October 11, 2020 | technology | No Comments
Charee Mobley, who teaches middle school in Fort Worth, Texas, had just $166 to get herself and her 17-year-old daughter through the last two weeks of August.
But that money disappeared when Ms. Mobley, 37, ran into an issue with Square’s Cash App, an instant payments app that she was using in the coronavirus pandemic to pay her bills and do her banking.
After seeing an errant online shopping charge on her Cash App, Ms. Mobley called what she thought was a help line for it. But the line had been set up by someone who asked her to download some software, which then took control of the app and drained her account.
“I didn’t have gas money and I couldn’t pay my daughter’s senior dues,” Ms. Mobley said. “We basically just had to stick it out until I got paid the following week.”
In the pandemic, people have flocked to instant payment apps like Cash App, PayPal’s Venmo and Zelle as they have wanted to avoid retail bank branches and online commerce has become more ingrained. To encourage that shift, the payment apps have added services like debit cards and routing numbers so that they work more like traditional banks.
But many people are unaware of how vulnerable they can be to losses when they use these services in place of banks. Payment apps have long had fraud rates that are three to four times higher than traditional payment methods such as credit and debit cards, according to data from the security firms Sift and Chargeback Gurus.
The fraud appears to have surged in recent months as more people use the apps. At Venmo, daily users have grown by 26 percent since last year, while the number of customer reviews mentioning the words fraud or scam has risen nearly four times as fast, according to a New York Times analysis of data from Apptopia, a firm that tracks mobile services.
Driving the surge is the apps’ ease of use. People need just an email address to create a Cash App account and a phone number to make a Venmo account. That simplicity has made it seamless for thieves to set up accounts and to send requests for money to other users, something that was not possible with traditional bank payments.
The apps’ instantaneous transactions — compared to the two or three days needed for a standard bank transfer — have also meant that Venmo and Cash App have less time to detect whether a transaction is fraudulent.
“Fast payments equals fast fraud,” said Frank McKenna, the chief fraud strategist for the security firm PointPredictive. The apps, which are sometimes known as peer-to-peer payments services, “are super convenient for customers but that also makes them ripe targets,” he said.
Square, PayPal and Zelle do not disclose the rate of fraud on their apps. PayPal takes steps to “limit potential fraudulent activity and mitigate any customer impact,” a spokeswoman said, but she did not address whether it had seen more cases of fraud.
Zelle, which was founded by a coalition of banks, appears to have experienced less fraud because it has more robust authentication for new users and more legal protections in case of loss, security experts said.
“Protecting consumers from abusive scams and fraud is a top priority for Zelle,” said Meghan Fintland, a spokeswoman for Early Warning, the company that runs the app.
Of all the payment apps, fraud issues have been particularly acute for Square’s Cash App. As the number of people using the app daily has grown 59 percent over the last year, the number of reviews about it that mention the words fraud or scam has risen 165 percent, according to Apptopia.
The Better Business Bureau also said it had received more than twice as many complaints about Cash App as Venmo over the past year. That is significant given that Venmo has twice as many users as Cash App, according to Apptopia.
Lena Anderson, a spokeswoman for Square, said the company was “aware that there has been a recent rise in scammers trying to take advantage of customers using financial products, including Cash App. We’ve taken a number of proactive steps and made it our top priority.”
Square, which is led by Jack Dorsey, who is also chief executive of Twitter, introduced Cash App in 2013. While the San Francisco company was founded as a payments platform for small businesses, Cash App has become its largest source of revenue. In the second quarter, the app generated $1.2 billion of Square’s $1.9 billion in revenue.
But Cash App has been more vulnerable to fraud partly because of how it handles customers, security experts said. Square has until recently offered only email support for the app, not a phone number for its customers to call. That led some customers to fall for fake help line numbers, like the kind that Ms. Mobley confronted. Venmo, in contrast, has a chat line on its app that customers can use for a quick response.
Ms. Anderson said Square began rolling out a phone line for certain customers on Oct. 6. It plans to make the phone line available to all customers over time.
Cash App also appears to be more prone to fraud because of how Square has built the business, industry analysts said.
In 2017, Square began a marketing campaign called “Cash App Fridays,” which gives money to Twitter users who post their so-called $Cashtag or username. The campaign, security experts said, provided fraudsters with a phone book of potential victims.
It also led to copycat campaigns, where people claim to work for Cash App and say they will give away a large sum of money if users first send in a smaller sum. One Twitter account, @CashappG, has been online since 2019 with the tagline: “Hi welcome to Cash App give away! Send money and we will send you double back!”
“It gives scammers a ripe opportunity,” said Satnam Narang, a researcher at the security firm Tenable who has written about the fraud on Cash App.
Emily Bradford, an unemployed 21-year-old in Washington, said she lost $75 last month after getting a message through Twitter offering her $3,000 through Cash App if she paid an initial “clearance” payment. When she sent the money, the person who messaged her disappeared. She reached out to Cash App’s support email, but hasn’t heard back, she said.
“I figured since they were dealing with money, especially others’ money, they’d have a very good security system and customer service,” she said of Square.
Ms. Anderson, the Square spokeswoman, said the company had recently added warnings about copycats on its messages about Cash App Fridays.
In 2018, Square also introduced the ability for people to transact in Bitcoin on Cash App. That has made it easier to move illicit gains off the app because Bitcoin can be sent to anonymous addresses that are much harder to trace or reverse than traditional financial transactions. Venmo and Zelle don’t offer Bitcoin.
Cash App’s popularity for fraudulent schemes is evident from conversations and listings on dark net forums and markets, where criminals gather to do business. In August, Cash App was mentioned 10,577 times on dark net forums, up 450 percent from a year earlier, according to an analysis by the security firm Sixgill. Listings for Venmo and Zelle rose around 50 percent on the dark net in the same period.
Ashley Tolley, 31, a mother of three in Travelers Rest, S.C., recently experienced the criminal activity on Cash App firsthand.
In August, she said, she received requests on the app from addresses that appeared to be legitimate, but with a letter or two changed. While some of the transactions were rejected by Square, one went ahead without her approval. The thief took $560, which was a month of child support payments from the father of her two youngest children, from her account.
Square told Ms. Tolley that she could ask the fraudster to send the money back to her. But the person had already deleted their Cash App account.
“I’m the sole provider in my household,” she said. “For that to be gone — I broke down, I was in tears.”