Apps like Zelle, Venmo and others are being used to drain smartphone users' bank accounts

If you use mobile payment apps like Zelle, Venmo, and Cash App, you need to be concerned about a scheme used by criminals to drain money from your bank account. Unauthorized users are able to get access to an unlocked device and use it to make purchases with the mobile payment apps by using financial data from them to open new accounts. This has led Manhattan DA Alvin Bragg Jr. to send letters characterized by Newsweek as "scathing" to the CEOs of the three aforementioned mobile payment app firms demanding that the companies take immediate action to protect consumers.

With some users of these apps experiencing financial hardship after using the peer-to-peer mobile payment apps, Bragg Jr. said, "No longer is the smartphone itself the most lucrative target for scammers and robbers—it's the financial apps contained within. Thousands or even tens of thousands can be drained from financial accounts in a matter of seconds with just a few taps. Without additional protections, customers' financial and physical safety is being put at risk."

Bragg Jr. is the Manhattan DA, but what he is describing is actually a nationwide problem. In his letters to the CEOs of Zelle, Venmo, and Cash App, Bragg Jr. wrote   , "Just in the past year, there have been thefts stretching from Los Angeles, where several people were robbed of thousands of dollars through Venmo at knifepoint, to Orlando, where a woman had thousands drained from her Venmo after a child asked to use her phone. Similar thefts and robberies have been publicly reported in West Virginia, Louisiana, Illinois, Kansas, Tennessee, Virginia, and elsewhere across the United States."

Bragg Jr. explains that in one version of the scam, a stranger approaches a smartphone owner and asks to borrow his phone to make a call, and while in possession of the victim's device, the thief transfers a large amount of funds to himself using the victim's financial app. In another ploy, the stranger asks for a donation for a specific cause and offers to transfer the money himself using the victim's smartphone. But once the phone is in the scammer's possession, he transfers a large amount of money to his own account.

Bragg Jr. wrote in his letter to the CEOs that "further security measures to prevent unauthorized access to unlimited use of your financial services would have prevented such crimes." The easiest way to prevent getting ripped off by such schemes is never to hand over your smartphone to anyone. Don't get suckered into giving up control of your handset. If someone approaches you with a sob story about why they need to borrow your phone, say no, or make the call yourself.

A spokesman for Zelle's parent company, Early Warning Systems, played down the number of incidents even while admitting that it was aware of the criminal activity mentioned in Bragg Jr.'s letter. The company said, "Less than one-tenth of one percent of transactions are reported as fraud or scams, and that percentage keeps getting smaller."

A Cash App spokesman said that the firm was "committed to building trust with our customers and investing in areas that help build a safe and secure platform." It went on to say that it works "proactively and diligently to safeguard our customer's money and mitigate against the risk of fraud on our platform through a combination of preventative controls like multi-factor authentication, account transaction limits, fraud detection, and consumer education."

Bragg Jr. said that mobile payment apps need to institute security measures similar to the Stolen Device Protection feature that Apple recently installed on iPhone models eligible to receive the update to iOS 17.3. The feature requires the use of Face ID or Touch ID to allow certain sensitive activities to be performed on the phone if it is in an unfamiliar location.

The new feature also requires that an hour pass between the time an iPhone user makes certain important changes to the FindMy app, Face ID, the Apple ID password, and more. After the hour, the user's identity must be verified by Face ID or Touch ID.