CASH APPS
This section is about payment apps (aka pay apps) Zelle, Venmo, Cash App and PayPal. Not here (yet) are Apple Pay and Google Pay.
If you paid a scammer with a cash app, report it to the FTC at ReportFraud.ftc.gov.
The article How Private Is My Pay App? from The Markup (Nov 2020)
discusses the data these apps share. The apps that most protect your privacy are Google Pay, AppleCash and Zelle.
On the This Week in Tech podcast (November 20, 2022 episode) I heard good things about
Wise for transferring money between countries. I have no experience with it.
The Best mobile payment apps in 2023 by David Strom for CNN. Last updated Jan. 5, 2023. The tested apps were: Apple Pay, Google Pay, Samsung Pay, Venmo and Cash App. Zelle was not tested. The two clear winners were Apple Pay and Google Pay.
TAXES IN THE US
UPDATE December 24, 2022: At the last minute, these reporting requirements were relaxed. But, next year...
People using mobile payment apps like Venmo, PayPal and Cash App are required, starting with income earned in 2022, to report commercial transactions totaling more than $600 per year to the IRS. Cash apps in the US must report payments to the IRS of more than $600 a year received for goods and services. Under the old rule, these cash services only provided their users a 1099-K form if they received more than $20,000 and had more than 200 transactions. Money received from friends and relatives as personal gifts or reimbursements for expenses is not taxable. If, however, there’s a mistake and personal payments get misclassified, the IRS says to sort it out with the app company.
A COMMON SCAM
Did someone 'accidentally' send you money on Venmo? You might be getting scammed by Jessica Roy for the Los Angeles Times (September 2022). A reporter writes, at length, about her identity having been stolen. In her case the scam message was:
Anna sent you $500.00 - Antique table - You now have $500.00 in your Venmo account
The article says that the best thing to do in these cases is nothing.
How the scam works: Bad guys steal/buy credit card numbers and attach them to accounts on cash apps like Venmo, Cashapp and Zelle. Using the stolen credit cards, the bad guys send money to hundreds or thousands of people at once. Then the bad guys request the money back. The initial victims, whose credit card numbers were stolen, will see the charges, get in touch with their banks, and likely have the transaction reversed. But any cash app user who sent the bad guys money gets screwed. Venmo declined to make anyone available for an interview for the story.
ZELLE
- Common Zelle scam: a text message from bad guys asks to confirm some banking activity. Bank customer says it was not them. Immediately, bad guys call the bank customer, pretend to be the fraud department at the bank and ask for assorted information to verify things. A customer that responds to this, immediately becomes a victim. You never know who called you on the phone or who sent a text message.
- Other Zelle scams trick the victim into transferring money to the bad guys. This typically involves text messages and phone calls spoofed to look like they came from the victim's bank. The scam convinces the victim that they are sending money to themselves. Victims can only be fooled if they do not understand the rules for Domain Names. The rules are explained on the Domain Name page of this site along with many common tricks that bad guys use to fool victims.
- Me-to-Me scam: bad guys convince a Zelle user to send money to their own phone number. Sounds safe. But, the bad guys have assigned the victim's phone number to their account.
- October 2022: Report: Big U.S. Banks Are Stiffing Account Takeover Victims by Brian Krebs. Senator Elizabeth Warren issued a report showing that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments. If a bad guys gains access to a victim account, the bank will typically restore any lost money. However, if the account owner is tricked into making transactions, tough luck Charlie. Three banks would not talk to Senator Warren - Capital One, JPMorgan and Wells Fargo. Those that did, reported repaying customers in roughly 10% of scam claims.
- The 'Zelle Fraud' Scam: How it Works, How to Fight Back by Brian Krebs (Nov 2021). Some victims have an active Zelle account and don't know they do. So, of course, they don't know how it works and they get scammed.
- Zelle hackers 'improve' their scam; banks won’t help - but victims have a new place to complain by Bob Sullivan (Nov 2021)
- Zelle fraud emergency kit and FAQ by Bob Sullivan (Nov 2019)
- FYI: Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.
- FYI: The Zelle website is www.zellepay.com
CASH APP
- If someone who knows the passcode to unlock your phone, steals the phone, the best defense is to force them to authenticate before running some apps, such as financial apps. Cash app can do this as they document in this undated support article: Enable Security Lock Require a PIN or Touch ID or Face ID to make payments from your Cash App.
- They Were 'Calling to Help.' Then They Stole Thousands" by Becca Andrews in Wired (Feb. 2022). About a women who was scammed. One part describes the problems trying to get control back of the Cash App.
VENMO
- Venmo is owned by PayPal
- If you pay a scammer, Venmo recommends chatting with them through their app: Go to your profile -> Get Help. They also have a contact form and a phone number: (855) 812-4430.
