Venmo has become a ubiquitous platform in recent years, reportedly approaching one hundred million users. As one of the leading P2P digital payment apps, its popularity presents a significant target for threat actors. Consequently, we anticipate an increase in attacks aimed at deceiving unsuspecting users.
While Venmo's security measures are evolving, users must stay vigilant against scams and phishing attempts. In 2024 alone, consumers reported losing over $12.5 billion to various scams. Educating users on safe practices, such as verifying payment requests and avoiding sharing sensitive information, is crucial in mitigating risks.
One recent email phishing attack targeting Venmo users stated a bank associated with the recipient’s account had been removed. The emails contained a link to review recent activity. Of course, the link did not direct to the Venmo site and the address the message was sent from was not an official Venmo address. The threat actor instead relied upon the ‘Display Name’ in the ‘From’ header to spoof the popular brand. Display Names are often spoofed as they are not covered by sender verification checks such as SPF or DMARC.
Upon clicking the URL, the recipient would be directed to sessionsactive[.]org where their email address would automatically be pre-filled via the URL from the original message. If the recipient supplied their credentials, they would be checked by the site to ensure they are valid and posted locally via PHP for the threat actor to conduct further financial fraud.
It should go without saying at this point but if you receive an email claiming to be from any of your financial institutions, it is never a good idea to follow the link within the email. If you are unable to verify the authenticity of the email and believe the call to action may have some validity it is always best to navigate directly to the website/app, without using anything contained within the email, and investigate any alerts/messages regarding your account.
Email is not the only method threat actors use to gain access to Venmo accounts. Be equally cautious with unsolicited SMS/texts claiming to be from Venmo, as attackers are using this avenue to obtain credentials.
Call center scammers are also active, often targeting users after obtaining their username/password combinations. Many reports indicate that users receive phone calls asking to confirm their two-factor authentication (2FA) codes through various deceptive tactics. In these scenarios, it is highly likely that the attackers already possess some
