CASH APPS
TOPICS BELOW
A Common Scam,
Zelle,
Venmo,
Cash App,
Paypal,
Taxes in the US,
Apple Cash
This page is about payment apps (aka pay apps) Zelle, Venmo, Cash App and PayPal.
If you paid a scammer with a cash app, report it to the FTC at ReportFraud.ftc.gov.
For any cash app, link it to a credit card for the protection they offer if you don't get the goods or services you paid for. Linking to either a debit card or directly to a bank account does not give you this protection.
The article How Private Is My Pay App? from The Markup (Nov 2020)
discusses the data these apps share. The apps that most protect your privacy are Google Pay, AppleCash and Zelle.
On the This Week in Tech podcast (November 20, 2022 episode) I heard good things about
Wise for transferring money between countries. I have no experience with it.
The Best mobile payment apps in 2023 by David Strom for CNN. Last updated Jan. 5, 2023. The tested apps were: Apple Pay, Google Pay, Samsung Pay, Venmo and Cash App. Zelle was not tested. The two clear winners were Apple Pay and Google Pay.
A COMMON SCAM top
Did someone 'accidentally' send you money on Venmo? You might be getting scammed by Jessica Roy for the Los Angeles Times (September 2022). A reporter writes, at length, about her identity having been stolen. In her case the scam message was:
Anna sent you $500.00 - Antique table - You now have $500.00 in your Venmo account
The article says that the best thing to do in these cases is nothing.
How the scam works: Bad guys steal/buy credit card numbers and attach them to accounts on cash apps like Venmo, Cashapp and Zelle. Using the stolen credit cards, the bad guys send money to hundreds or thousands of people at once. Then the bad guys request the money back. The initial victims, whose credit card numbers were stolen, will see the charges, get in touch with their banks, and likely have the transaction reversed. But any cash app user who sent the bad guys money gets screwed. Venmo declined to make anyone available for an interview for the story.
ZELLE top
- In the Zelle system, an email address can be your userid. If you can, create a new email address that is only used for Zelle and not for anything else. There is a page here on
Creating Multiple Email Addresses.
- Common Zelle scam: a text message from bad guys asks to confirm some banking activity. Bank customer says it was not them. Immediately, bad guys call the bank customer, pretend to be the fraud department at the bank and ask for assorted information to verify things. A customer that responds to this, immediately becomes a victim. You never know who called you on the phone or who sent a text message.
- Other Zelle scams trick the victim into transferring money to the bad guys. This typically involves text messages and phone calls spoofed to look like they came from the victim's bank. The scam convinces the victim that they are sending money to themselves. Victims can only be fooled if they do not understand the rules for Domain Names. The rules are explained on the Domain Name page of this site along with many common tricks that bad guys use to fool victims.
- Me-to-Me scam: bad guys convince a Zelle user to send money to their own phone number. Sounds safe. But, the bad guys have assigned the victim's phone number to their account.
- October 2022: Report: Big U.S. Banks Are Stiffing Account Takeover Victims by Brian Krebs. Senator Elizabeth Warren issued a report showing that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments. If a bad guys gains access to a victim account, the bank will typically restore any lost money. However, if the account owner is tricked into making transactions, tough luck Charlie. Three banks would not talk to Senator Warren - Capital One, JPMorgan and Wells Fargo. Those that did, reported repaying customers in roughly 10% of scam claims.
- The 'Zelle Fraud' Scam: How it Works, How to Fight Back by Brian Krebs (Nov 2021). Some victims have an active Zelle account and don't know they do. So, of course, they don't know how it works and they get scammed.
- Zelle hackers 'improve' their scam; banks won’t help - but victims have a new place to complain by Bob Sullivan (Nov 2021)
- Zelle fraud emergency kit and FAQ by Bob Sullivan (Nov 2019)
- FYI: Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo.
