Without warning, hackers drained every dollar of cash, stock, or bitcoin out of accounts linked to Cash App, Square’s (SQ) popular payments platform, six of its customers told Yahoo Finance.
Cash App functions as a substitute bank for many of its more than 36 million monthly users.
“I had to sell my car seat that I just bought for my baby that I’m going to have in a couple of months, so that I could feed my kids, because I have no money now,” Shania Jensen, 24, a Cash App user from Utah, said about her account shortly after it was drained of nearly $3,000.
Jensen, one of six Cash App customers who recently told Yahoo Finance they were targeted by unauthorized transactions, said when she went to bed on the evening of March 5 her money was in her account, and by 7 a.m. the next day, it was gone. She said she filed a police report, a complaint with the Better Business Bureau (BBB), and reported the matter to Utah’s attorney general.
Mobile payment platforms such as Cash App, as well as PayPal (PYPL), PayPal’s Venmo, Google Pay, and bank-owned Zelle, have seen a rise in downloads during the COVID-19 pandemic, and with the increase, a jump in the number of app reviews mentioning the word “scam” or “fraud” for all except Zelle, according to mobile intelligence firm Apptopia.
Cash App — which accounted for nearly half of Square’s profit in the most recent quarter — stands out for its wide range of available transactions. It accepts direct deposits for paychecks and government stimulus funds, processes peer-to-peer transfers, offers its own branded debit card, and permits users to buy and sell stock and bitcoin (BIT-USD) within the app (as of March 17, it lets users send bitcoin to other Cash App users for free).
The six Cash App customers said repeated efforts to talk directly with a human being at the company to help them get their money back were largely unsuccessful, exhausting, and stressful. Cash App acknowledges that it has no live phone support “generally available,” but says it views fighting fraud as critically important and has invested in technology to flag potential scams.
‘85% of the apps we look at have some sort of security or privacy issue’
Over the past year, the Better Business Bureau (BBB) has “closed” or looked into 2,485 complaints concerning Cash App, and 3,532 concerning Square, where customers have also logged Cash App complaints. Complaints handled concerning Venmo for the same timeframe totaled 928, for Zelle 83. PayPal, which has 377 million active accounts, had 7,215 complaints.
Though the BBB does not disclose its volume of pending complaints, Lori Wilson, president and CEO of the BBB’s San Francisco Bay Area and Northern Coastal California chapters, said the number of closed complaints is “probably” the metric that best reflects total complaints.
According to the Consumer Financial Protection Bureau (CFPB), over the past three years, the agency received 1,559 complaints concerning Cash App’s parent company, Square, under which any Cash App complaints are filed. The majority of the complaints involved money transfer, virtual currency, or money services issues.
Mobile intelligence firm Apptopia says certain payment apps have been flooded with scams since the pandemic. Total mentions of the words “fraud” or “scam” in app user reviews jumped 335% for Cash App in February 2021, compared with February 2020. PayPal saw a 191% increase and Venmo saw a jump of 84%. Zelle, however, declined 9%.
Of course, mere mentions of the words fraud or scams in reviews can’t reveal precisely how vulnerable an app is, according to computer forensics expert Andrew Hoog of mobile app security firm NowSecure. Still, it makes sense that Zelle might have fewer instances of fraud given the cohort of big banks invested in improving the platform.
“What I’ve generally seen is that the security and privacy of the app increases significantly under the scrutiny of a large, mature institution,” Hoog said.
Hoog said mobile apps and mobile websites, in general, are particularly vulnerable to hacks. “85% of the apps we look at have some sort of security or privacy issue,” he said. “What I’ve seen for over 10 years, and rather depressing since I’ve been working on this problem for so long…that metric hasn’t really changed.”
In response to questions about the users’ concerns over Cash App’s security vulnerabilities, a Cash App spokesperson told Yahoo Finance that it continues to invest in fraud-fighting staff and technology resources.
“We are constantly improving systems and controls to help prevent, detect, and report bad activity on the platform,” a company spokesperson said, adding that Cash App recently released an AI-driven feature to flag potential scams and began sending SMS text messages to alert customers of suspicious login attempts.
Hoog said while Cash App’s parent company Square is not comparable in its security sophistication to a tier one bank, it is highly respected within the app development industry for its application programming interface (API), back end programming features that allow different apps to talk to each other.
“Sick to my stomach” over Cash App hack
While Square’s API is well regarded, the allegations of scams on Cash App’s platform are alarming. Britt Soderberg, a California business owner, said he was scammed out of approximately $21,000 on Cash App. Soderberg said starting in August, hackers repeatedly generated false refunds in the app, from his bank account to his authentic contacts. Once his authentic contacts returned the money to his Cash App account, hackers seized the cash to purchase bitcoin, then transferred it to an unknown bitcoin wallet, Soderberg said.
