Scammers looking to piggyback on the #CashAppFriday trending topic on Twitter are stealing between $10 to $1,000 from each victim that falls for their efforts.
According to researchers at Tenable, the scams include phishing (with some links garnering up to 500 clicks each), a hoax called “cash-flipping” and user impersonation (some have even impersonated Twitter and Square CEO Jack Dorsey), among others.
The legitimate Cash App Friday is a marketing ploy; the money-transfer app (owned by Square) tweets out a picture, and people are supposed to comment on the posting and include their “cashtag” (user ID) for the app. The company then randomly selects users on the thread to give money away to in what it calls “a blessing.” It’s attracted a lot of notice; the Cash App Friday promotion has garnered 1.2 million Twitter mentions, with a reach of 1.4 billion in the past year alone, according to Tenable stats.
Tenable researcher Satnam Narang said that on the phishing front, scammers will direct message (DM) those who have commented on the legitimate posting, claiming that they’ve won the #CashAppFridays giveaway and sending them a website link.
If the target clicks on the link, it takes them to a website says that the cashtag “$cash” has “initiated a deposit of $1,000 to your Cash App.” Then, “the website uses a valid SSL certificate from Let’s Encrypt, a non-profit certificate authority, to ask for the email or phone number used to sign into the Cash App,” Narang wrote. “When the user provides the information, a ‘payment failed’ notification pops up on a fake webpage.”
Pulling statistics from two of the phishing URLs, Tenable identified that each link received over 500 clicks each, mostly from U.S. users.
Another scam involves DMing users about “cash-flipping,” promising to modify (or “flip”) a transaction to change the value of money housed in Cash App. The victims are asked by the scammers to send them a certain amount of money, which can range from as little as $10 to as much as $1,000. The scammers claim they have special “software” that will allow them to change the value, and say they will only take a small cut for their services. In reality, they simply steal the money.
— ryan (@lavaburst1989) October 5, 2019
“Money flipping isn’t new to social media; it’s been pervasive on Twitter, Facebook, Instagram and Snapchat for years,” according to Narang’s research, released on Thursday. “What makes this particular form of money flipping so nefarious and successful is that it capitalizes on a legitimate giveaway proposition from a reputed company — Square and its Cash App product — and then victimizes people who are hoping to be selected in this legitimate giveaway. In a perverse indicator of their success, it seems the legitimate Cash App giveaways are fueling other money flipping scammers to switch over to Cash App as their product of choice.”
For impersonation scams, fraudsters will claim to be famous Instagram models, celebrity executives or Cash App customer service representatives supposedly posting offers for #CashAppFriday, according to the Tenable research. “These efforts use “official image assets from Cash App, or images that are similar but not exactly the same. In some instances, they’ll even use real photos of people, oftentimes business headshots of entrepreneurs that appear professional. One scammer calling themselves ‘Patrick Bowker’ used ex-Google CEO Eric Schmidt’s headshot for his Twitter profile picture.”
If users DM a scammer, they’re given the same cash-flipping spiel, and are told that they can alter transactions into “larger amounts” on Cash App.
“While legitimate giveaways from Cash App and artists and celebrities may pique your interest, it is important to proceed with caution, because Cash App scammers are like sharks in a pond,” according to the research.
To avoid falling for scams, Cash App fans should take note that “flipping” is not a real phenomenon, and that neither Cash App nor any artist or celebrity offering to give away money will ever ask someone to send money as a form of verification. In addition, users should be wary of any links randomly sent via DM.
For its part, Cash App issued a statement: “We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that infringe our intellectual property rights (e.g.: use our name or logo without permission) or seek to take advantage of our customers. As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer’s PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, @cashapp and @cashsupport, both of which have blue, verified check marks. If you believe you have fallen victim to a scam, you should contact Cash App support through the app or website immediately.”