- FYI: The Zelle website is www.zellepay.com
VENMO top
- Venmo is owned by PayPal
- Configure an app run password. This is a 4 digit number that must be entered before the Venmo app runs. It is a great defense against a bad guy with access to your phone. I call this an "app run password", Venmo calls it a "passcode" when you click the app and get prompted to enter it, but, when you configure it, they call it a PIN. What morons they are. To create a Venmo-only "app run password" there are three click trails below. The last two are from the Venmo documentation
(PIN & Touch ID Setup), the first one is what I saw when testing with an iPhone running iOS 17.7.
me on iOS: Start at the Me tab in bottom right corner of the app -> gear icon in top right corner -> PIN -> Enable PIN
Venmo iOS doc: Start at the Me tab -> gear icon -> Face ID & PIN
Venmo Android doc: Start at the Me tab -> gear icon -> PIN code & biometric unlock
- November 3, 2024: You're overexposed online. This service fixes 223 privacy settings for you. Geoffrey A. Fowler for the Washington Post. The article is about an extension/service from a startup called Block Party. It is available on the Windows, macOS and Linux versions of Chrome, Firefox, and Edge. It works on the websites of Facebook, Instagram, Google, YouTube, X, LinkedIn, Reddit, Strava and Venmo. For these 9 companies, it reviews your privacy settings, recommends changes and can make the changes for you. There is a 7 day trial, after which the service is $20/year. I would add to the article that you might want to disable the extension when you are not using it. Quoting: "Tech companies want to collect as much of your data as possible, and, often, to share it widely. So they present privacy and other settings with so many confusing knobs and buttons that it feels like flying a 747. There are 44 different privacy settings on Facebook alone. Worse, apps move around settings - and keep adding new ones that find more ways to exploit your personal data."
- September 1, 2023: BBB Scam Alert: Don't send money to fake friends on Venmo from the Better Business Bureau. You get an out-of-the-blue Venmo request from a friend who needs money. Perhaps they lost their wallet. Could you send a couple hundred dollars to tide them over? It may sound reasonable and look legitimate, but no. The message could be from an account using, what seems to be, the friend’'s username and profile photo. But the name is a character or two off from the real Venmo account. Scammers are copying username and profile pictures to impersonate people. Using the information visible in Venmo's transaction history, they figure out from whom this person had previously sent or received money.
- April 2024: How to Avoid Getting Scammed on Venmo by Shan Abdul for HowToGeek. Summarizing: Avoid using Venmo with sellers that you do not trust. If someone sends you money and it seems like it was a mistake, do not refund the money instantly. This is a common scam involving stolen credit cards. If you receive urgent financial requests from a friend, double check. That is, contact them outside of Venmo. Never lend your phone to strangers. The article does not say anything about an app password, a huge omission.
- Consumer Reports warns that Venmo, is a particular target for financial fraud. A survey of theirs in 2024 found that roughly 1 in 10 peer-to-peer payment app users had lost money to a scam. The Better Business Bureau has warned of fake Venmo accounts being used to request money from users. They did not offer any tips on validating a legit Venmo user.
- Common Scams on Venmo from Venmo. Undated (of course). The scams: Fake Prize or Cash Reward, Call from Venmo, Text messages pretending to be Venmo, Call from Tech Support, Fake Payment Confirmation or Request for Tracking Details,
Pre-payment for Goods and Services, Stranger Posing as a Friend, Payments from Strangers, Offers to Make Money Fast, Paper Check Scam, Romance Scam and more.
- If you pay a scammer, Venmo recommends chatting with them through their app: Go to your profile -> Get Help. They also have a contact form and a phone number: (855) 812-4430.
- On their Identity Verification page, Venmo says that they do sometimes send emails if they need to verify your identity. Rather than try to determine in an email is a scam or not, they say to handle identity verification in the Venmo app. That is, treat the email as a notice to check in the app if they are really asking for an ID check or not.
- CONFIGURE PRIVACY SETTINGS
The settings are found in the gear icon in the mobile app. In Settings, click on Privacy, then:
- Future Transactions: Venmo makes transactions public by default. To change that, going forward: Default Privacy Setting -> Private. The bad options here are Public or Friends
- Past Transactions: To retroactively privatize Venmo posts: Go to the "More" section of Privacy and change "Past Transactions" -> "Change All to Private".
