Cash App Scams: Legitimate Giveaways Let Opportunistic Scammers Thrive
Scammers target vulnerable Cash App users on Twitter and Instagram through fake requests, money flipping and mobile application referrals, while YouTube videos promote fake Cash App generators. Here’s what you need to know.
Cash App, the popular person-to-person (P2P) payment service application from Square, has been steadily growing since its debut in late 2013. The service’s growth has been fueled by a promotional marketing campaign offering cash giveaways to those who engage with the brand on various social media platforms. The success of these promotions, in turn, is emboldening an army of scammers who employ a variety of cons to separate social media users from their hard-earned cash.
A look at the numbers makes it easy to see why Cash App is such a promising target for scammers. According to an August 2019 MarketWatch article, Cash App received a whopping 2.4 million downloads in July 2019. The same article notes Cash App has been downloaded 59.8 million times since its 2013 launch, outpacing its biggest competitor, Venmo, which has been downloaded 52.7 million times.
Music has played a role in fueling Cash App’s popularity, as 200 rap artists have namechecked the app in song lyrics and used the app to give money to fans, whether “just because,” as Lil B did, or as part of a giveaway promotion for scoring a number one album, as Travis Scott did.
Some consumer brands have also activated marketing campaigns using the service. For example, Burger King began its Whopper Loans promotion by teasing a giveaway using Cash App.
got student loans? what's ur $cashtag? — Burger King (@BurgerKing) May 22, 2019
This two-part series details the practices I uncovered while researching these scammers from July to September 2019. This research is not meant to be a comprehensive overview of all such scams; rather it’s an analysis of behavioral trends among a group of scammers targeting the popularity and interest around one particular application.
Here, in part one, I explore how Cash App’s soaring popularity is attracting opportunistic scammers and their methods of operation on Twitter and Instagram. In part two, I provide further details on the tactics used by Cash App scammers on Instagram, as well as examine videos hosted on YouTube, which claim to provide ways to earn “free money” and “hack” Cash App. In addition, I provide guidance and advice on how users of the P2P payment service can avoid being conned.
#CashAppFriday and #SuperCashAppFriday Giveaways
Since 2017, Square has been running a weekly giveaway to Cash App users under the hashtag #CashAppFriday and, in one instance, #CashAppWednesday. The premise is very simple: Cash App posts about the giveaway every Friday using #CashAppFriday or #SuperCashAppFriday on Instagram and Twitter, and users enter by sharing the post to their story, retweeting it or replying to it with their $cashtag, a unique ID that makes it easier for users and businesses to send and receive money. The company randomly selects winners and deposits an unspecified amount of money into their Cash App accounts. More recently, the company launched another giveaway called #SuperCashAppFriday, offering total prizes from $10,000 to $75,000 and depositing anywhere between $100 and $500 into Cash App user accounts.
Needless to say, #CashAppFriday has been extremely popular. Each week, it is one of the top trends on Twitter, receiving thousands of tweets during each event.
On Instagram, a recent Cash App giveaway of $75,000 resulted in Instagram limiting comments on the post, showcasing just how popular these Cash App giveaways are.
Unsurprisingly, Cash App’s legitimate giveaways are a breeding ground for scammers.
Seeding #CashAppFriday Scams
The most obvious place to find Cash App scammers is in the replies to Square’s Cash App social media accounts on Twitter and Instagram during #CashAppFriday and #SuperCashAppFriday.
Cash App scammers tend to post some variation of the same theme: giving away “X” amount of dollars to the first “Y” number of users to retweet this tweet. They’ll also ask users to reply with and/or send them a Direct Message (DM) with their $cashtags.
However, not all Cash App scammers reply directly to @CashApp on Twitter. Instead, they’ll “ride the hashtag” because Cash App’s hashtags always trend on Twitter.
In the course of my research, I’ve also encountered some Cash App scammers not using any of the Cash App hashtags whatsoever. These typically involve the same promise of a giveaway to the first X number of users who retweet and include their “cashapp name” ($cashtag).
Check The Replies
In the tweets from Cash App scammers, you’ll often find a sea of $cashtags from users in the replies, similar to what you’d find in the replies to the real @CashApp Twitter account. Interspersed through these replies, you’ll see the Cash App scammer replying with “Dm me” messages to potential victims.
Interestingly enough, some of the Cash App scammers use their other scam accounts to foster fake engagement by liking, retweeting or replying in an effort to create a sense of legitimacy around their scams.
Case in point: A Cash App scam account named “Eva” tweeted out a giveaway to the “first 900” people. In the replies to Eva, three separate Cash App scam accounts responded claiming the offer is legitimate, even including screenshots from Cash App to support their claims. A few red flags are presented here.
First, the screenshots include dollar values less than or greater than the offered amount of $900. Second, the screenshots are from the perspective of the scammer, which is unusual. This is because it says a dollar amount “was instantly deposited to your bank account,” which means money was transferred from Cash App to a bank account, not to a Cash App user. It is unusual because most of the Cash App scammers I’ve observed tend to post screenshots with examples of money being sent to unidentified users.
Finally, and most importantly, look closely at the dollar amount being offered and the number of users eligible for the giveaway. In this case, it is $900 for 900 users, which equals $810,000. When Cash App itself does giveaways, it normally offers a more modest sum of money — as low as $5 per person in some cases. Even in promotions where the giveaway amounts are higher — such as a #SuperCashAppFriday — the offer would never exceed $10,000-$75,000 in total. The math just doesn’t add up, and in most Cash App scam giveaways, it never will.
There are even some instances where different Cash App scammers will encroach on the territory of other Cash App scammers, as seen in the screenshot above.
In addition to seeing such screenshots of Cash App transactions, I’ve also seen some Cash App scammers favorite and retweet videos and images of people holding large sums of cash, claiming they received them from the Cash App scammer. While not confirmed, I suspect these accounts are also owned and operated by the scammers.
Cash Flipping: A Timeless Con
Behind these so-called Cash App scam giveaways, there’s a timeless con at work. It is illustrated in an Abbott and Costello skit, called “Two Tens for a Five,” which begins with an unsuspecting Costello being asked by Abbott if he can exchange two $10 bills for his $5 bill, resulting in a $15 profit for Abbott and a $15 loss for Costello.
In the case of Cash App scams, they follow the blueprint of what’s called money (or cash) flipping. The victims are asked by the scammers to put up a certain amount of money, which can range from as little as $10 to as much as $1,000. The scammers claim they can modify (or “flip”) the transaction after it’s been posted because they have some “software” or because they are a customer service representative, allowing them to change the value in whatever payment service they use (in this case, Cash App). All they ask is that the victim provides them with a small cut for their “services.”
Money flipping isn’t new to social media; it’s been pervasive on Twitter, Facebook, Instagram and Snapchat for years. What makes this particular form of money flipping so nefarious and successful is that it capitalizes on a legitimate giveaway proposition from a reputed company — Square and its Cash App product — and then victimizes people who are hoping to be selected in this legitimate giveaway. In a perverse indicator of their success, it seems the legitimate Cash App giveaways are fueling other money flipping scammers to switch over to Cash App as their product of choice.
It Goes Down In The DM
When users are asked to DM these Cash App scammers, they’ll be told that there’s one more required step before they receive the giveaway prize.
The Cash App scammers claim to be “customer service representatives” at Cash App and talk about how they can “flip transactions from my system.” They then talk about example dollar amounts that can be flipped to higher amounts, starting at the lower end (e.g. $50), all the way up to a larger amount (e.g. $100). They also claim they have proof. If pressed with further questions, the scammers will stop responding.
If a user agrees to the con, they’ll be asked to send the initial payment to the Cash App scammer. The reality is that the Cash App scammer will receive the payment and never respond back to the user after they’ve received the initial payment, leaving the user out in the cold. However, I speculate that in some instances, certain Cash App scammers may offer a smaller “flip” in order to gain the trust of the user first. For example, they may actually deliver on a promise to turn $2 into $20 to prove the “flip” works. It is a minimal investment from the Cash App scammer’s perspective in order to earn the trust of the victim. From there, the scammer will ask the user to try sending them a higher dollar amount, from $50 to $100. This type of trust-gaining flip is likely fairly rare; in my estimation, the majority of users will send a certain dollar amount to the Cash App scammer, never to hear from them again.
Gift Card Scammers Find New Home in Cash App Giveaways
In other cases I’ve observed, some Cash App scammers will ask the recipient to gain their trust by asking them to go to a website or a brick-and-mortar store and purchase a prepaid “gift” card.
In a 2018 article from the United States Federal Trade Commission (FTC), the agency observed a staggering 270 percent increase in the demand for gift card payments from scammers since 2015. Therefore, it is not surprising to see remnants of this trickle into the world of Cash App scams, because it’s a lot harder to trace back theft of funds from a gift card than it is to identify a Cash App scammer using the platform with an associated $cashtag and telephone number.
Abuse of Referral Bonuses
Besides gift cards, another Cash App scam involves the promise of a “blessing” in exchange for the user signing up for cashback services like Dosh Cash and the price-drop monitoring service Waldo, neither of which is affiliated with Square’s Cash App.
Dosh Cash and Waldo incentivize referrals, offering $5 per referral for users who sign up using a referral link or code and link a credit or debit card. As seen in the tweets above, one Cash App scammer convinced a user to sign up for both services. In the DMs, you’ll see this user say “I did my part you need to do yours” and “You told me to do that with the last link and you still didn’t cash app me.” The Cash App scammer this person engaged with has been operating this particular scheme since at least 2018.
Incoming Requests from Cash App Scammers
Typically on #CashAppFriday, Cash App will randomly send money to users replying to its tweets or Instagram posts. Users lucky enough to be recipients of a real “Cash App Blessing” will sometimes share screenshots and thank the company.
The screenshot above shows a genuine interaction from a user who actually received $5 from the real Cash App account. You can tell the requests are coming from the real Cash App account because the $cashtag here is $cashapp.
Still, that hasn’t stopped Cash App scammers from impersonating the company. Instead of sending money to unsuspecting users, the Cash App scammers will use the “request” functionality of Cash App to ask users for money for “verification” purposes.
In the example above, a user initially thought they’d received a “blessing,” but instead were asked to send $10 for “verification” in order to receive $500. The Cash App scammer in this instance used the same profile photo as the real Cash App, but did not have the same name.
In another instance, a Cash App scammer used the same “request” functionality, but their account had a different profile image and the name included a space between the “C” and “ash” in the word Cash. Cash App prevents users from assigning “Cash App” to their Full Name in an effort to squelch name impersonation. Yet, that clearly hasn’t stopped scammers from finding workarounds.
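The two checks described above, the giveaway arithmetic that “doesn’t add up” and the “C ash App” whitespace workaround for the blocked display name, can both be automated. The following is an added illustration written for this article, not Tenable’s or Cash App’s code; its thresholds ($500 per person, $75,000 per event, official $cashtag $cashapp, official handles @cashapp and @cashsupport) are taken from the text, and the sample posts are constructed.

```python
"""Heuristic red-flag checks for Cash App giveaway posts and payment requests.

Added example for this article. Thresholds are the figures the article cites:
real #SuperCashAppFriday events top out at $75,000 in total and $500 per person,
the official $cashtag is $cashapp, and the only official Twitter accounts are
@cashapp and @cashsupport.
"""
import re
import unicodedata

MAX_LEGIT_TOTAL = 75_000        # largest event total cited in the article
MAX_LEGIT_PER_PERSON = 500      # largest per-person deposit cited in the article
OFFICIAL_CASHTAG = "$cashapp"
OFFICIAL_HANDLES = {"cashapp", "cashsupport"}
BRAND_NAME = "cashapp"

# "$900 to the first 900 people" or "500$ to first 50 to retweet"
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)|(\d[\d,]*)\s?\$")
FIRST_N_RE = re.compile(r"\bfirst\s+(\d[\d,]*)", re.I)
DM_RE = re.compile(r"\bdm\s+me\b", re.I)
PAY_FIRST_RE = re.compile(r"\b(verif(?:y|ication)|flip|send\s+\$?\d)", re.I)


def _to_int(s: str) -> int:
    return int(s.replace(",", ""))


def giveaway_red_flags(text: str, author_handle: str = "") -> list[str]:
    """Return the red flags found in a giveaway post (empty list = none found)."""
    flags = []
    if author_handle and author_handle.lstrip("@").casefold() not in OFFICIAL_HANDLES:
        flags.append(f"@{author_handle.lstrip('@')} is not an official Cash App account")
    amounts = [_to_int(a or b) for a, b in AMOUNT_RE.findall(text)]
    first_n = FIRST_N_RE.search(text)
    if amounts and first_n:
        per_person = max(amounts)
        total = per_person * _to_int(first_n.group(1))
        if per_person > MAX_LEGIT_PER_PERSON:
            flags.append(f"per-person amount ${per_person:,} exceeds ${MAX_LEGIT_PER_PERSON:,}")
        if total > MAX_LEGIT_TOTAL:
            flags.append(f"implied total ${total:,} exceeds ${MAX_LEGIT_TOTAL:,}")
    if DM_RE.search(text):
        flags.append("asks the reader to DM")
    if PAY_FIRST_RE.search(text):
        flags.append("asks for a payment, verification or flip")
    return flags


def normalize_name(name: str) -> str:
    """Collapse a display name so 'C ash App', 'Cash-App' and 'CASHAPP' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if ch.isalnum()).casefold()


def incoming_request_red_flags(display_name: str, cashtag: str) -> list[str]:
    """Red flags for a *payment request* whose sender presents itself as Cash App."""
    flags = []
    if BRAND_NAME in normalize_name(display_name):
        # The real account only sends money; it never requests it.
        flags.append("a request for money in Cash App's name is never legitimate")
        if cashtag.casefold() != OFFICIAL_CASHTAG:
            flags.append(f"cashtag {cashtag} is not {OFFICIAL_CASHTAG}")
    return flags
```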
Impersonation Persists in Cash App Scams
I’ve previously reported on the phenomenon of impersonation on social media apps like TikTok. So it’s no surprise to see scammers are using impersonation tactics in Cash App scams in a few ways. The most obvious impersonators in Cash App scams are those posing as the real Cash App or claiming to be customer service representatives at Cash App.
Some impersonation accounts use official image assets from Cash App. Others use assets that are similar, but not exactly the same.
The other interesting aspect of the impersonator above is their claim to also accept payments via Apple Pay, accompanied by a screenshot of an Apple Cash card with over $2,000 on it. Apple Cash is Apple’s own P2P product designed to compete with Venmo and Cash App.
Some impersonators claiming to be Cash App representatives use photos of real people. In the case above, this impersonator calls themselves Nickoli Foxworth. In actuality, Nickoli is using a photo of a Czechoslovakian entrepreneur named Pavol Krúpa.
No impersonation would be complete if Cash App scammers didn’t impersonate Twitter and Square CEO Jack Dorsey.
This same Jack Dorsey impersonator on Twitter was also operating their scam on Instagram, where they had gained nearly 3,000 followers. The impersonator claimed they were “hacked” at 16,000 followers, but it is more likely that Instagram removed their previous impersonation page.
Outside of so-called “Cash App Representatives” and Jack Dorsey impersonations, many of the Cash App scammers are likely using stolen photographs and images of real people to create their accounts.
For instance, one Cash App scammer was using photographs and impersonating an Instagram model named Valentina Adall.
The Cash App scammer, who had 12,000 followers, would post offers for #CashAppFriday. When users would DM them, they’d be given the same spiel about being able to alter transactions into a “larger amount” on Cash App or Apple Pay.
In this instance, the Cash App scammer is asking for $300 right off the bat, which is a lot more than most Cash App scammers ask for initially.
Valentina Adall does have a Twitter account and she specifies in her bio that it is her “ONLY account,” which implies she’s been impersonated on Twitter before.
She was made aware of the Cash App scammer’s impersonation account, sarcastically retweeting one of their tweets saying they look alike and “could be twins.”
Not all impersonations are direct impersonations. I’ve observed a Cash App scam account using photos and video content from Hollywood Dollz member Famous Ocean, but calling themselves “Essence.”
For example, the avatar image used by the Cash App scammer called “Essence” was taken from Famous Ocean’s Instagram page.
In another example, a Cash App scammer calling themselves Patrick Bowker claimed to be “blessing those in need via cashapp.”
In this case, Patrick Bowker is using an image of ex-Google CEO and Chairman Eric Schmidt.
Outside of #CashAppFriday, Cash App scammers also target giveaways not directly affiliated with Cash App but which happen to utilize Cash App as a platform to send money. Alfredo Villa, a popular YouTuber who goes by the name “Prettyboyfredo,” runs Cash App giveaways on his Twitter account for his nearly 400,000 Twitter followers.
When people see these giveaways, they instantly respond with their $cashtags. Responding with $cashtags provides scammers with the information they need to target these unsuspecting users.
A Cash App user tweeted at @Prettyboyfredo, asking him about the giveaway and posting a screenshot of a Cash App request for $20 they received. The message said “congrats you won verify real account to get $1,000.” This is similar to the fake Cash App accounts sending incoming requests that I noted earlier.
These unaffiliated Cash App giveaways appear to be a successful endeavor, as evidenced in the image above. So even if the Cash App scammers aren’t creating impersonation Twitter accounts, they have found it much easier to simply create an impersonation account through Cash App.
Outside of direct impersonations of the Cash App brand, its CEO and notable figures, I believe it is safe to assume the majority of Cash App scammers are using stolen images and video content to create fake personas.
Cash App Phishing
During my research, I also encountered attempts at phishing Cash App users. A user named @dropyourcashtag was riding the #CashAppFriday hashtag, DMing users about winning the giveaway, sending the payment along with a link to a website, saying “go on and receive it.”
Unlike most apps and services, Cash App does not ask for a password. Instead, it asks for an email address or phone number as the username, which triggers a request for a one-time use “login code,” also known as a one-time password (OTP). The code is delivered to the user’s email address or mobile phone, as seen in the image below.
Therefore, Cash App phishing websites will look different from a normal phishing website.
In the example above, the Cash App phishing website prefaces that the cashtag “$cash” (which isn’t affiliated with Cash App) has “initiated deposit of $1000 to your Cashapp.”
The Cash App phishing website uses a valid Secure Sockets Layer (SSL) certificate obtained from Let’s Encrypt and asks for an email or mobile number. It is followed by a second screen, which asks the user to provide their OTP. Inputting an invalid OTP results in an error message, which implies there may be some type of verification happening to ensure the user provides their valid OTP. To safeguard my privacy during this research, I did not provide my OTP.
However, I did observe a Twitter user who proceeded to provide their information to one of these Cash App phishing websites and reached a fake webpage saying “Payment Failed.” The error message would likely trick the user into believing there was merely a technical problem in sending the so-called giveaway payment, rather than a scam.
I was able to identify at least two Cash App phishing links, both of which used the Bitly URL shortening service. Statistics from those two links showed they each received over 500 clicks, mostly from users in the United States with a few clicks from the United Kingdom, Nigeria, Philippines, Australia and Guatemala. While Cash App is available outside the United States, the giveaways for #SuperCashAppFriday and #CashAppFriday are limited to U.S. participants.
Tenable notified Cash App about our research findings prior to publication. A spokesperson for Cash App provided us with the following statement:
"We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that infringe our intellectual property rights (e.g., use our name or logo without permission) or seek to take advantage of our customers.
As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer’s PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, @cashapp and @cashsupport, both of which have blue, verified check marks. If you believe you have fallen victim to a scam, you should contact Cash App support through the app or website immediately."
In part two of this series, I provide details on how Cash App scammers similarly operate on Instagram and explore how scammers are creating YouTube videos claiming to offer ways to earn free money through Cash App by downloading apps. Part two also includes tips and best practices to help users avoid falling for these schemes.