don't you suspect that every contractor is subtly fleecing you, while also subtly fleecing the people who work for him or her, in a velvet-gloved mafioso kind of way that everyone has tacitly approved? Isn't our national OK-ness with Donald Trump a subconscious admission that we assume everyone in the building trades is on the grift? And isn't what a lot of us actually look for in a contractor someone who's a little suspect? Who can maybe find a way to not have to get the permits? Who's maybe going to pay some folks under the table? Would you bat an eye if your contractor asked you to make your check out to his wife instead of him (which has happened to me)? Or if he told you to just Zelle the money to Personal Breezy?
Maybe you would. But we didn't. Because the emails were coming from Gary's actual email account. But there in the kitchen, we understood that there's no guarantee that anything you're doing most of the time in your life is what it seems. There is no assurance that anyone is who they say they are. It became clear just how foundational trust is to the economy of my life, which essentially consists of countless transactions with people I have never seen, every transaction requiring a faith that a set of numbers or letters actually corresponds to a person of pure intention. And now the intentions of even the best of us — even the Gary Kruglitzes, with their bifocal glasses and their shirt-nipples and their loyal contingent of Cheryls — had been called into question. And it made, for us, everything suspicious. Every email in my inbox, every transaction on my credit card, all of it seemed a little infected and evil.
And, like lots of victims of crimes of intimacy, we felt like it was somehow our fault. Hadn't we been emailing with these people wantonly, with abandon? Hadn't we kind of asked for it? Our accounts had been in a kind of transactional congress that was consecrated, in some sense, by ourselves.
Or so we thought. Because actually there was a lot of time to waste.
When we called Chase, we were immediately shunted into the black box of voice-operated client sequencing. That is what a bank is now. An app and a dim void filled with a voice-menu system and a three-question survey. Our call was "answered" by a buoyant robot voice that had been engineered to keep us from talking to a person. We did the tricks you do to get to a human. Pressed zero. Said operator. We persevered. Eventually a woman with a Southern accent came online and said thank you for being a client and could she help us with something. Yes, we said, yes you can help us with someone stole $30,000 out of our Chase account and we need you to get it back. There was a pause as she typed something. In the background, I could hear what sounded like a 2-year-old playing close by. When the woman spoke again, she said this wasn't her area and could she give us the number of their fraud team.
We said no no no. If this life teaches you one thing, it's that you cannot let a phone agent hang up on you. You have to be vigilant. Because if you've been alive long enough, you understand that you have been pledged to a never-ending battle with customer service. It's right there in the chapter of their training manual titled: "Be nice, call them by their first name, but give them nothing. Unless they get really mad and demand to speak to a manager." It's the most salient truth of our time: The only way to get more SkyMiles or a free gin and tonic on your next flight — or get your money back from a cybercriminal — is to be an insufferable asshole to someone making $13 an hour while also caring for their 2-year-old at home.The phone agent shunted us onward. In a moment, a fraud specialist answered the phone in an indiscernible accent. He sounded very far away. I explained our situation and he told me he was very sorry. He sounded like he was the kind of sorry you are if you have to say sorry to hundreds of people a day. And why should he be more sorry than that? He was probably 6,000 miles away, where it was 3 in the morning, and he had to finish his shift at the call center in time to head over to the university to finish his econ degree. He told us that he would open up a case. The team was on it, and we would hear from them shortly.
At some level, I realize now, I expected someone at Chase to say holy shit that's crazy, hey everyone, stop what you're doing because we need to raise this one up to DEFCON 5 and send a drone over to Sunshine Yasmine48's house. But that is not what happened. We didn't hear much in the way of news from the fraud-investigation team for a long time. And when they got in touch it was to tell what by then we already knew: That money was long gone. That money was gone the moment we sent it.
So what did happen? How does someone steal $30,000 without anyone even looking for them? It actually requires a pretty complex operation, but one that has been industrialized so that anyone with a little moxie and a Tor dark-web browser can do it.
It most likely happened like this:
First, Gary was targeted. Not personally, according to an official at the Justice Department who spoke with me on the condition that I not use his name. Whoever did this, the Justice Department guy told me, probably went after the emails of a ton of people who had a Gary-ian profile. Pool guys in the Northeast. Contractors in Massachusetts. Relatively tech-unsophisticated folks who conduct transactions for large sums of money. People who routinely get Zelled $30,000 from relative strangers.Maybe they got Gary to give up his email password via the time-honored scam of phishing. "The guy probably clicked on a link he shouldn't have clicked on," said Evan Kohlmann, a cyber-intelligence expert whose company, Cloudburst Technologies, tries to predict crypto fraud before it happens by monitoring chatter on the dark web. "They send you a text message or an email message. You owe tax money, here's the receipt for the thing you bought at Best Buy. The emails look real, so you open it."
