Business Digital Banking Hero
Return to Insights

Don't fall for this payment app fraud


Many of us use digital payment applications such as Venmo, Cash App, Zelle® and Paypal. As these apps become more popular, they also increasingly become a target for cybercriminals.

Cybercriminals are targeting digital payment app users by sending text messages that look like a fraud alert from your bank. Once you respond to the message, the fraud perpetrators will call you and ask you to reverse the money transfer. In actuality, you will be sending a payment to a bank account under the control of cybercriminals.

Watch out for this scam

The latest round of fraud involving digital payment apps is complicated and cybercriminals have gone to great lengths to make it seem like you’ve received texts and calls from your bank. These schemes use sophisticated phishing and social engineering tactics that convince you to send money using digital payment apps that are connected to your bank accounts. These apps allow you to transfer money quickly and from your phone, making them ideal for cybercriminals.

Here's an example of the scam:

  1. A consumer receives a text that appears to be from their bank. It will look like an account alert asking them to verify a recent payment, asking them to reply Yes or No.

  2. If the consumer replies to the text with “No,” they will receive a phone call that appears to be from a legitimate phone number.

  3. When the customer answers, they will be speaking with someone who claims to be from the fraud department at their bank. That person will talk the consumer through steps to seemingly halt the payment.

  4. The fraudster then instructs the customer to change their email address in their mobile payment app. The result is that when the consumer tries to “reverse” the transaction, they instead send money to an account controlled by the cybercriminal.

Understand how it’s done

This scam and many other recent ones have shown us that cybercriminals are becoming much more advanced. In these new techniques, the perpetrators are well-researched and employ professional language free of typos or misspellings.

These schemes are very targeted. Prior to texting and calling their victims, fraudsters already know their financial institution, addresses, social security numbers and last four digits of bank accounts, all obtained from prior data breaches at other third parties. They then use your personal information to gain credibility and make it appear like they are calling from your bank.

The other way cybercriminals gain credibility is by making the victims complete the transaction themselves. By having the victim use their bank’s mobile application, nothing seems out of the ordinary. The victim does most of the work such as changing the email, adding it to a bank account and initiating the payment. The victim believes they are sending this payment to themselves to reverse a fraudulent transaction. The entire process can take days and the victim won’t notice until they see a substantial amount missing from their bank account.

Protect your data and accounts

These scams are hard to spot, but there are a few things you can do to keep your accounts safe.

  • Don’t respond directly to texts or calls.

    If you receive a text or call about potential fraud, it is best to go directly to your financial institution website and find the phone number. This will ensure you are not calling a fake phone line set up by the fraudsters. Remember, cybercriminals can spoof numbers and make it appear legitimate.

  • Be wary of the information being shared with you.

    One of the biggest red flags is how much information the cybercriminal appears to know about you already. When you call the number and the person on the phone provides your email address and social security number, this may be a fraudulent interaction. Fraudsters use this information to appear legitimate. If the caller seems to know everything about you already, this can be a sign you are being targeted.

  • Enhance your account security

    We recommend enabling Multi Factor Authentication (MFA) for all financial accounts. This can provide your account with an extra layer of protection. Never provide your MFA codes to anyone, especially if they ask for it over the phone or in text.

  • Do not transfer funds.

    Your bank would never ask you to transfer funds to prevent fraud. If you suspect fraud, call the number on your card or from your bank’s website.