The Cash App phishing website uses a valid Secure Sockets Layer (SSL) certificate obtained from Let’s Encrypt and asks for an email or mobile number
A Cash App user tweeted at , asking him about the giveaway and posting a screenshot of a Cash App request for $20 they received. The message said “congrats you won verify real account to get $1,000.” This is similar to the fake Cash App accounts sending incoming requests that I noted earlier.
So even if the Cash App scammers aren’t creating impersonation Twitter accounts, they have found it much easier to simply create an impersonation account through Cash App.
Outside of direct impersonations of the Cash App brand, its CEO and notable figures, I believe it is safe to assume the majority of Cash App scammers are using stolen images and video content to create fake personas.
Cash App Phishing
During my research, I also encountered attempts at phishing Cash App users. A user named was riding the #CashAppFriday hashtag, DMing users about winning the giveaway, sending the payment along with a link to a website, saying “go on and receive it.”
Unlike most apps and services, Cash App does not ask for a password. Instead, it asks for an email address or phone number as the username, which triggers a request for a one-time use “login code,” also known as a one-time password (OTP). The code is delivered to the user’s email address or mobile phone, as seen in the image below.
In the example above, the Cash App phishing website announces that the cashtag “$cash” (which isn’t affiliated with Cash App) has “initiated deposit of $1000 to your Cashapp.”
It is followed by a second screen, which asks the user to provide their OTP. Inputting an invalid OTP results in an error message, which implies there may be some type of verification happening to ensure the user provides their valid OTP. To safeguard my privacy during this research, I did not provide my OTP.
However, I did observe a Twitter user who proceeded to provide their information to one of these Cash App phishing websites and reached a fake webpage saying “Payment Failed.” The error message would likely trick the user into believing there was merely a technical problem in sending the so-called giveaway payment, rather than a scam.
I was able to identify at least two Cash App phishing links, both of which used the Bitly URL shortening service. Statistics from those two links showed they each received over 500 clicks, mostly from users in the United States with a few clicks from the United Kingdom, Nigeria, Philippines, Australia and Guatemala. While Cash App is available outside the United States, the giveaways for #SuperCashAppFriday and #CashAppFriday are limited to U.S. participants.
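The lure messages described above share a small set of observable traits: a dollar amount, giveaway or “verify” language, a link through a URL shortener such as Bitly, an unaffiliated cashtag imitating the brand, and a request to enter a login code or PIN. The following is an added example (not code from Tenable or Cash App) of a triage heuristic a trust-and-safety or abuse team could run over incoming messages to flag candidates for review. The sample messages are constructed to mirror the patterns in this article, the function names are hypothetical, and the signal weights are an assumption, not a tuned model.

```python
import re

# Constructed sample messages modelled on the lures described in the article;
# none of these are real captured DMs.
SAMPLE_MESSAGES = [
    "congrats you won verify real account to get $1,000",
    "$cash has initiated deposit of $1000 to your Cashapp, go on and receive it https://bit.ly/abc123",
    "To claim your $500 giveaway, enter the login code we just sent you at https://bit.ly/claim123",
    "Hey, sending you the $20 I owe you for lunch",
    "Your Cash App login code is 123456. Never share this code.",
]

# Shortener hosts seen in the campaign (bit.ly) plus a few common ones (assumption).
SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}

# Phrases taken from the lures quoted in the article.
GIVEAWAY_TERMS = ("giveaway", "congrats", "you won", "verify", "claim", "receive it")

AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# An unaffiliated cashtag imitating the brand, e.g. "$cash" from the phishing page.
BRAND_CASHTAG_RE = re.compile(r"\$cash(?:app)?\b", re.IGNORECASE)
# A *solicitation* of a PIN or sign-in code: a request verb followed closely by the credential.
# A legitimate OTP delivery ("Your login code is ...") does not match because it lacks the verb.
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(?:send|enter|provide|reply with|give|share)\b.{0,40}?\b(?:pin|login code|sign-in code|otp|one-time)",
    re.IGNORECASE | re.DOTALL,
)


def extract_hosts(text):
    """Return the lower-cased host portion of every http(s) URL in the text."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def scam_signals(text):
    """Return the list of scam indicators present in a message, in a fixed order."""
    lowered = text.lower()
    signals = []
    if AMOUNT_RE.search(text):
        signals.append("dollar_amount")
    if BRAND_CASHTAG_RE.search(text):
        signals.append("brand_cashtag")
    if any(term in lowered for term in GIVEAWAY_TERMS):
        signals.append("giveaway_language")
    if any(host in SHORTENER_DOMAINS for host in extract_hosts(text)):
        signals.append("shortened_link")
    if CREDENTIAL_REQUEST_RE.search(text):
        signals.append("credential_request")
    return signals


def verdict(signals):
    """Map a signal list to a triage outcome; thresholds are an assumption."""
    if len(signals) >= 2:
        return "likely_scam"
    if signals:
        return "review"
    return "clean"


def triage(messages):
    """Score every message and return (message, signals, verdict) tuples."""
    return [(m, scam_signals(m), verdict(scam_signals(m))) for m in messages]


if __name__ == "__main__":
    for message, signals, result in triage(SAMPLE_MESSAGES):
        print(f"{result:12} {signals} :: {message}")
```

A single dollar amount on its own only earns a “review” outcome, since ordinary peer-to-peer requests look like that; it is the combination of a payment amount with giveaway wording, a shortener link, or a request to enter a sign-in code that marks the lure. The credential pattern deliberately requires a request verb so that a genuine OTP delivery message is not flagged.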
Tenable notified Cash App about our research findings prior to publication. A spokesperson for Cash App provided us with the following statement:
“We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that infringe our intellectual property rights (eg: use our name or logo without permission) or seek to take advantage of our customers.
As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer’s PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, and , both of which have blue, verified check , you should contact Cash App support through the app or website immediately.”