$40 million.
That’s how much money Venmo lost during the first three months of 2018 [1].
Meanwhile, users of other payment apps – such as Zelle® and Cash App – filed complaints of losing money as well.
The culprit?
Payment app fraud.
Scammers are now using peer-to-peer (P2P) payment apps to make fraudulent purchases and money transfers. They rely on the apps’ speed and ease – as well as users’ lack of knowledge – to steal up to thousands of dollars within moments. Worst of all, there is no guarantee that the fraud victims will be fully reimbursed for their losses.
If you’re a payment app user, be on the lookout for scammers. Below, we’ve outlined common scam scenarios plus tips on how to protect yourself.
“I’m sorry, ma’am – your card has been declined.”
Amber sat at her favorite restaurant, confused. She knew perfectly well that there was plenty of money in her checking account. So, why did her bank decline her payment?
“Will you excuse me for a moment?” Amber asked the waiter as she logged into her mobile banking app. This must be a mistake, she thought.
Unfortunately, it wasn’t. Amber’s checking account was completely empty.
Fraught with concern, she searched through her transaction history. There, she found a series of Zelle payments totaling $3,000.
“How is this possible?!” Amber asked herself. “I don’t even own a Zelle account!”
Unauthorized fund transfers take many forms, but in the case of P2P payment fraud, one occurs when a thief uses stolen information to transfer money out of a bank account using a payment app.
While the above story is fictional, the scenario is quite common. In fact, consumers across the country have reported fraudulent Zelle payments ranging from $190 to $6,400. Although Zelle has taken much of the heat, payment apps such as Venmo and Cash App are equally susceptible to fraudulent fund transfers. Worst of all, none of these payment apps offer fraud protection for consumers.
Due to Regulation E, banks have a responsibility to protect consumers from unauthorized electronic transfers. However, once your money is stolen, it may take weeks to get it back. Plus, there is no guarantee that your bank will reimburse you for the full amount.
For each case, it isn’t always clear how the crime occurred. However, there are a few possible scenarios:
Credential Stuffing: This describes when hackers acquire a list of legitimate login credentials from data breaches. Because many consumers re-use the same credentials across multiple websites, hackers can use these stolen credentials to access online banking accounts. Once access is granted, the hackers will set up fraudulent P2P payment accounts and use the stolen information to transfer money out.
Social Hacking: This describes when a thief contacts and manipulates a person to get access to private information. In the case of payment app fraud, a scammer typically calls or emails a person with a spoofed number from a bank to “confirm” secret information. This includes temporary passcodes, zip codes, or any information that could unlock a user’s financial account. The scammer will then use the hacked information to create a payment account.
Card Skimming/Stolen Card Numbers: Payment apps typically require users to verify bank information, but verification is not required for debit or credit cards. In the case of card skimming, a scammer will install an electronic skimmer to read and download credit or debit card information. However, electronic skimmers are not necessary for stealing card information – anyone with access to your credit or debit card can steal your information at any time. Once this information is stolen, the scammer will add it to an existing payment account and make fraudulent transfers.
“Borrowing” Phones: In this scenario, a scammer will fake an emergency and ask to borrow a smartphone to call a friend. With access to an unlocked phone, the scammer also has access to the phone’s mobile apps. Because most smartphone users enable auto-login for their apps once the phone is unlocked, the scammer can quickly log into a payment app to transfer money out of the linked account.
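From the defending side, the credential stuffing scenario above leaves a recognizable trail: one source tries many different accounts, mostly fails, and then enrolls a compromised account in a P2P service. The sketch below is an added example, not part of the original article; the log format, thresholds and account names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs): time, source IP, account, event, outcome.
SAMPLE_EVENTS = """\
10:00:01 203.0.113.7 alice login fail
10:00:02 203.0.113.7 bob login fail
10:00:03 203.0.113.7 carol login fail
10:00:04 203.0.113.7 dave login fail
10:00:05 203.0.113.7 amber login ok
10:00:40 203.0.113.7 amber p2p_enroll ok
10:01:10 198.51.100.4 erin login fail
10:01:20 198.51.100.4 erin login ok
10:05:00 198.51.100.4 erin p2p_enroll ok
"""

def parse(text):
    """Split each non-empty line into (time, ip, account, event, outcome)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def stuffing_sources(events, min_accounts=4, min_fail_ratio=0.6):
    """Source IPs that tried many distinct accounts and mostly failed."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, account, event, outcome in events:
        if event != "login":
            continue
        accounts[ip].add(account)
        total[ip] += 1
        fails[ip] += outcome == "fail"
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts
            and fails[ip] / total[ip] >= min_fail_ratio}

def accounts_to_review(text):
    """Accounts a flagged source logged into and then enrolled in P2P payments."""
    events = parse(text)
    flagged = stuffing_sources(events)
    entered = set()   # (ip, account) pairs with a successful login
    review = []
    for _, ip, account, event, outcome in events:   # input is in time order
        if ip not in flagged or outcome != "ok":
            continue
        if event == "login":
            entered.add((ip, account))
        elif event == "p2p_enroll" and (ip, account) in entered:
            review.append(account)
    return flagged, review

if __name__ == "__main__":
    print(accounts_to_review(SAMPLE_EVENTS))
```

A single customer who mistypes a password once and then enrolls, like the second source in the sample, is not flagged.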
The main issue behind unauthorized fund transfers is the unauthorized access of private financial information. Payment apps are merely the vehicle to commit theft. With this in mind, use the following tips to ensure your financial information is safe:
Create strong passwords. This point is crucial. Hackers do not need to do mental math in order to gain access to your accounts – instead, they use bots and password cracker programs to do the heavy lifting for them. To protect yourself against these brute force attacks, you must use strong passwords. This means a password with more than eight characters and a combination of letters, numbers, and symbols. Do not use common words, as hackers have dictionary tools. If you must use a word, use an alphanumerical version instead. For example, use Un!c0rNn instead of the word, unicorn.
Use unique passwords. Reuse of login credentials allows hackers to gain access to additional accounts through credential stuffing. Create a unique password for each website. Instead of trying to remember each password, use a password manager to store them. Be sure to change your passwords at least once per year.
Use multi-factor authentication whenever possible. If a hacker gains access to your account credentials, multi-factor authentication ensures they do not get too far. If using a temporary passcode for multi-factor authentication, be sure to keep this information private. Your bank will never ask you to provide this information.
Stay away from public Wi-Fi. By using public Wi-Fi, you expose your devices to malicious behavior. If you must use public Wi-Fi, be sure to use a virtual private network (VPN) to keep your data secure.
Opt for using credit cards with your P2P apps. If a thief uses your payment account to make fraudulent purchases and transfers, you’ll have an easier time getting reimbursed with a credit card. While banks have a responsibility to assist customers with fraudulent charges, there is no guarantee that the full amount will be reimbursed to you.
Disable auto-login. If someone gains access to your mobile device, they have access to your mobile apps as well. Prevent scammers from inflicting damage on your finances by disabling auto log-in for all financial apps. If possible, enable fingerprint lock instead.
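The password tips above can be checked mechanically. The following audit is an added example, not part of the original article: it applies the stated rules (more than eight characters, a mix of letters, numbers and symbols, no common words, no reuse) to a constructed vault and word list, and it undoes common symbol-for-letter swaps before the word check.

```python
import re
from collections import Counter

# Constructed sample data: a tiny word list and a made-up password vault.
COMMON_WORDS = ["unicorn", "password", "dragon", "summer"]
SAMPLE_VAULT = {
    "bank": "Un!c0rNn",
    "email": "Un!c0rNn",
    "shop": "gT7#vq9Lw2!xRm",
}
# Symbol-for-letter swaps undone before the dictionary check.
SWAPS = str.maketrans("0!1345$7@", "oileassta")

def squash(text):
    """Lower-case, undo swaps, keep letters only, collapse repeated letters."""
    letters = re.sub(r"[^a-z]", "", text.lower().translate(SWAPS))
    return re.sub(r"(.)\1+", r"\1", letters)

def audit(vault, words=COMMON_WORDS):
    """Return {site: [findings]} using the rules stated in the tips above."""
    uses = Counter(vault.values())
    report = {}
    for site, pw in vault.items():
        findings = []
        if len(pw) <= 8:                 # rule: more than eight characters
            findings.append("length")
        classes = [r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"]
        if not all(re.search(c, pw) for c in classes):
            findings.append("character mix")
        if any(squash(w) in squash(pw) for w in words):
            findings.append("dictionary word")
        if uses[pw] > 1:                 # same password stored for another site
            findings.append("reused")
        report[site] = findings
    return report

if __name__ == "__main__":
    for site, findings in audit(SAMPLE_VAULT).items():
        print(site, findings or "ok")
```

The swap table is applied before the word check because dictionary tools try the same substitutions.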
Jason was heartbroken.
Concert tickets for his wife’s all-time favorite band were sold out. Now, his wedding anniversary plans were ruined. How was he supposed to tell his wife that he procrastinated until it was too late?
Desperate, Jason searched Craigslist for ticket resales.
2 TICKETS FOR QUEENS OF THE STONE AGE - $180
Perfect, Jason thought to himself. Perhaps our plans aren’t ruined after all.
He contacted the vendor to arrange an exchange.
“Do you have a Venmo account?” the vendor asked. “If you send the money to zaphod.beeblebrox@gmail.com, I’ll email you the tickets when the payment is received.”
“Not a problem,” Jason replied. “Just sent the payment over.”
Ten minutes passed. Jason hadn’t received the tickets.
He emailed the vendor.
“Hey – I haven’t received the tickets yet. Did you receive my payment?”
“Yep - I just emailed the tickets. You should see them in your inbox now.”
Jason checked his inbox – no tickets.
“Hey,” he replied. “I still don’t see them.”
No response.
He emailed again. “So, when are you sending the tickets over?”
No response.
“Crap!” Jason yelled. He immediately picked up the phone to call Venmo’s customer support team.
“Hi - a scammer used your platform to steal $180 from me. Can you refund my payment?”
At the representative’s request, Jason explained the incident at length.
“Sir, I’m so sorry, but we cannot refund your payment.”
“What do you mean, you cannot refund my payment? Someone used your platform to steal my money!”
“Yes, sir, but you authorized the payment.”
A seller scam describes when a thief offers to sell fake goods and disappears once the payment is received. Unfortunately, seller scams are quite common with payment apps. Because these apps were not built for buyer/seller relationships, the P2P payment companies do not offer recourse for the crime. Furthermore, because the buyer initiated the transaction – and banks are only responsible for unauthorized transactions – victims cannot seek support from banks either.
In these scenarios, a scammer will offer to sell goods on classified websites like Craigslist or Facebook Marketplace. To be clear, there is nothing inherently malicious about Craigslist or Facebook Marketplace. The malicious behavior occurs at the point of payment. Instead of using legitimate seller services that offer fraud protection – like PayPal, eBay, or StubHub – the seller will request a P2P payment.
Once the payment is received, the seller disappears and often closes the P2P payment account.
You should always use the following tips when purchasing goods from strangers:
Never send P2P payments to, or receive them from, someone that you do not know personally.
Stick to payment services that offer buyer protection. Examples include PayPal (this also works well for in-person purchasing), eBay, Amazon, Etsy, or StubHub.
Fund your payment with a credit card. If you need to dispute a charge, it will be much harder to do so with a debit card.
For the past month, Jessica had been eyeing a sleek new laptop for her graphic design work. Unfortunately, she couldn’t bring herself to make the purchase – her current laptop was still working, after all. But Jessica told herself that if she could find a buyer for her current laptop, she would go ahead and splurge on a new one.
Lucky for her, she found a buyer through Facebook Marketplace. After a brief conversation, Jessica and the buyer agreed to meet at a coffee shop the following Saturday.
“Hi – are you Jessica?”
Jessica arrived at the coffee shop to find an eager young woman accompanied by another woman of similar age.
“Yes! And you’re Kayla, I presume?”
“I am, nice to meet you. I brought my friend along to help me look at the laptop. She knows more about computers than I do.”
“No problem!” Jessica said as she handed Kayla the laptop. “Here, have a look.”
After twenty minutes of examination and questions, Kayla agreed to purchase the laptop.
“Can I send you the money through Venmo?” she asked.
“Sure! My username is JessRabbit2077.”
“Great – I’m sending you the payment now.”
Jessica checked her Venmo account and found a payment of $2,250.
“Perfect – just received it! Thanks for doing business with me.”
Immediately after the exchange, Jessica drove to the electronics store to purchase her new laptop with glee.
Unfortunately, two days later, Venmo informed Jessica that the $2,250 payment was cancelled. Puzzled, she called Venmo’s customer support team.
“I don’t understand!” Jessica exclaimed. “The money was in my account – where did it go?”
“Yes, ma’am, but unfortunately there was a chargeback on the card. It appears the card owner filed a fraudulent claim.”
“So what am I supposed to do about my stolen laptop?”
“Unfortunately, ma’am, our platform is built for peer to peer payments, not the exchange of goods and services. For this reason, we cannot reimburse you for the laptop.”
A buyer scam occurs when a thief uses a payment app to purchase an item, then disputes the charge, which results in a “chargeback.” To be clear, buyer scams are an issue across all payment platforms. However, because there are no seller protection policies in place, sellers are particularly vulnerable when using P2P payment apps for selling goods.
Scammers rely on users’ lack of knowledge about payment apps to commit their crimes. When a user receives a payment, the money only appears to be in the user’s payment account: payment apps display the new balance on the assumption that the payment will process successfully.
With respect to exchanging goods, if a buyer disputes a charge with the app company or their bank, the seller is responsible for ensuring the money is still available, even if the buyer received the goods.
Selling goods always poses a risk, no matter the chosen platform. With this in mind, there are a few things you can do to minimize the occurrence of a buyer scam.
Never send P2P payments to, or accept them from, someone you do not know personally.
Choose a platform that offers seller protection, such as eBay or PayPal.
Document everything. Describe the item in full detail and request a description confirmation from the buyer. Before shipping the item, photograph the item and purchase shipping insurance. Send the buyer all tracking information, including the shipment photos.
If the buyer disputes the charge, dispute the chargeback and send your documentation to all involved parties.
Do not accept any form of payment except cash. All other forms of payment – including checks, money orders, and wire transfers – can be reversed.
Arrange to meet in a police department parking lot. Across the country, police departments are offering their lots as “safe exchange zones” to help mitigate buyer and seller fraud. Regardless of whether your local department has an official program, most – if not all – police parking lots are well-lit and have 24/7 surveillance. This can help to deter scams.
When it comes to protecting your financial assets, a healthy dose of skepticism is your greatest defense. When making transactions, always proceed with caution, no matter how “safe” a seller or buyer appears to be. If you use our tips and keep your guard up, we’re confident that you can sell and buy online with confidence.
1. Liao, Shannon, “Venmo lost millions from fake payments this year,” The Verge, November 26, 2018.
This insight was published by UFB Direct on October 21, 2019 and last updated on October 21, 2019.