A Defensive Computing Checklist
by Michael Horowitz
This section is about payment apps (aka pay apps) Zelle, Venmo, Cash App and PayPal. Not here (yet) are Apple Pay and Google Pay.
The article How Private Is My Pay App? from The Markup (Nov 2020)
discusses the data these apps share. The apps that most protect your privacy are Google Pay, AppleCash and Zelle.
On the This Week in Tech podcast (November 20, 2022 episode) I heard good things about
Wise for transferring money between countries. I have no experience with it.
TAXES IN THE US
People using mobile payment apps like Venmo, PayPal and Cash App are required to report commercial transactions totaling more than $600 per year to the IRS. As of 2022, cash apps in the US must report payments to the IRS of more than $600 a year received for goods and services. Money received from friends and relatives as personal gifts or reimbursements for expenses is not taxable.
If, however, there’s a mistake and personal payments get misclassified, the IRS says to sort it out with the app company.
A COMMON SCAM
Did someone 'accidentally' send you money on Venmo? You might be getting scammed by Jessica Roy for the Los Angeles Times (September 2022). A reporter writes, at length, about her identity having been stolen. In her case the scam message was:
Anna sent you $500.00 - Antique table - You now have $500.00 in your Venmo account
The article says that the best thing to do in these cases is nothing.
How the scam works: Bad guys steal/buy credit card numbers and attach them to accounts on cash apps like Venmo, Cashapp and Zelle. Using the stolen credit cards, the bad guys send money to hundreds or thousands of people at once. Then the bad guys request the money back. The initial victims, whose credit card numbers were stolen, will see the charges, get in touch with their banks, and likely have the transaction reversed. But any cash app user who sent the bad guys money gets screwed. Venmo declined to make anyone available for an interview for the story.
- Common Zelle scam: a text message from bad guys asks to confirm some banking activity. Bank customer says it was not them. Immediately, bad guys call the bank customer, pretend to be the fraud department at the bank and ask for assorted information to verify things. A customer that responds to this, immediately becomes a victim. You never know who called you on the phone or who sent a text message.
- Other Zelle scams trick the victim into transferring money to the bad guys. This typically involves text messages and phone calls spoofed to look like they came from the victim's bank. The scam convinces the victim that they are sending money to themselves. Victims can only be fooled if they do not understand the rules for Domain Names. The rules are explained on the Domain Name page of this site along with many common tricks that bad guys use to fool victims.
- Me-to-Me scam: bad guys convince a Zelle user to send money to their own phone number. Sounds safe. But, the bad guys have assigned the victim's phone number to their account.
- October 2022: Report: Big U.S. Banks Are Stiffing Account Takeover Victims by Brian Krebs. Senator Elizabeth Warren issued a report showing that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments. If a bad guys gains access to a victim account, the bank will typically restore any lost money. However, if the account owner is tricked into making transactions, tough luck Charlie. Three banks would not talk to Senator Warren - Capital One, JPMorgan and Wells Fargo. Those that did, reported repaying customers in roughly 10% of scam claims.
- The 'Zelle Fraud' Scam: How it Works, How to Fight Back by Brian Krebs (Nov 2021). Some victims have an active Zelle account and don't know they do. So, of course, they don't know how it works and they get scammed.
- Zelle hackers 'improve' their scam; banks won’t help - but victims have a new place to complain by Bob Sullivan (Nov 2021)
- Zelle fraud emergency kit and FAQ by Bob Sullivan (Nov 2019)
- FYI: Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.
- FYI: The Zelle website is www.zellepay.com
- Venmo is owned by PayPal
- CONFIGURE PRIVACY SETTINGS
The settings are found in the gear icon in the mobile app. In Settings, click on Privacy, then:
- Future: The app makes transactions public by default. To change that, going forward: Default Privacy Setting -> Private. The bad options here are Public or Friends
- Past: To retroactively privatize Venmo posts: "Past Transactions" -> Change All to Private. You may have to scroll down to "More"
- Contacts: Friend lists default to public. No other social network or service does that. For a long time they could not be made private. Now they can. Click on
"More" -> Friends List and set it to Private. While there, also turn off "Appear in Other Users' Friends Lists"
- Location: Venmo wants to know your location but it is not needed. You can deny the app location access in both iOS and Android using the Operating System settings. The app can take you to the
appropriate OS settings. Again, click on "More" in the Privacy section, then Location.
- Configure: Settings -> Preferences -> Friends & Social. Turn off Facebook Connect, Phone Contacts and Facebook Contacts. A gray dot is OFF, a green check mark is ON.
- Venmo privacy settings to change now by Heather Kelly for the Washington Post (September 2021)
- FYI: We Found Joe Biden's Secret Venmo. Here’s Why That’s A Privacy Nightmare For Everyone by BuzzFeed News (May 2021). Quoting: Privacy advocates and journalists have warned about Venmo’s privacy problems for years, yet the PayPal-owned app has persisted with features that can place people at risk.
- Venmo Exposes Old Profile Photos, With No Way To Remove Them by Katie Notopoulos of BuzzFeed News (May 2021)
- How to Venmo Without Being a Monster by Angela Lashbrook (Jan. 2020)
- Venmo Users Are Being Inundated With Payment Requests From Strangers by Nicole Nguyen of BuzzFeed News (December 2019)
- EFF and Mozilla to Venmo: Clean Up Your Privacy Settings by The Electronic Frontier Foundation (August 2019).
- Venmo's Public Feed Is Bad And They Should End It by Katie Notopoulos of BuzzFeed News (July 2018)
- FYI: The Venmo Security page
- SCAM INVOICES FROM PAYPAL
This is really bad: a compromised or fraudulent PayPal Business account is used by bad guys to send emails and invoices that could not look any more realistic.
- August 2022: PayPal Phishing Scam Uses Invoices Sent Via PayPal by Brian Krebs. The scam emails are actually being sent by Paypal. The scam invoices that the emails link to are hosted on the real Paypal website. Yet, fraudulent. The scam part of the emails is the phone number to call to dispute the phony charge in the phony invoice. In one case, the only tip-off that this was a scam was when the bad guys tried to install remote control software on the victim's computer.
- October 2022: YouTube video Don't be FOOLED by this PayPal Scam! by
BlackBeltBarrister (6 minutes). A bit long-winded but useful for the screen shots. Initial email is actually from Paypal. The link in the email takes you to the real Paypal website, at
Clicking on either button in the Paypal web page starts a conversation with the bad guys. They may ask for personal details or to install remote control software on your computer.
- This is the Paypal service the bad guys are exploiting: Free Paypal invoicing service
- Report suspect messages from PayPal (email, text, whatever) to firstname.lastname@example.org and/or email@example.com
- How to Spot a Fake PayPal Email from Paypal (Sept 2021).
They do typically use email to contact their customers about both their PayPal and Venmo accounts.
- How to Keep Scammers From Gaining Access to Your Account with PayPal from Paypal (July 2021)
| This page: 6 views per day (over 46 days) Total views: 273 Created: October 24, 2022|
Copyright 2019 - 2022