Peer-to-peer (P2P) mobile payment services such as Venmo, Cash App, and PayPal have exploded in popularity thanks to their convenience and ease of use. It’s very simple to transfer money to friends and family with just a few taps on your phone.
But as these apps gain ubiquity in North America, they’ve attracted the attention of nefarious actors too; some users have lost tens of thousands of dollars due to social-engineering scams. It’s important to recognize the warning signs of a potential scammer and block them immediately.
Let’s take a closer look at common mobile-payment scams and ways for you to avoid them.
1. Phishing scams
One of the most common ways of initiating a scam is through a fake SMS. These are also referred to as “smishing” attacks as they encourage a user to click a malicious link through an SMS.
The message usually offers some sort of financial benefit that requires you to enter your personal information. The page itself will also try to closely impersonate that of the official payment app. However, it’s controlled by a hacker in search of your information. Once you enter details such as a credit card number or other identifying information, it can be used for illegal transactions or sold on the dark web.
@venmo this is spam right? #venmo #spam #phishing #2020 pic.twitter.com/Dt6aSXls1F
— Daniel Adam (@LoneStarCanuck) August 20, 2020
Phishing scams can also occur in the form of a malicious email. The same principle applies; phishing emails lure you into parting with your personal information either by impersonating someone you know or the payment app itself.
How to avoid phishing and smishing scams
PayPal warns against phishing attacks, saying that if you receive an offer or a deal that “seems too good to be true” then it probably is. It reminds you that apps will only contact you from their official email address and never ask for your personal information.
Ultimately, the onus is on you to carefully scrutinize any email or text message asking for personal details. If you receive such correspondence, it’s probably best to delete the message and block the sender. If you have a feeling that the request might be legitimate, be sure to check with customer support first.
2. Credit card reverse-charge scams
A credit card reverse-charge scam can occur when you’re attempting to sell something on an online marketplace such as Craigslist.
The interested buyer reaches out and offers payment via Venmo. They make the payment and you proceed to ship the goods. A few days later you get a notification that the credit card company has reversed the transaction because it was made with a stolen card.
Venmo’s official stance is that it’s purely a payment service between friends and family and is not meant to be used for business purposes. It doesn’t offer any sort of seller or buyer protection unless specifically registered for a business account. PayPal does offer protections but it usually sides with the seller in the case of a dispute.
How to avoid credit card reverse-charge scams
If you’re selling a one-off item on an online marketplace, then it’s better if you ask for cash instead of an online payment. You could also request that the buyer send you a wire transfer from their bank account to yours instead of through a third-party app.
3. Excess-payment scams
Many mobile payment apps warn against such scams. In this situation, a potential customer of your store “accidentally” wires you more money than they should have. For example, it’s possible that you’re selling an item online for 200 USD but receive a payment of 2,000 USD instead.
The person in question contacts you and says they sent the extra cash in error, asking to refund the 1,800 USD difference. You proceed to do so and ship them the product they asked for. A few days later you find out that the payment method used was fraudulent and you’ve lost the money as well as the item shipped.
How to avoid excess-payment scams
The chances of a legitimate buyer overpaying you, especially by a large amount, are almost zero. If you receive such a transaction, we recommend that you cancel it altogether and refrain from transferring the monies to your bank account.
4. Fake-charity scams
Individuals and corporations in the U.S. donated nearly half a trillion dollars to charity in 2019, so you can be sure that scammers are eyeing this pool of cash, too. Charitable donations usually spike after a natural disaster, refugee crisis, or war. They’re also quite prevalent during the holiday shopping season.
Fake-charity scams work in a similar fashion to phishing scams, except that they don’t try to impersonate someone you know or trust. They’ll likely ask you to make a one-time donation to help victims of some unfortunate incident, except the cash will end up in the scammer’s account. And you won’t be able to get a tax deduction, either.
How to avoid charity scams
If you come across an email or text message claiming to be from a charity that you don’t recognize, then be sure to check out its credentials first. Charity Navigator and Charity Watch are two independent charity watchdogs that testify to the validity of the non-profit organization. Another red flag is if the charity in question does not have a website or any mentions of its work online. That means it’s very likely a scam.
Further tips to avoid financial scams
In addition to the above tips, there are some extra steps you can take to further boost your security.
Set up two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security to your account by making you validate your identity beyond just the standard username/password combination. It can help guard against data theft, for example if your mobile payment account has been compromised by hackers.
Use a VPN
VPNs set up an encrypted tunnel and route all your internet traffic through it, keeping your personal information safe and away from prying eyes. Use a VPN if you connect to public Wi-Fi frequently or even for everyday use. It adds security to all your devices, including phones, laptops, and tablets.
Always set up a strong password
Strong passwords entail a combination of alphanumeric characters and aren’t tied to any personal information. Never use your name or birthday in a password since you’re increasing the chances that it might be cracked. What’s more, try to set up a different password for each app or site you visit. Our random password generator can give you a good one.
Have you ever been the victim of a financial scam? What would you have done differently? Let us know in the comments!
I have had at least 10 complaints against PayPal sellers, and won all of them.
Hi Osman, thanks for your article.
Last week I did have some sort of rogue attack attempt to my PayPal acct.
I use a password manager with 2FA generated within the app.
I noticed the 2FA code would be rejected, I clicked the change password recovery.
I managed to change strong password, and get into acct as usual, but the money I was trying to send would be blocked by my credit card bank (thankfully).
I double checked with bank for issues, no problem there.
I noticed a couple of phishing messages on my junk mail, suspiciously one had a time stamp right after one of my attempts.
I also noticed that 2FA would fail the next day, so, besides changing strong password every time I had this problem, I changed the app 2FA for Google Authenticator, and it worked. Still the bank would block the transaction.
I finally managed to make the transaction a couple of days later. The password manager support team suggested a rogue attempt. Later on I switched back to the app 2FA, and it works as it should.
This attack seemed to be sophisticated since, apparently 2FA would be compromised. The phishing mails were also so on time with events.
Around this area where I live, there have been news about rogue attacks to our ISP.
I also read that use of VPNs could trigger suspicion on behalf of banks, and other institutions. On my attempts I also tried with, and without ExpressVPN, to rule out culprits. I’m glad there were security layers from all sides, since using Express VPN, strong passwords, 2FA, and the bank, all in conjunction, spoiled this attempt.
A word of wisdom, change passwords once in a while, and if you can wait, leave that chore for another moment. In my case, the storm ended a couple of days later, probably when perpetrators moved on somewhere else. Check with tech support, I did, there was a remote chance they could help, or at least be aware of the situation.