Or maybe the scammers got Gary's password the old-fashioned way: They bought it. Hacked credentials are relatively cheap to buy on the dark web. They're part of a vibrant shadow economy built to service a booming subculture of would-be fraudsters. It is precisely what tech has always delivered: the ability for the most average of us to do complicated, seemingly inexplicable stuff with the click of a mouse.
It takes a really long time to learn how to hack millions of passwords and only a small group of people can do it, for instance, but if you sell it as a service to the relatively much larger group of people who want to commit cyberfraud but lack the requisite coding skills — well, in capitalism, that's called scale. A former assistant US attorney who specialized in cybercrime told me, for instance, that there's a suite of software called Metasploit that's popular with cybercriminals. The software is designed to test a system's security, but lots of its tools — including its password-cracking feature — come in handy for hacking as well.
Once whoever it is was in Gary's email, they could look through correspondence between, say, Gary and my wife, familiarize themselves with our contract, and see exactly how much we owed. They now had everything they needed to ask for money.
But if you don't want to get caught perpetrating fraud, it's best not to have victims send you anything directly. So the next step is to hire people to receive the money — your Personal Breezys or your Sunshine Yasmines — folks who are more often than not dupes themselves. Sometimes they're part of a "work from home" scam, people who think they're moving money to and from bank accounts as part of a legitimate business. Or maybe all they know is they get 10% of the money if they forward it to another Zelle account, and they don't ask any questions.
Or often they're part of what's called a romance scam. "That's when someone believes they are sending their money to a loved one," the Justice Department official told me. "These people in the middle are often incredibly sympathetic and incredibly non-culpable. Someone who really believes: 'My fiancé is overseas and they were in an oil explosion and if I can send him the money, they can get help. Even though we've never met, even though I've only met them on Instagram or Facebook.' An FBI agent can sit down and show them evidence of fraud, that they are a victim, and they will still continue to talk with the fiancé."
But Personal Breezy, whatever his or her motivation, was only the briefest step on the journey. Breezy most likely immediately passed our money on to another account. It may have gone through Paxful, a P2P app out of Estonia that converts money into crypto. Or whoever got the money next used it to buy Target gift cards, which were resold on the dark web, at a discount, for crypto. One way or another, our money was almost certainly converted into crypto, and then, at some point, back into fiat currency, to be spent as the fraudster liked.
"Once it's in crypto, it's fucking gone," Kohlmann, the cyber-intelligence expert, told me. "You won't get it back."
People have always used anonymous payment methods to conduct illicit business. Historically this payment method was called: lots and lots of cash. But over time, the flow of cash through financial institutions became more regulated. "It's the SWIFT system," Kohlmann explained. "Tracked by banks. Illicit money flows could be tracked, even in cash. Then comes crypto. Anonymous. Guess who looked at this and said, 'Hey, this is for us!' Criminals. North Korea, the Mafia. All these folks jumped into crypto. So now comes the problem. That cannot persist. It's an imbalance in the system. You can't have a form of money where you're totally anonymous to the IRS."
And yet, we do.
We called the FBI. We called the Massachusetts State Police. We called the Massachusetts attorney general. We called the police department in Monterey, Massachusetts, where we live, population 1,095. We found out it's harder to get someone to answer the phone at the FBI than it is to get someone to answer the phone at Amazon. Especially if you want to find out who to talk to if you were tricked out of money on Zelle. Eventually we learned that we needed to fill out a form online if we wanted to alert the federal authorities of the crime that had been perpetrated against us. So we filled out the form and clicked "submit." It has been two years since we submitted that form, and we have never heard from the FBI.The first person I talked to at the attorney general's office told me the best bet would be to have the state police begin an investigation. After a series of calls I was able to speak with a Massachusetts state police detective who told me his unit once took down a ring of people who had perpetrated internet fraud. Great, I said. Let's get into it. He said that's not how it works. First, as far as he knew, that was the only time it happened. And second, I needed to start with my local police department. They, in turn, could call on the state police to aid in the investigation if they needed it.
We got in touch with the Chief a couple of days later, and he told us he was planning to call Gary. He did try to get the state police involved. But as far as I know, that never happened. We did not call the Monterey Police Department back. It seemed unkind.
