Tenable Blog

Scams Exploit COVID-19 Giveaways Via Venmo, PayPal and Cash App


The economic impact of COVID-19, which is causing record unemployment, creates a golden opportunity for scammers looking to target vulnerable people desperate for cash to help pay their bills.

As Cash App steps up the frequency of its giveaways, and celebrities and other notable figures launch giveaways of their own, scammers are brushing off old tricks in a rush to exploit them.

Over the last few months, we’ve outlined how the novel coronavirus and COVID-19, the disease it causes, has been leveraged by cybercriminals, scammers and opportunists seeking to take advantage of global interest, fears and uncertainty surrounding the virus. In our summary about scammers, we highlighted how they have shifted gears to capitalize on the economic uncertainty posed by COVID-19.

Now, we’re seeing scammers doubling down on the advance fee scam, known colloquially as “flipping,” along with more blatant impersonation of celebrities and notable figures. Scammers have also expanded their preferred platforms to include Venmo and PayPal, alongside the ever-present Cash App.

In October 2019, I shared my research into the underbelly of scams on Cash App, a popular peer-to-peer (P2P) payment service operated by Square, Inc., which reported having 24 million monthly active users earlier this year. In a two-part blog series, I highlighted how scammers are targeting Cash App giveaways on Twitter, as well as giveaways on Instagram and YouTube videos claiming to show users how to earn free money via Cash App. In the months since, these scammers have continued their efforts unabated. What’s changed, however, is the opportunity provided by the economic fallout of COVID-19.

Image Source: CNN

As unemployment “permeates the economy,” with over 30 million individuals filing for unemployment insurance in the United States between mid-March and the end of April, the economic impact of COVID-19 will be felt for some time to come.

With that in mind, organizations like Square as well as celebrities and other notable figures are trying to lessen the pain for some by giving money away using P2P payment applications such as Cash App, Venmo and PayPal through promotions on social media sites like Twitter and Instagram. While these efforts are noble and appreciated, they are putting many vulnerable individuals at risk of being taken advantage of by opportunistic scammers.

Two methods used to perpetrate advance fee scam in giveaways

It’s important to understand the general idea of the most prevalent scams that have persisted throughout Cash App giveaways over the last few years. Underpinning most of these giveaway scams is a confidence trick known as advance fee scam, in which a victim is asked to pay a smaller fee up front before receiving a greater sum of money in return. A victim typically pays the fee but never receives the promised payout. The advance fee scam originated with the Spanish Prisoner confidence trick in the late 18th century. The modernized version was first observed in 1922 and rose to prominence in the 1980s. The only difference today is the vehicle used to perpetrate this type of fraud, which is often referred to as “flipping” cash nowadays.

The built-in audience on social media provides fertile ground for scammers to target the vulnerable. Coupling that with the advent of P2P payment applications has made it that much easier for this type of fraud to take place at scale.

The core of the fraud is still the same: provide money up front, and the scammers claim they will be able to turn it into a larger sum, whether it’s twice or up to 10 times as much. There are two particular methods scammers leverage when perpetrating cash-flipping during these giveaways.

1. Signal boosting: The simplest way to entice users into participating

The most notable cash-flipping method involves scammers offering a particular sum of money — which could be fixed (e.g., $500) or variable (e.g., $200-500) — to users who signal boost their social media posts by retweeting and/or “liking” (favoriting) their content. This approach is extremely popular because it requires no upfront financial investment from the user, instead leveraging their social capital. By convincing users to retweet and like their content, the scammers use unsuspecting victims to spread their scam to a wider audience of people.

In addition to asking users to spread their message, the scammers also ask for their P2P payment identifiers (IDs). P2P payment applications have IDs like usernames (or as Cash App calls them, $cashtags) or short URLs (such as the PayPal.me URL) to make it easier to send and receive money.

The scammers will also ask users to send them direct messages (DMs), where the con takes hold.

Users who engage with these scammers via DMs will be asked to provide a fee up front (hence the term advance fee scam). They will either claim they are capable of “flipping” a transaction through a P2P payment application, turning it into a larger denomination (e.g., they’ll claim they can turn $50 into $500) or they will claim they need the user to provide them a “receiver’s fee” before they can access their money. In reality, these requests are part of the ruse to convince a victim to part ways with their money before the scammers block them on social media.

WARNING: If you come across tweets claiming to be giving away money to users that retweet (RT) and like (favorite) a tweet, don’t fall for it. It’s a scam.

2. Incoming requests from impersonators asking users to “verify” with a small fee

Since most of the giveaways on social media involve users sharing their P2P payment IDs in a public forum, the scammers don’t have to do a lot of legwork to target their victims — it’s there in plain sight. The scammers act like predators waiting for their victims at a proverbial watering hole.

These scammers harvest P2P identifiers and utilize the “request money” feature built into most P2P applications to ask their victims for money. They do so by first creating fake profiles on these P2P applications. These profiles typically impersonate an organization, like Cash App, or a user, oftentimes a celebrity or other notable figure. Because P2P payment applications do not have a way to differentiate between a scammer and a person or organization who is legitimately giving money away, some users are duped into accepting the request and sending money to the scammer. The scammers typically ask for a small fee, which ranges from $1 to $20, though it’s possible the scammers may ask for more. A low “fee” increases the likelihood that the victims will actually follow through with it. This is because, for some victims, the prospect of getting back 10 times the amount of money being requested is worth the risk of being left high and dry.

WARNING: If you receive a request for money on @CashApp, @Venmo or @PayPal asking you to “verify” in order to win a giveaway, don’t accept the request. It’s a scam to steal money from you.

These two methods make up the bulk of the cash-flipping scams I’ve seen over the last few years.
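As an added example (not Tenable’s code, nor any platform’s actual detection logic), the script below turns the indicators from the two methods above into a small triage routine and runs it over a handful of constructed sample posts and incoming money requests. The regular expressions, the thresholds and the KNOWN_GIVERS set are my own assumptions for illustration; a real trust-and-safety pipeline would tune them against labelled data.

```python
"""Heuristic triage of giveaway-scam indicators (illustrative example only)."""
from __future__ import annotations

import re

# Indicator patterns modelled on the two methods described above. These are
# heuristics chosen for this example, not rules used by Tenable or any platform.
SIGNAL_BOOST = re.compile(r"\b(rt|retweet|like|fav(?:ou?rite)?)\b", re.I)
MONEY = re.compile(r"[$£]\s?\d[\d,]*")
MULTIPLIER = re.compile(r"\b(flip(?:ping|ped)?|double|triple|\d+\s?x|times\s?\d+)\b", re.I)
DM_ASK = re.compile(r"\b(dms?|direct message|inbox)\b", re.I)
P2P_ID = re.compile(r"\$[A-Za-z]\w*|paypal\.me/\S+", re.I)
ADVANCE_FEE = re.compile(r"\b(verif\w*|receiver'?s?\s+fee|fee|donation|up\s?front)\b", re.I)

# Display names an impersonator is likely to copy (the giveaway accounts this
# post mentions). Assumed list for the example.
KNOWN_GIVERS = {"cash app", "jeffree star", "david dobrik", "bill pulte", "ethan klein"}


def classify_post(text: str) -> dict:
    """Score a public social-media post for signal-boosting / cash-flip indicators."""
    flags = []
    if SIGNAL_BOOST.search(text):
        flags.append("asks for RT/like")
    if MONEY.search(text):
        flags.append("promises a sum")
    if MULTIPLIER.search(text):
        flags.append("flip/multiplier claim")
    if DM_ASK.search(text):
        flags.append("moves to DM")
    if P2P_ID.search(text):
        flags.append("solicits P2P ID")
    # Rule from the warning above: money offered for RT+like, or any flipping
    # claim, is a scam. Anything else with two or more indicators merely looks
    # like a giveaway, which a real giver and a harvester both do.
    if ("asks for RT/like" in flags and "promises a sum" in flags) or "flip/multiplier claim" in flags:
        verdict = "likely_scam"
    elif len(flags) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "flags": flags}


def classify_request(sender: str, amount: float, note: str) -> dict:
    """Score an incoming P2P money request (the impersonation method)."""
    flags = []
    if ADVANCE_FEE.search(note):
        flags.append("verification/fee language")
    if amount <= 20:
        flags.append("small amount")  # the $1-$20 range described above
    if sender.strip().lower() in KNOWN_GIVERS:
        flags.append("uses a known giveaway name (unverified)")
    if "verification/fee language" in flags:
        verdict = "likely_scam"  # a request to "verify" with money is always a scam
    elif "uses a known giveaway name (unverified)" in flags:
        verdict = "suspicious"   # real givers send money; they do not request it
    else:
        verdict = "benign"
    return {"verdict": verdict, "flags": flags}


# Constructed sample data for the example; not real posts or requests.
SAMPLE_POSTS = [
    "First 50 to RT and like this get $500 sent to their cash app! Drop your $cashtag and DM me #CashAppFriday",
    "We want to help. Reply with your $cashtag and we'll send $50 to 100 people. #cashappinbio",
    "Treating myself to a $20 lunch today",
    "I can flip $50 into $500 in 30 mins, DM me to get started",
]
SAMPLE_REQUESTS = [  # (sender display name, amount, note)
    ("Cash App", 5.00, "Account verification fee to release your $500 giveaway"),
    ("David Dobrik", 20.00, "An account verification to ensure money is sent to valid accounts"),
    ("Alex", 12.50, "lunch split"),
    ("Cash App", 2.99, "thanks for the ride"),
]


def triage() -> tuple[list[str], list[str]]:
    """Run both classifiers over the samples and return the verdict lists."""
    posts = [classify_post(p)["verdict"] for p in SAMPLE_POSTS]
    requests = [classify_request(*r)["verdict"] for r in SAMPLE_REQUESTS]
    return posts, requests


if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print(classify_post(p), "<-", p[:60])
    for r in SAMPLE_REQUESTS:
        print(classify_request(*r), "<-", r)
```

Note that the second sample post only scores “suspicious”: a genuine “reply with your $cashtag” giveaway and a scammer harvesting IDs are indistinguishable from the text alone, which is why the verification gap discussed later in this post matters more than any keyword heuristic.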

Cash App giveaways increase during pandemic

Historically, Cash App has launched giveaways as part of its Cash App Friday or Super Cash App Friday initiatives, with a few giveaways sprinkled in between. Since the pandemic, Cash App has been posting giveaways more regularly. This activity began on March 18, when Cash App tweeted “We want to help,” implying that it was looking to help individuals who are struggling during this time.

Naturally, the increased activity from Cash App’s official Twitter account with these regular giveaways has provided Cash App scammers a consistent stream of opportunities to target vulnerable individuals.

If you look at any of Cash App’s giveaway tweets, you’ll find them littered with replies from scammers seeking to capitalize on the interest in the giveaways.

These tweets showcase the signal boosting method outlined earlier. One user notified me personally that they had reached out to one of these scammers, who asked them to send $525, claiming they would multiply the transfer times eight, which amounts to $4,200. The scammer also went out of their way to say that they weren’t “one of those scammer types” and that they don’t “want to portray [themselves] as one.” Once this user called out the scammer, they were promptly blocked.

In one instance, a scammer claimed they could offer the user nearly $10,000 if the user first paid “a receiver's fee.”

Irrespective of the amount the scammers claim they will return to their victim, whatever “fee” they ask from their victim will never be returned and they’ll block them once the victim confirms receipt of the transaction.

As I noted in my original research, scammers not only respond to Cash App’s tweets, they also ride the popularity of the Cash App hashtags as they’re trending. For example, Cash App recently began promoting a giveaway by asking users to put their $cashtag in their own bios with the hashtag #cashappinbio.

Not long after this tweet was published, it began to trend on Twitter.

Unsurprisingly, scammers seized on the trending hashtag and used it in their signal boosting tweets, in addition to several other popular hashtags like #CashAppFriday, #CashAppBlessing and of course, #COVID19.

Celebrities and notable figures open up their pockets

While Cash App has regularly provided giveaways for a few years now, celebrities and other notable figures have been opening up their wallets as well during these difficult times in an effort to help those struggling financially.

One of the more notable donors is popular beauty influencer Jeffree Star.

Jeffree Star’s $30,000 giveaway in March was met with enormous interest, with nearly 1 million retweets, over 600,000 likes and more than 100,000 replies.

Scammers quickly seized on the opportunity provided by Jeffree Star’s giveaway, as detailed in a story from Quartz, which highlighted these types of scams and shared the tale of how one stranger reached out to a participant in the giveaway, offering them $250 but not without asking for a “fee” up front. In this case, the victim was told it would be a “donation” instead of a “fee,” preying on the victim’s kindness.

Jeffree Star managed to become the number one trending tweet on Twitter on multiple occasions, with an untold number of Twitter users replying to his giveaway using “#JeffreeStarApproved” hoping to win money from him.

Star has also participated in giveaways with Bill Pulte, a philanthropist and self-proclaimed inventor of “Twitter Philanthropy,” who regularly does giveaways on Twitter.

Since he began promoting giveaways on his timeline, scammers have tried to leverage Jeffree Star’s Twitter following by offering to give away money within the replies.

While scammers aren’t shying away from leveraging signal boosting in giveaways from celebrities and other notable figures, they tend to prefer to impersonate these figures on the various P2P payment applications so they can abuse the “request money” feature.

In addition to targeting Cash App users in North America, some scammers are requesting funds from users in British pounds (£).

As mentioned earlier, the requests from these impersonators are purposely set to a lower dollar value because they believe someone would be more willing to part with $5 rather than $500, and their calculation is often right.

Not every impersonator completes their transformation into Jeffree Star. In one case, the impersonator forgot to swap out their own profile photo.

Scams on Venmo and PayPal

While most of the giveaway scams I’ve observed have centered around Square’s Cash App, scammers are also targeting giveaways using other platforms.

Popular social media content creator David Dobrik, who has nearly 5 million Twitter followers and nearly 17 million YouTube subscribers, posted a tweet on March 27 offering to provide people with “extra cash,” asking that they respond by sharing their Venmo username and his team would “send something over.”

Scammers seized on Dobrik’s giveaway by creating fake accounts on Venmo and using the second method described above, sending requests for money to those who left their Venmo IDs in the replies.

Once again, the amount of money the scammers request can vary, but it is often a smaller denomination. In one example, the scammers asked for $20. In another, one particular scammer asked for $2.99. Unlike Cash App, which offers a limited number of characters in the note when requesting money, the Venmo request spells out why the scammers are asking for this advance fee upfront. They say it’s for “an account verification to ensure money is sent to valid accounts.”

Venmo isn’t the only target scammers have their eyes on. Because some users aren’t on Cash App or Venmo, they’ll share their PayPal IDs instead.

Some users received requests on PayPal asking for a $10 advance fee, with the promise of receiving $510 in return. The scammers also use the note field to instruct their victims to use the “Friends and Family” option when sending their payment, because the “Goods and Services” option takes “up to 48 hours” to process and that’s enough time for the transaction to get flagged. The real reason is that Friends and Family payments are not covered by PayPal’s purchase protection, which leaves the victim with no dispute path once the money is gone.

Even though Dobrik mentioned that he was going to be giving away money on Venmo, that didn’t stop scammers from also requesting money via Cash App.

Scammers have also been impersonating Pulte across each platform, abusing the same “request money” feature.

(Screenshots: impersonation requests on Cash App, Venmo and PayPal.)

Popular YouTube creator Ethan Klein has also offered to generously give away $100,000 over a period of 100 days.

I suspected that with this giveaway, the prevalence of users sharing their P2P payment IDs for their PayPal accounts would result in scammers seizing on this opportunity. After all, 100 days of giveaways is a consistent stream of P2P payment IDs and the hope of being selected makes it all the more possible that people will get duped out of their money.

Sure enough, the scammers did target participants in Klein’s giveaway. Klein has since posted a warning to his followers about it, even providing an example screenshot of the requests for money that scammers are sending.

Directing “winners” to contact an “agent”

In some cases, the scammers are impersonating these same celebrities and notable figures on Twitter and Facebook, messaging their victims and instructing them to contact their “agent” via text message.

This is merely a way to get users off the social media platform and onto one like SMS, where the platform’s abuse-reporting and blocking tools no longer apply and stopping a scammer who simply rotates to a new mobile number is a lot harder.

In one example I observed, a user who contacted one of these so-called “agents” was once again asked to provide a “fee” for verification purposes.

Stealing financial information is the holy grail

While the scammers tend to zero in on cash giveaways and leverage the P2P payment applications, that hasn’t stopped them from trying their luck to go after the holy grail: bank account information.

In some cases, scammers are using an image from Cash App saying their bank “declined this payment. Please update your card or contact your bank for more information.” They use this image as a way to trick their victims into believing they can’t send the money via Cash App, which is why they need the user to provide the login credentials for their credit card account.

If users say they can’t pay the so-called “fee” to the scammers, they will be asked if they have a bank account. Once they confirm the existence of a bank account, the scammer will say they can “deposit a check” into the account, but first they need the username and password for the account. This is a retro take on phishing, because instead of directing the users to a fraudulent website that looks like their bank’s website, they’re just merely asking them to provide their login credentials without batting an eye.

Besides directly asking for login credentials, the scammers may also ask users to provide sensitive information, such as their account number, routing number and name on the account.

While the routing number is a piece of public information, your bank account number is not. Having both of these pieces of information would enable the scammer to initiate ACH debits against your account. In this case, they’re not chasing after a small sum of money by abusing the request money functionality of P2P payment apps, they’re looking for the biggest piece of the pie that they can take a bite of.

In-product warnings for users could thwart these scams

While it’s commendable that Jeffree Star and Ethan Klein have tweeted warnings about scammers targeting their giveaways, that can only do so much to help protect vulnerable users. It’s imperative that the P2P payment providers like Cash App, Venmo and PayPal take extra steps to caution their users. I believe this could be achieved by inserting a warning within every request for money received through their applications as a starting point.

We’ve created mockup images of what this could potentially look like. Please note these are not currently implemented in any of the P2P payment applications nor are we aware if they have considered anything of the sort.

Cash App Mockup Warning Message

Venmo Mockup Warning Message

PayPal Mockup Warning Message

If users see this information up front when they receive requests for money within their preferred P2P payment app, they’ll know right away that they shouldn’t accept the request. This could help thwart many of the incoming requests for money from scammers targeting those participating in giveaways.

The same concept could be applied as part of sending money to users as well. Providing the end user with a warning message to the effect that “anyone claiming they can increase your money for a small donation or upfront payment is a fraud” could potentially save some users from parting with their money.

Verified accounts on P2P payment platforms

The use of verified badges, which are used to confirm celebrity or brand authenticity on social media, is one way to help users avoid falling victim to impersonators. However, verified badges are not without flaws, as highlighted in a piece for The Atlantic by Taylor Lorenz. There are plenty of examples where verified accounts have been compromised and used to peddle scams, including a recent blog we wrote regarding cryptocurrency scams on Twitter.

P2P payment applications have had no verification mechanism in place. It’s a blank canvas, therefore there’s an opportunity for the companies in this space to start utilizing verification on a case-by-case basis. For example, Square’s Cash App is identified by their cashtag, $cashapp. They can and should verify their own account so users can visually see the difference between a transfer of money from Cash App versus a request from an impersonation of Cash App.

Similarly, the giveaways by celebrities and notable figures can be easily identified by these companies. For instance, Jeffree Star has reached out to Cash App to try to get “verified” in order to increase the limits put in place by Cash App when sending money.

Cash App is already requesting information such as the last four digits of a social security number. They could also put a mechanism in place to verify the celebrities and other notable figures who are giving money away using their platform, since more often than not these figures announce their giveaways on social media. For instance, rappers Lil Nas X and Megan Thee Stallion gave away money using Cash App back in March, and of course, scammers quickly seized on their generous giving.

These are far from perfect solutions. However, a combination of in-product warnings along with verification badges for those celebrities and other notable figures doing giveaways could go a long way to help protect some users from being defrauded.

Digital philanthropy: The good and the bad

The efforts made by companies like Square (via Cash App), celebrities and other notable figures to give money to those struggling through this period of economic uncertainty should be lauded. At the same time, it’s important to recognize that these efforts also create an environment where scammers thrive. And it’s clear that their efforts are working, because if they weren’t, they wouldn’t be pursuing them any further. That’s why it’s important to disrupt their activities as much as possible. This won’t be achieved through user education and awareness alone. Product changes that can be introduced into the user interface of these P2P payment applications can play an important role in this process.

Until such product changes are considered and implemented, it’s up to users to do their part to stem the tide of scams. Here are six tips to help users protect themselves:

  1. Any time you’re asked to pay a fee to “verify” yourself, make a “donation” or any other reason that requires you to pay a fee up front (in advance), it is a complete scam.
  2. If you receive an incoming request for money in your Cash App, Venmo or PayPal to verify you’re real, ignore the request and report the user. Neither Cash App nor any celebrity or notable figure offering to give away money will ever ask you to send money as a form of verification.
  3. Be skeptical of people posting on Twitter and Instagram promoting their own giveaways using hashtags like #CashAppFriday, #SuperCashAppFriday, #cashappinbio, #BailoutHumansNow, #JeffreeStarApproved and #COVID19.
  4. If you’re asked to provide the login credentials to access your bank account or credit card account, don’t share those details with anyone. These users are trying to “phish” you of your sensitive logins and passwords so they can pull a large sum of money out of your account.
  5. If you receive a message from someone saying you’ve won a Cash App giveaway and they include a link to a website that asks you to log in to your Cash App, it is almost certainly a phishing site. Do not enter your mobile number or provide your “login code” into any website. Instead of clicking on a link in a DM or a social media post, visit the real Cash App, Venmo and PayPal websites or check your mobile applications instead.
  6. “Flipping” money isn’t real. There is no program or method to alter transactions to increase the value within Cash App or any other P2P payment service. If the proof offered to you is flipping $2 for $20, it means the Cash App scammer is using their own stash of funds to gain your trust in order to steal a larger sum of money from you.

While Venmo and PayPal currently do not offer such a feature, Cash App allows users to restrict who can send them an incoming request for money. This can be achieved by changing the setting to “Contacts Only,” which will thwart the Cash App scammers impersonating Cash App and other celebrities and notable figures through incoming requests, asking for money for verification purposes. Even with this setting enabled, you’ll still be able to send and receive money through Cash App normally.

As long as Cash App, generous celebrities and notable figures give away money on social media, these types of scams will persist. Since such giveaways won’t be stopped, the only way to truly stymie the efforts of these scammers is to put roadblocks in their way, such as the product-related changes we’ve proposed in this article.

