CryptocurrencyInvestingBanksReal Estate

There are new scams on mobile payment apps—and teens aren’t immune

September 22, 2021, 9:00 AM UTC

Peer-to-peer payment apps—mobile apps like Venmo and Cash App that allow users to send payments directly to other users—are surging in popularity, and data from education technology provider Everfi suggest that a large number of teenagers are creating accounts on these platforms.

Everfi surveyed over 26,000 students spanning middle and high school who completed an online course about modern banking and identity protection: 39% of those students reported currently using a peer-to-peer payment app, and another 32% of them planned to get one.

These apps may be a convenient way to split the bill at a restaurant or get paid for odd jobs, but they come with serious risks, and teenagers are hardly immune, despite their presumed facility with digital devices.

The pandemic has helped accelerate the growth of peer-to-peer payment apps—thanks to an increasing demand for cashless payments—but it has also unleashed a new wave of scams that capitalize on the current zeitgeist of anxiety and tumult.  

“Everybody’s off-kilter,” said Ari Lightman, professor of digital media and marketing at Carnegie Mellon University. “There’s so much misinformation, so much anxiety and stress associated with how we’re going to get back to some sense of normalcy…When people are off their guard, when they’re disoriented, they’re susceptible to attacks.”

According to the Better Business Bureau (BBB), peer-to-peer payment scams can take many forms. For example, scammers might connect a stolen credit card to a peer-to-peer payment app, send money to a random user, and request it back, claiming the transaction was a mistake. They will then disconnect the stolen card and replace it with one of their own. When the credit card company recoups the stolen funds, they’ll be withdrawn from the victim’s payment app. 

Lightman points out that scammers can also easily exploit the fact that the Venmo platform defaults to public sharing of users’ transaction history. 

“If I wanted to follow you and get a history of what sort of things [you’re purchasing], what sort of amounts you’re paying, and the frequency of payment, that is information that I know about you that I can then exploit,” Lightman said.

Indeed, the BBB describes a scam in which a perpetrator views a user’s public profile and creates a username that looks nearly identical to that of a legitimate contact. The perpetrator then requests funds from the victim for a seemingly ordinary expense and pockets the money.

The BBB’s 2020 Scam Tracker Risk Report confirms that these scams aren’t isolated incidents affecting a small number of users. Online payment systems (a category that includes PayPal and peer-to-peer payment apps) were second only to credit cards as the most common payment type used in scams, and their prevalence is increasing. In 2018, they were the payment method of choice in only 13% of scams; that number rose to just over 32% in 2020.

That same report also indicates that young adults are highly susceptible to fraud and are losing significant amounts of money to scammers. For the first time since the report was initially published in 2017, people ages 18 to 24 had the same median monetary loss ($150) as those 65 and older, with online purchase scams posing the greatest risk to the younger group.

Nicole Zhangallimbay, 17, has personal experience with this type of scam. She listed a dress for sale on Poshmark, an online marketplace where users can buy and sell used goods. A potential buyer contacted Zhangallimbay about the dress but asked to pay for it with Cash App rather than through the Poshmark app.

“I thought I could get more profit [by using Cash App], because those apps [like Poshmark] always take out money when you sell something,” Zhangallimbay said. “So at first I was so excited.”

But there was a catch. The would-be buyer insisted that she could only transfer funds if Zhangallimbay gave her access to Zhangallimbay’s Cash App account. Zhangallimbay gave the buyer the email address associated with her Cash App account, but the buyer continued to ask for Zhangallimbay’s password as well.

Fortunately, Zhangallimbay saw through the attempted scam and cut off contact with the perpetrator.   

It would be easy to believe that Zhangallimbay’s experience is the norm, and that teenagers, as lifelong digital denizens, are savvy enough to avoid being ensnared in online scams. However, research from Stanford University’s Graduate School of Education suggests that this is not the case.

Professor Sam Wineburg and a team of researchers at the Stanford History Education Group have published studies demonstrating that teenagers are, in his words, “abysmally lacking” in their ability to judge the veracity and credibility of information they find online.

In a 2021 study, researchers partnered with classroom teachers to administer an assessment to over 3,000 high school students. Students completed six open-ended response questions designed to test a range of “civic online reasoning” skills, such as evaluating evidence on social media. Students struggled to ascertain misinformation across all tasks. Though the tasks focused on misinformation of a civic nature, the results suggest that teenagers may have a hard time telling fact from fiction in a variety of online situations.

To be fair to teenagers, Wineburg noted that adults also struggle to evaluate misinformation online; however, the danger lies in adults’ preconceived notions that young people are naturally adept in this domain and therefore need little oversight or training.

“The fact that you can operate a digital device doesn’t mean that you understand the scams, the bad actors…the fraudulent appeals that proliferate on these platforms,” said Wineburg. “We impute to teens a kind of digital savvy that they don’t possess.”

Given the prevalence of scams that make use of their platforms, many peer-to-peer payment apps are taking steps to combat fraud. Cash App has implemented several features intended to protect users from scammers, such as the ability to block senders or recipients in the app and a system that sends text messages to users when their login attempts look unusual. 

Venmo now gives users the option to designate payments that are for goods and services when sending money to a seller in the app. In a goods and services transaction, the seller pays a small fee, and the transaction is eligible for coverage under Venmo’s Purchase Protection Program, which may help protect both buyer and seller if the transaction doesn’t go as expected on either side. 

Many platforms also stress that part of the solution lies in user awareness and caution: They advise that users should never send money to other users they don’t know personally. 