- Note that while you can make transactions private, that does NOT apply to group payments. Those are treated differently.
- Contacts: Friend lists default to public. No other social network or service does that. For a long time, the identity of your friends could not be made private. Now it can.
Settings -> Privacy -> Friends List -> set it to Private
While there, also turn off "Appear in Other Users' Friends Lists"
- Do not share your personal contacts with Venmo
Settings -> Friends & Social -> Phone Contacts to OFF
A gray dot is OFF, a green check mark is ON
If Facebook is installed there should be other options in this section too: Facebook Connect and Facebook Contacts. I would also turn those off.
- Location: Venmo wants to know your location but it is not needed. You can deny the app location access in both iOS and Android using the Operating System settings. The app can take you to the appropriate OS settings. Again, click on "More" in the Privacy section, then Location.
- October 17, 2024: How to Make Your Venmo Information Private by Derek Kravitz for Consumer Reports. There are three sections to the article: To Make Future Venmo Payments Private, To Make Past Venmo Payments Private and To Make Venmo Contact Lists Private.
- October 17, 2024: Who Can See What You Do on Venmo? You’d Be Surprised. by Derek Kravitz for Consumer Reports. A very long article. Venmo has for years resisted calls from both privacy groups and regulators to make accounts private by default. So, with just a little digging, Consumer Reports found a surprising amount of information about some very famous people: celebrities, politicians, and business leaders. The dollar amounts of transactions are never made public. You can tell when payments are public by the 'world' icon next to the transaction date. Open/public accounts put their owners at increased risk of stalking, fraud, and cyber attacks such as spear phishing.
- Venmo privacy settings to change now by Heather Kelly for the Washington Post. January 31, 2024
Below is an earlier version of the same article
Venmo privacy settings to change now by Heather Kelly for the Washington Post September 2021
- A few stories about secrets that were leaked by public Venmo transactions: 'She’d been sending herself payments from me': Venmo users on discovering secrets on the app by Alaina Demopoulos for The Guardian. March 14, 2023. Quoting: "... because the Venmo app has a 'home feed', an endless scroll that shows payments between users, it's also a sneaky form of social media. You can see how your friends spend their money - and who they spend it with ... Though users have the option to make their payments private, many forget to. When Daily Beast journalists snooped Matt Gaetz's transactions, they discovered the Florida Representative had paid an accused sex trafficker through the app ... A study conducted by experts at the University of Southern California found that two in five Venmo users publicly reveal 'sensitive information' on the app."
- FYI: We Found Joe Biden's Secret Venmo. Here’s Why That’s A Privacy Nightmare For Everyone by BuzzFeed News (May 2021). Quoting: Privacy advocates and journalists have warned about Venmo’s privacy problems for years, yet the PayPal-owned app has persisted with features that can place people at risk.
- Venmo Exposes Old Profile Photos, With No Way To Remove Them by Katie Notopoulos of BuzzFeed News (May 2021)
- From the Venmo Security page
- Nobody at Venmo will ever contact you to request a password or verification code to your account. If you have any questions about security, email support@venmo.com
- If you've lost your phone or suspect that it is being used in an unauthorized way, you can prevent your phone from accessing your Venmo account.
Go to Venmo.com -> Settings -> Security -> remove the session associated with your phone
- Venmo Users Are Being Inundated With Payment Requests From Strangers by Nicole Nguyen of BuzzFeed News. About the dangers of public transactions, which at the time, was the default behavior. A popular TikTok video was released that showed people how to spam Venmo users who make public transactions. It explained the best ways to scam Venmo users. The article talks about a number of Venmo users who were spammed after making public transactions. December 2019.
- EFF and Mozilla to Venmo: Clean Up Your Privacy Settings a Press Release from The Electronic Frontier Foundation. Popular Payment App Reveals Sensitive Data by Default. August 2019
- Venmo's Public Feed Is Bad And They Should End It by Katie Notopoulos of BuzzFeed News (July 2018)
- How to Venmo Without Being a Monster by Angela Lashbrook
at Medium. January 2020. A medium account is required to view the article, so, eh.
