P2P payment apps, users urged to curb COVID-19 advance fee fraud

Fraudsters posing as celebrities, philanthropists and do-gooders offering financial aid to everyday people struggling due to the COVID-19 epidemic are running scams on users of peer-to-peer payment applications such as Cash App and Venmo, but financial service providers and consumers can reduce the risk of becoming victims by implementing a few security measures.

Satnam Narang, staff research engineer, security response at Tenable, warned in a company blog post on Wednesday that scammers are asking targets to send an advance fee via P2P apps so that they, in turn, can process a much larger payment in return.

According to Narang, the scammers sometimes create social media accounts to respond to tweets from Cash App that promote cash giveaways or ask followers to post their $cashtags, which are unique identifiers for Cash App users. (Cash App is a product of Square, Inc.) In their own posts, the scammers claim that they will use one of several P2P payment services to send money to users who are willing to retweet them, which of course only further expands the fraudsters' reach.

In other cases, the scammers create fake social media and fake P2P accounts that impersonate famous personalities who have offered to charitably give away money, including PulteGroup founder and chairman Bill Pulte, beauty influencer Jeffree Star (as previously noted here), and YouTube personality David Dobrik.

Addressing how app operators can help fight scammers' behavior, Tenable suggests that P2P payment solution providers post warnings to users whenever they receive a request for money related to giveaways, contests or offers to "flip" small amounts of money into larger returns.

"If users see this information up front when they receive requests for money within their preferred P2P payment app, they'll know right away that they shouldn't accept the request," says Narang in the blog post. "This could help thwart many of the incoming requests for money from scammers targeting those participating in giveaways."

"The same concept could be applied as part of sending money to users as well. Providing the end user with a warning message to the effect that 'anyone claiming they can increase your money for a small donation or upfront payment is a fraud' could potentially save some users from parting with their money," Narang continues.

Additionally, Tenable recommends that P2P service providers introduce account verification mechanisms, similar to what exists on Twitter.

For starters, Narang said Cash App itself "can and should verify their own account so users can visually see the difference between a transfer of money from Cash App versus a request from an impersonation of Cash App." These apps should then also be able to verify the accounts of notable users. "Cash App is already requesting information such as the last four digits of a social security number. They could also put a mechanism in place to verify these celebrities and other notable figures who are giving money away using their platform," he writes.

Finally, Narang told SC Media in a separate interview that P2P services should discourage users from publicly posting or sharing their $cashtags and app IDs, or at least not encourage them to do so.

"It's a double-edged sword. On the one hand, you have companies, celebrities and other notable figures offering to give money away to their followers, and, in order to facilitate this, they ask them to provide their payment IDs. [But] putting those in a public forum like Twitter or Instagram makes it easier for scammers to target these individuals," Narang told SC Media. "I personally think it would be better to just ask users to signal boost tweets and posts and DM them individually if they’ve won and collect their payment IDs that way. However, scammers will still be scammers and impersonate these organizations and individuals, DMing them and asking for their payment IDs. In the grand scheme of things, the less publicized these payment details are, the safer it will be for users of these services."

SC Media reached out to Square, Inc. and PayPal (which also owns and operates Venmo) for comment on the report, and asked if they would consider any of Tenable's suggested recommendations. PayPal later responded with the following statement: "PayPal and Venmo recommend users avoid payments to people they don’t know and remain mindful when being asked to participate in a transaction. We've always made preventing bad actors from using our platform a top company priority, but as we've seen with other localized crisis situations, the coronavirus pandemic has resulted in opportunistic cybercriminals attempting to exploit well-meaning people. PayPal and Venmo are combining cutting-edge technology with enhanced manual investigatory work to detect and stop these bad actors, as well as partnering and collaborating with law enforcement to prevent customer and platform exploitation."

Angie White, senior manager with TransUnion Global Fraud & Identity Solutions, believes it's important that P2P services "take a more holistic approach that protects consumers and fosters trust in their services if they want to ensure long term success," rather than risk losing consumer trust.

"At account setup, simply adding identity verification and device intelligence will help prevent fraudulent accounts from being created and stop serial abusers from returning," said White, who confirmed that TransUnion is "seeing an increase in digital fraud scams related to COVID-19."

Indeed, in a recently published global Financial Hardship Report, TransUnion reported that 29 percent of survey respondents said they had been targeted by digital fraud related to COVID-19. "P2P payment services, unfortunately, make these types of scams much easier to perpetrate," explained White. "The setup is very easy, there are few identity verification requirements to weed out fake or fraudulent accounts, and they lack consumer protections."

Meanwhile, consumers must also do their part to avoid falling victim to such scams – and it starts with understanding that no legitimate money giveaway promotion will ask them to send money in advance.

"Unfortunately, situations of crisis like this [COVID-19] create just the type of fear and urgency that scammers need to trick people into doing things they normally wouldn't – whether that's sending money, clicking a link or providing sensitive details over the phone," said Stephanie Carruthers, aka "Snow," chief people hacker at IBM X-Force Red, which has seen more than a 6,000 percent increase in COVID-related email spam.

"Advanced fee scams are extremely popular and have been demonstrated throughout history... Many people right now are desperate and focused on the end result, so a small fee upfront may not seem like a big deal to them," Carruthers continued. "...[G]eneral awareness of these scams is one key for consumers to avoid falling victim. If anyone is asking you to send money to verify your account, this is a huge red flag that it's a scam – never send money to people you don't know. If you're getting information that appears to be from a credible source, do your research, cross check the sender/account names carefully to ensure they are authentic and verified. Never engage directly with unsolicited messages or links shared by unverified accounts – if in doubt, go directly to the institution's website for more information."

White from TransUnion said that consumers should take advantage of P2P services' two-factor authentication and one-time password offerings. She also said consumers should be aware of P2P payment services' specific terms of use (e.g. whether a particular service is intended for official business transactions), and should use the Better Business Bureau to research any business requesting P2P transactions to ensure that it is not a scam.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