In another scam involving bitcoin, all $1,850 was wiped out from the Cash App-linked bank account of a Bay Area freshman pharmacology student, according to the student, who contacted Yahoo Finance on Twitter about his concerns, and asked to remain anonymous over fears that disclosing more personal information could compound his financial misfortunes.
The student said hackers converted the funds to Tesla (TSLA) stock, then to bitcoin (BIT-USD), then out of his account entirely. The ambush, he said, happened over a 10-minute span on Feb. 22, starting with a 10:17 a.m. “instant sign in” text message that appeared to come from Cash App.
The text seemed to be a genuine notice of a fraudulent attempt to log into his account, he said. At the time, he said he had been using the app for two years, without incident, and had activated security features including two-step authentication, face-ID, and a required pin entry for every transaction.
“It’s their official domain. It’s the Cash-dot-App domain,” he said about the URL within the message. At 10:21 a.m., a similar text followed with a link connecting him to his account, he said. There, he double checked that his security settings and accounts appeared as they should. At 10:27 a.m., hackers began a series of cash withdrawals used to buy Tesla stock — a first transaction processed $1,000 worth of shares, then $500, then $250, then $100. Immediately, the stock was sold and the proceeds were sent to a bitcoin wallet.
“When all this was going down I received no notifications whatsoever,” the student said, bewildered that the hackers also blocked Cash App from sending its regular transaction confirmations.
He said Cash App responded to his first report of fraud, via email, saying initially that only his bank could initiate a dispute over the withdrawals. He said repeated requests to talk with a Cash App representative were unsuccessful.
“I’ve literally been sick to my stomach every day because of this company…and it’s still happening, that’s the sad thing,” he told Yahoo Finance.
‘They’re completely ghosting you’
Cash App has been criticized by some customers, including on its Cash Support Twitter account and Reddit, who say they’re frustrated with its security breaches, nail-biting delays in response to reports of stolen funds, account deactivations, and largely automated customer service. The company has also been accused in a putative class action lawsuit of violating consumers’ rights to dispute fraudulent transactions under the Electronic Fund Transfers Act.
Cash App acknowledges that a phone number on its site prompts a recording instructing account holders to contact a Cash team member through the app. Customers say those options often spur a communication loop where bots rather than humans handle their reports of fraud.
“It’s almost like an abusive relationship where you’re trying to get a hold of somebody and they’re completely ghosting you,” said Jensen, the 24-year-old who says her account was drained overnight.
In Jensen’s case, Cash App successfully blocked two fraudulent attempts to withdraw approximately $2,600 from her account, she said. Minutes later, she said, the hackers withdrew smaller amounts of $1,600, $1,000, and $500.
“I don’t know how this didn’t get flagged,” Jensen said. To add to her frustration, she said, Cash App’s representatives were available only through call back requests, handled at Cash App’s convenience.
Cash App’s lack of readily available phone agents has also been exploited by fraudsters who set up imposter company contact numbers to steal customers’ account information, according to ABC’s WLS Chicago, WRIC Richmond and WTVD Raleigh.
Lance Gibson fell victim to the scheme.
On Jan. 26, he noticed $301 missing from his Cash App account and Googled a way to call the company. He did not realize his search had generated an imposter customer service line, and a fake company agent asked him to prove his identity using a verification app from the App Store. Within minutes of downloading the app, he said, $1,665 in his linked bank account had disappeared.
Gibson said four days after his bank credited him for his loss, he received an auto-generated email from Cash App informing him his case had been closed. To make matters worse, he said, his bank required him to relinquish the credited funds because Cash App declined to designate the disputed transaction as fraud.
“I might have to take out a personal loan to pay my rent this month,” Gibson said.
Soderberg and the student, who both permitted Yahoo Finance to share their “$Cashtag” account identities with Cash App, said Cash App contacted them by email after Yahoo Finance relayed the information. While both said Cash App offered to assist, they’re unsatisfied with Cash App’s response so far.
While he says he lost $21,000, Soderberg said Cash App has so far deposited only a $267 “provisional credit” to his account. Meanwhile, the student said Cash App agreed to re-deposit certain stocks removed from his account.
Cash App has refunded Jensen’s money in full, she said.
Both Soderberg and Jensen said Cash App suggested, without explanation, that their accounts may have been accessed by way of their respective linked emails and that they allowed the unauthorized events to occur.
All of the users said they would like Cash App to explain exactly how their accounts were compromised.
Alexis Keenan is a legal reporter for Yahoo Finance and former litigation attorney.
Follow Alexis Keenan on Twitter @alexiskweed.