AURORA, Colo. (KDVR) – A local woman is out hundreds of dollars. Now, she wants to warn others about a circulating scam that involves the popular money transfer platform Venmo.
In a matter of seconds, the victim’s bank account was drained by scammers, but she never gave away any personal information, just a six-digit code.
“I pay a lot of my bills on Venmo. If I’m out to lunch, it’s easy to pay back someone,” Mariah Smith said, adding, "You just feel violated and taken advantage of."
On Feb. 13, Smith got a call from a man claiming to be with Venmo. He alerted her that there may have been fraudulent activity on her account.
“He said, 'I’m calling on behalf of Venmo. We think there was fraudulent activity. We don’t think it was you. Did you pay this amount of $430 to someone in San Diego?' Right away, I was like, 'No, not me. Absolutely not,'” Smith said.
Smith said the caller then offered to stop the transfer and offered her a free protection plan. He said he was sending a six-digit code, then instructed her to read it back.
“Just told me to verify this six-digit code that was sent to me through text. I verified it. I stayed on the phone for an hour," Smith said.
But the next day, her bank account, which is linked to Venmo, was emptied out.
“I did all the right things. I didn’t give them my personal information, don’t tell them anything personal,” Smith said.
So, how did that happen? The Problem Solvers talked to a cybersecurity expert who said the criminals intercepted the two-factor authentication, which is a second layer of security that requires you to enter a code that is typically sent from the company to your phone.
“The attacker goes to the website, they click on 'forgot my password.' Venmo sends a one-time code to the registered phone of the account. In this case, she got socially engineered to go off and give that one-time code to the hacker,” Mitch Tanenbaum, Chief Information Security Officer with CyberCecurity LLC, said.
“If you get a call that’s unsolicited, hang up and go to the known origination and look up the number,” Tanenbaum said. “You want to pick a good password, set up alternative forms of authentication and set up notifications and fraud texts.”
FOX31 reached out to Venmo for comment. The company provided the following statement:
“The security of users and their account information is always a top priority and we take all the necessary steps to protect our customers. Nonetheless, we encourage users to always be vigilant of who calls and messages are from to protect themselves when sharing information, clicking links, and opening attachments. For additional background, Venmo never sends users requests of this nature without clear language instructing the user to never share their code, and that if someone asks for the code, it's a scam. Further, whenever someone suspects they are the target of spam or a potential scam that may be, for example, posing as Venmo, they can contact firstname.lastname@example.org and our dedicated security team will review the information and take action as needed. Additionally, we encourage users to contact Venmo Support for assistance -- our teams are always available to help look into matters.”
As for Smith, it's a hard lesson, but she is working with Venmo to get her money back and hopes this will prompt others to be careful.
“Check all of your information because you never know how they’re going to get in,” Smith said.