We tried calling Zelle, which proved to be harder than calling the FBI. "The banks say go to Zelle," a staff member from Elizabeth Warren's office told me. "And Zelle says go to the banks. But what the banks don't tell you is that the banks own Zelle."
The truth is that this was essentially no one's problem. It was not the FBI's problem or the state police's problem or the problem of the local police or Chase or Zelle or Gary Kruglitz, who just went right on yellow-ing through the rest of the summer pool season, because what the fuck else was he supposed to do? This was a crime that no one would investigate. One federal prosecutor told us they lacked the resources to chase down the vast majority of fraud cases. Unless you've had millions of dollars stolen, it's essentially like living in a lawless world.
"It's a very low-risk crime," Kohlmann says. "It's very popular on the dark web, and the only people who get caught are very greedy. Law enforcement doesn't give a shit. For the Justice Department it has to be millions for them to care. I'm pretty sure Zelle cares. Loss is an issue. It hurts their brand name. They have to engage in some process. But how many employees do you think Zelle has? And how many working on this? I would guess Zelle has fewer than 20 people working on fraud. How are they going to manage this problem with 20 people? Plus Zelle will say: How is it our responsibility to track down criminals?"
For the moment, Zelle is right: They have no responsibility for what happens to your money on their platform. That's because, Zelle argues, they're a platform, just like Meta and X and all the other Silicon Valley behemoths who operate by the argument that none of the bad and scary shit that takes place on the frictionless networks they built and maintain and profit from is their problem. Their job is to be iconoclastic technological innovators who facilitate bringing new worlds together, and governments and institutions and everything in the old guard are just trying to slow them down.
That we could require Zelle to protect users from fraud is, of course, not exactly an idea without precedent. "The context I use for Zelle is my credit card," the staffer from Senator Warren's office told me. "If someone steals my credit card, I'm protected. If someone fools me to pay with my credit card, the same thing holds. But it's important to remember that when credit cards were introduced, they didn't have those protections. The Fair Credit Billing Act built in those protections."
Senator Warren would very much like to have something like the Fair Credit Billing Act for peer-to-peer payments. But because there doesn't seem to be any political will for banking regulation at the moment, and Zelle certainly isn't going to just volunteer, it doesn't seem likely to happen anytime soon.
A few weeks later, after I'd told them I was a reporter writing about Zelle, Chase emailed to let me know they'd found Personal Breezy. In an agreement between the banks, they shut down Breezy's account. There was some money in it, which we would have rights to. In the end, I believe $278 was transferred back into our account, and the case was closed.This was not a tragedy. Out of all the kinds of money, money to build a pool is probably the very best kind of money for the world to suffer the loss of. I put the likelihood at 100% that the people who stole our money needed it more than we did. But the fact remains that it was the theft of $30,000. The fact remains that there is a huge river of money flowing out of people's accounts and into the hands of … well, we have no idea. Armies of phishermen and lovelorn mules and crypto exchangers and people who buy Metasploit and passwords on the dark web. It's possible that the government will eventually be moved to safeguard consumers against Zelle fraud. But the greater issue is one that will plague us for a long time: the dilemma of knowing who is real and who is not, and assigning responsibility for the consequences. The arms race between those trying to prove realness — whether through passwords or two-factor authentication or biometric scans — and those trying to evade realness is moving at breakneck speed. Someone at Clear, the identity-protection company that helps people skip the lines at airports, told me they've built technology they call "liveness detection." To prove you're you, you not only have to possess all the information and devices that prove who you are, but also that you are actually alive, in the instant in the place where a transaction is happening, by doing stuff like moving in a humanlike way.
This is what security has come to — proving an instant of existence. And while knowing if Gary is Gary or I am me or Breezy is the Breeziest Breezy on the internet is getting harder and harder, the pull to decouple ourselves from any real-world identity — the anonymity of crypto, the maybe-someday-plausibly lifelike simulation of the metaverse, the evolving deepfake of AI — gets even more powerful. Knowing who anyone really is seems like it's going to become a philosophical question, not to mention a practical one. Anything can be true. Nothing is real. The simulation is reaching its singularity.
We did get the pool. We saved for another two years and hired Gary, who never apologized, and never seemed even slightly perturbed that someone had stolen our money by pretending to be him. We asked him if he had changed his password, and he looked at us like we were speaking in Romanian. He blinked and said everything was fine. We paid him by check.
Devin Friedman is a writer who lives in Los Angeles.