CASH APP top
- November 11, 2024: Probably not a good app to use. In 2024 they paid $15 million to settle a lawsuit. The deadline for filing a Cash App settlement claim is days away by Mark Huffman for Consumer Affairs. In 2022, Cash App disclosed a data breach that occurred in 2021. That prompted a class-action lawsuit, with plaintiffs claiming Cash App and its parent company, Block, had crappy security. Worse, the suit alleges that Cash App was unresponsive to complaints about security.
- August 19, 2024: An earlier article about the lawsuit being settled: Do You Use Cash App? You Could Be Entitled to a $2,500 Payout by Dua Rashid for Gizmodo. This article says that a former company employee accessed customer accounts in 2022. And, in 2023, an unauthorized user accessed some accounts using the numbers linked to the first security failure. Cash App also faced allegations of being negligent in their security-related obligations to users and failing to put in place appropriate measures to control fraud. And Cash App undermined several user complaints and failed to resolve them. It also refused to take responsibility for any problems that it caused.
- The cash app settlement official website: Salinas, et al. v. Block, Inc. and Cash App Investing, LLC
Case No. 22-cv-04823 District Court for the Northern District of California
- If someone who knows the passcode to unlock your phone, steals the phone, the best defense is to force them to authenticate before running some apps, such as financial apps. Cash app can do this as they document in this undated support article: Enable Security Lock Require a PIN or Touch ID or Face ID to make payments from your Cash App.
- They Were 'Calling to Help.' Then They Stole Thousands" by Becca Andrews in Wired (Feb. 2022). About a women who was scammed. One part describes the problems trying to get control back of the Cash App.
PAYPAL top
- October 2, 2024: PayPal's data sharing controversy: New setting raises privacy concerns by Ashwin for Ghacks.net. Quoting: "A report by 404 Media claims that PayPal has opted in users, without their explicit permission, to share their data with marketers. Why? Well, the company wants to offer users a 'personalized shopping experience'." The change seems to be region specific, indications are that this is primarily in the U.S. To opt out:
Settings -> Data & Privacy -> Manage shared info -> Personalized shopping -> OFF
From Paypal: Notice of Amendment(s) to the United States PayPal Agreement(s) Last updated September 23, 2024
- SCAM INVOICES FROM PAYPAL
This is really bad: a compromised or fraudulent PayPal Business account is used by bad guys to send emails and invoices that could not look any more realistic.
- February 9, 2023: Time to say goodbye to Paypal by David Strom. Quoting: "I have been a user of Paypal ever since, well, forever, but certainly for at least 25 years by my guess. Today I closed my account, thanks to having gotten several invoices from fraudsters." This article is about the same issue Brian Krebs covered in August 2022. Strom makes an excellent Defensive Computing suggestion: to firewall your banking infrastructure. Quoting again:
"...you should have a separate bank account that is just used as a repository for your online transactions. Ideally, it should be at a different bank than your 'real' accounts. Just keep a small balance there when you need it. Or use credit cards and accept the 3% processing fees are the cost of using them."
- August 2022: PayPal Phishing Scam Uses Invoices Sent Via PayPal by Brian Krebs. The scam emails are actually being sent by Paypal. The scam invoices that the emails link to are hosted on the real Paypal website. Yet, fraudulent. The scam part of the emails is the phone number to call to dispute the phony charge in the phony invoice. In one case, the only tip-off that this was a scam was when the bad guys tried to install remote control software on the victim's computer.
- October 2022: YouTube video Don't be FOOLED by this PayPal Scam! by
BlackBeltBarrister (6 minutes). A bit long-winded but useful for the screen shots. Initial email is actually from Paypal. The link in the email takes you to the real Paypal website, at
paypal.com/invoices/etc.etc.etc.
Clicking on either button in the Paypal web page starts a conversation with the bad guys. They may ask for personal details or to install remote control software on your computer.