Unfortunately, that advice wouldn’t have helped Sadie Thorpe.  

In 2019 Thorpe, who was 19 at the time, was looking at her bank statement and noticed a $1,000 debit from Venmo. Thorpe hadn’t recently sent money to anybody on the platform, so she immediately called her father, with whom she shared an account, and they spotted two fraudulent transactions—$500 charges on each of their debit cards (which were both linked to the same Venmo account) to users in Texas for furniture and baby clothes.

Thorpe started by contacting Venmo’s customer service, but she ultimately had to get her bank involved in order to recoup the funds, and it was about three months before she and her father were refunded the full amount.

“Everybody else had [Venmo], and it was the easy way to send money, so I [thought], I’ll use it, it’s fine. But it definitely was not fine,” Thorpe said.

Not all victims of fraud on peer-to-peer payment apps are as lucky as Thorpe, and her story highlights a major risk inherent in the platforms: They aren’t banks in the traditional sense, and many of them won’t shoulder the cost of fraud in the same way a bank or credit card company would.

“When it comes to these payment apps…there are not regulations tightly controlling fraudulent transactions, like there are with your credit card or debit card,” said Lightman. “This is an area of exploitation we’ve seen across different platforms.”

Both Venmo and Cash App stipulate in their terms of use that users must be at least 18 years old and must verify their identity in order to use their account balance to pay other users. However, an unverified user could still receive funds, transfer those funds to a linked bank account, and make payments to others using a linked bank account, credit card, or debit card. 

Thorpe isn’t sure how her Venmo account was hacked, especially since she thought her password—a made-up word with a string of numbers—was strong.

Keatron Evans, principal security researcher at InfoSec Institute, a cybersecurity education provider, says that users’ accounts can be compromised if hackers launch an attack against the platform or if a user clicks on a malicious link by mistake. 

“That’s really all it takes—someone emails you something and you click on that link or even [a link in] an SMS text message,” said Evans. “That would allow [a perpetrator] to take control of [a user’s] phone or exploit the phone. That’s the most common way that people get compromised.”

Evans also describes another potential danger in peer-to-peer payment apps: They can be exploited by predators to groom children for abuse. Last year, he worked with a law enforcement agency that was investigating a case in which a predator sent sums of money and short messages to a child through a peer-to-peer payment app.

This concern is echoed by Tracy Foster, cofounder and executive director of Stand Together and Rethink Technology (START). START advises parents to keep watch over all of a child’s online accounts, including financial ones, and to watch for surprising amounts or payments from strangers, as these can be indications of grooming. 

“I’d advise parents to really understand why their child wants a [peer-to-peer payment] account and what they’re using it for,” Foster said via email. “Once children have an account, parents should sit with them regularly to go through account balances, both to avoid predatory situations and to promote financial literacy.”

Evans recommends several additional measures that teens and adults alike can take to protect themselves on peer-to-peer payment apps. He encourages users to keep phones up-to-date by installing software updates in a timely manner, to change passwords every 60 days, and to enable multifactor authentication, in which a user must present more than one piece of identifying information in order to access an account or perform actions on that account (for example, requiring an additional PIN or touch ID to send money). 

Rather than linking a bank account or credit card to a peer-to-peer payment app, Evans said that users can also consider using prepaid cards with limited balances. This limits both the personal identifying information and the amount of money perpetrators have access to in the event that an account is hacked.

Evans also urged more formal training for teenagers when it comes to recognizing misinformation online, particularly gamified instruction that has been created specifically for younger users.

“Some of the same security awareness training we do for adults we need to package for kids,” Evans said. “We gamify security awareness training at InfoSec. It makes a difference for young adults, when it’s more in line with something they’re interested in.”

Similarly, education technology provider Everfi offers free digital financial literacy lessons and curriculum to K–12 schools, districts, and teachers. Everfi’s Money Moves course gives students information about foundational financial concepts (for example, the difference between checking and savings accounts, the definition of interest, and how to track account balances), digital banking, identity theft, common scams, and ways to protect themselves online. 

Most Everfi courses include optional pre- and post-course survey questions for all participants who are at least 13 years old. Questions vary by course but generally assess students’ financial engagement and attitudes as well as their knowledge of course content. 

Survey data collected from the Money Moves course in the 2021–22 school year indicate that the training had a positive impact on participants’ knowledge and behavior. Prior to taking the course, only 47% of participants felt prepared to recognize scams on peer-to-peer payment apps; that number increased to 64% upon course completion. The course also convinced some students of the benefits of these apps: 10% of participants said on the post-course survey that they did not use a peer-to-peer payment app at the beginning of the course but now had an account or planned to get one.

Wineburg has similarly found in his research that when it comes to recognizing misinformation online, training does indeed make a difference. 

In a 2021 study led by Wineburg’s colleague Joel Breakstone, a research team embedded modules that taught online fact-checking within a remote asynchronous college nutrition course. These modules introduced a number of strategies to discern misinformation, including lateral reading—the practice of leaving a website and consulting other sources to evaluate claims on that website. The study found that after completing the fact-checking modules, 77% of students engaged in lateral reading, compared with only about 3% at the start of the course. 

“I think that we fundamentally need to change schools [in order] to recognize the digital society young people grow up in,” Wineburg said. “At the same time, that doesn’t mean that we can’t celebrate small victories…Fairly small shifts in how we teach people to approach digital information can have significant impacts.”

More finance coverage from Fortune:

Subscribe to Fortune Daily to get essential business stories delivered straight to your inbox each morning.