Scammers are targeting Cash App users hoping for free money

A trite phrase but true: if it seems too good to be true, it probably is.

BEC scams: Number one cause for cyber-insurance claims in 2018

#CashAppFriday. A popular trend on Twitter, this hashtag is used to promote cash giveaways, with users offering rewards for those who like, retweet, or comment on their posts. 

Perhaps some of these "blessings" are legitimate. However, little comes in life for free -- and with the lure of cash spread across the Internet on Fridays, the theme has become a hotbed of scams. 

Cash App scammers are seeking to capitalize on #CashAppFriday, researchers from Tenable say, via Instagram and YouTube, with $10 to $1,000 being stolen from victims. 

Cash App Friday began as a legitimate giveaway. The person-to-person (P2P) payment service, owned by Square, launched the campaign as a promotional tool. Entrants use their Instagram and Twitter accounts to enter the sweepstakes by commenting or retweeting the company's posts. 

See also: Malicious lifestyle apps found on Google Play, 30 million installs recorded

In return, Cash App selects eight winners and gives them $500, no strings attached; 12 people receive $250, and 30 are given a $100 prize. 

On Instagram, hopeful entrants leave comments on Cash App Instagram posts. Scammers then jump on these posts using fake accounts pretending to be the legitimate firm, such as one named $cshfridayoffical, and request money for verification purposes. As an example, users would be asked to send $10 or $20 in order to claim $500. 

Other fraudsters take another approach. Rather than targeting #CashAppFriday directly, they will look for commenters and follow them, hoping to entice users into fake cash flipping scams. 

These cash 'flippers' claim they can turn small amounts of money into far larger amounts -- such as $7 into $120 -- and may also use limited-time only deal offers to ensnare Instagram users.

In one example, a user under the name "Money Flip Queen" said that participants in cash flipping needed to have at least $25 stored in Cash App or a bank account. Likely doctored images displayed on the profile apparently show the successful money flips, and given this incentive, it is possible some fall for the ploy. 

CNET: Facebook's Libra cryptocurrency gets a 'hell no' from Twitter CEO Jack Dorsey

In these situations, the scam artist would pretend to have some key knowledge of how to tamper with online app transactions, and once they receive payment from the victim, they would promise to 'flip' the funds and boost their bank balance, all out of the goodness of their hearts. 

Naturally, once the money has been handed over, the scammer walks away with the proceeds and no such 'flip' occurs. 

YouTube, too, has become a hotbed of #CashAppFriday scams. A quick search reveals countless uploads promising to show viewers how to hack Cash App. 

Videos tend to tell the same story -- a Cash App with $0, a visit to a website asking for a Cash App $cashtag ID, and the selection of how much money they want, ranging from $10 to $999, and the successful generation of money out of thin air in return for doing nothing more than installing and executing a few mobile apps. 

TechRepublic: Top 5 ways organizations can secure their IoT devices

It is the mobile applications, which may masquerade as games or utilities, that may generate illicit funds for scam artists -- such as through malvertising or commission per installation models -- or if they contain malicious code capable of compromising victim devices. 

A lure that fixes itself directly in the heart of many, free money, is difficult to ignore. But as the saying goes, if it's too good to be true, it most likely is. 

Cash App will never ask you for money to 'verify' your account and this technique is an old one used across phishing schemes the world over. Some cash giveaways may be legitimate, but if you choose to enter them, never hand over sensitive financial information or your own money -- no matter how good the deal seems to be. 

A Cash App spokesperson told ZDNet:

"We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that seek to take advantage of our customers or infringe our intellectual property rights (eg: use our name or logo without permission).

As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer's PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, @cashapp and @cashsupport, both of which have blue, verified check marks. If you believe you have fallen victim to a scam, you should contact Cash App support through the app or website immediately."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0