- This is the Paypal service the bad guys are exploiting: Free Paypal invoicing service
- SCAM ACCOUNTS OPENED AT PAYPAL
Based on my personal experience, I would avoid Paypal. They are clearly a shit company. Here is some proof:
- Paypal lets bad guys open accounts using email addresses they do not own. The are fine with this, as they have allowed it for over a decade.
- In June 2024, Paypal and I were both scammed using one of my many email addresses. I was sent three emails on the same day by Paypal (I looked at the headers to validate that the messages really came from them).
- The first email subject was "Please confirm your email address". I did not respond.
- The second email subject line was "We need some information from you." Again, I did not respond.
- The third email subject was "Welcome to paypal".
- A bad guy was able to open an account despite Paypal never getting the information they asked for.
- Not knowing the extent of the rot at Paypal, I sent them the third email, and told them about the scam. They responded that it was a normal scam, sent by a bad guy. Their tech support is too stupid to realize that they sent these messages.
- I kept at it, pestering them via email. Their next response was that my main email address had no account associated with it. Of course it didn't. The person who responded to my 2nd email never read the first one. Now, they wanted a screen shot showing that their email was sent to my alias address rather than my main account. I do this.
- And, the incompetence continued: Next they wanted me to email them from my alias email address to prove I own it. I do so and that message is never responded to.
- The next day, after 4 emails with Paypal, they had still not closed the scam account. I know this because I got another email from them with this subject line:
"You've added a new email address to your PayPal account". They let the bad guy add this email address
4828864193998837635UEP@paypal.com to the scam PayPal account.
- I complained again. No response.
- I thought that perhaps the bad guy had hacked my email and was getting a copy of the same emails that I was seeing, so I asked my email provider, Fastmail about this. They responded that they were sure I was the only person getting emails to this alias address of mine. If you ever thought that email was not worth paying for, I disagree. Tech support from Fastmail is indeed worth paying for when things go wrong - and things always go wrong.
- As further proof that Fastmail is worth paying for, their tech support found that this has been onging since at least August 2018. Stephanie Dixon wrote about the same thing happening to her. See Unverified emails and security at PayPal. Quoting: "I discovered that Paypal allows people to open accounts without verifying the email address that the person provided." The initial response to her complaint was even stupider than the responses I got. Paypal told her to just block their emails. Clearly, Paypal is a shit company.
- In her article, Stephanie Dixon found others with the same complain going back at least 6 years. And, that was in August of 2018. So, now (June 2024) this has been an ongoing problem with Paypal for at least 12 years. Did I mention that Paypal is a shit company?
- Here is an article about this from July 5, 2012: My email add used by someone else
- Force the entry of a pin code before the Paypal mobile app can be used. From How do I enable PIN login from PayPal's mobile app?. Steps:
log in to the PayPal app -> Settings cog -> Login and Security -> Change your PIN -> Enter a new 4-8 digit PIN, twice
- Report suspect messages from PayPal (email, text, whatever) to phishing@paypal.com and/or spoof@paypal.com and/or unsolicitedemail@paypal.com
- Learn About Scams from Paypal
- If you sent money to a scammer, contact PayPal at 888-221-1161 or use their Resolution Center
- How to Spot a Fake PayPal Email from Paypal (Sept 2021).
They do typically use email to contact their customers about both their PayPal and Venmo accounts.
- How to Keep Scammers From Gaining Access to Your Account with PayPal from PayPal (July 2021)
TAXES IN THE US top
UPDATE December 24, 2022: At the last minute, these reporting requirements were relaxed. But, next year...
People using mobile payment apps like Venmo, PayPal and Cash App are required, starting with income earned in 2022, to report commercial transactions totaling more than $600 per year to the IRS. Cash apps in the US must report payments to the IRS of more than $600 a year received for goods and services. Under the old rule, these cash services only provided their users a 1099-K form if they received more than $20,000 and had more than 200 transactions. Money received from friends and relatives as personal gifts or reimbursements for expenses is not taxable. If, however, there’s a mistake and personal payments get misclassified, the IRS says to sort it out with the app company.
APPLE CASH top