- Configuring an app password is great security, especially if your mobile device is lost or stolen. This is, basically, a password that must be entered
before the app is allowed to run. More from Venmo here: PIN & Touch ID
- CONFIGURE PRIVACY SETTINGS
The settings are found in the gear icon in the mobile app. In Settings, click on Privacy, then:
- Future Transactions: Venmo makes transactions public by default. To change that, going forward: Default Privacy Setting -> Private. The bad options here are Public or Friends
- Past Transactions: To retroactively privatize Venmo posts: Go to the "More" section of Privacy and change "Past Transactions" -> "Change All to
Private".
- Contacts: Friend lists default to public. No other social network or service does that. For a long time they could not be made private. Now they can. Click on
"More" -> Friends List and set it to Private. While there, also turn off "Appear in Other Users' Friends Lists"
- Location: Venmo wants to know your location but it is not needed. You can deny the app location access in both iOS and Android using the Operating System settings. The app can take you to the
appropriate OS settings. Again, click on "More" in the Privacy section, then Location.
- Configure: Settings -> Preferences -> Friends & Social. Turn off Facebook Connect, Phone Contacts and Facebook Contacts. A gray dot is OFF, a green check mark is ON.
- Venmo privacy settings to change now by Heather Kelly for the Washington Post (September 2021)
- FYI: We Found Joe Biden's Secret Venmo. Here’s Why That’s A Privacy Nightmare For Everyone by BuzzFeed News (May 2021). Quoting: Privacy advocates and journalists have warned about Venmo’s privacy problems for years, yet the PayPal-owned app has persisted with features that can place people at risk.
- Venmo Exposes Old Profile Photos, With No Way To Remove Them by Katie Notopoulos of BuzzFeed News (May 2021)
- How to Venmo Without Being a Monster by Angela Lashbrook (Jan. 2020)
- Venmo Users Are Being Inundated With Payment Requests From Strangers by Nicole Nguyen of BuzzFeed News (December 2019)
- EFF and Mozilla to Venmo: Clean Up Your Privacy Settings by The Electronic Frontier Foundation (August 2019).
- Venmo's Public Feed Is Bad And They Should End It by Katie Notopoulos of BuzzFeed News (July 2018)
- From the Venmo Security page
- Nobody at Venmo will ever contact you to request a password or verification code to your account. If you have any questions about security, email support@venmo.com
- If you've lost your phone or suspect that it is being used in an unauthorized way, you can prevent your phone from accessing your Venmo account. Just go to Venmo.com > Settings > Security and remove the session associated with your phone.
PAYPAL
- SCAM INVOICES FROM PAYPAL
This is really bad: a compromised or fraudulent PayPal Business account is used by bad guys to send emails and invoices that could not look any more realistic.
- February 9, 2023: Time to say goodbye to Paypal by David Strom. Quoting: "I have been a user of Paypal ever since, well, forever, but certainly for at least 25 years by my guess. Today I closed my account, thanks to having gotten several invoices from fraudsters." This article is about the same issue Brian Krebs covered in August 2022. Strom makes an excellent Defensive Computing suggestion: to firewall your banking infrastructure. Quoting again:
"...you should have a separate bank account that is just used as a repository for your online transactions. Ideally, it should be at a different bank than your 'real' accounts. Just keep a small balance there when you need it. Or use credit cards and accept the 3% processing fees are the cost of using them."
- August 2022: PayPal Phishing Scam Uses Invoices Sent Via PayPal by Brian Krebs. The scam emails are actually being sent by Paypal. The scam invoices that the emails link to are hosted on the real Paypal website. Yet, fraudulent. The scam part of the emails is the phone number to call to dispute the phony charge in the phony invoice. In one case, the only tip-off that this was a scam was when the bad guys tried to install remote control software on the victim's computer.
- October 2022: YouTube video Don't be FOOLED by this PayPal Scam! by
BlackBeltBarrister (6 minutes). A bit long-winded but useful for the screen shots. Initial email is actually from Paypal. The link in the email takes you to the real Paypal website, at
paypal.com/invoices/etc.etc.etc.
Clicking on either button in the Paypal web page starts a conversation with the bad guys. They may ask for personal details or to install remote control software on your computer.
- This is the Paypal service the bad guys are exploiting: Free Paypal invoicing service
- Force the entry of a pin code before the Paypal mobile app can be used. From How do I enable PIN login from PayPal's mobile app?. Steps:
log in to the PayPal app -> Settings cog -> Login and Security -> Change your PIN -> Enter a new 4-8 digit PIN, twice.
- Report suspect messages from PayPal (email, text, whatever) to phishing@paypal.com and/or spoof@paypal.com
- If you sent money to a scammer, contact PayPal at 888-221-1161 or use their Resolution Center
- How to Spot a Fake PayPal Email from Paypal (Sept 2021).
They do typically use email to contact their customers about both their PayPal and Venmo accounts.
- How to Keep Scammers From Gaining Access to Your Account with PayPal from PayPal (July 2021)
APPLE