In an economy that has become mostly digital in many countries, some payment providers cross over into social media by letting you choose a handle so that people can easily send you money. For example, my friend Meg Sploit has multiple usernames with payment providers that match her Twitter handle, @itsm3gg1spl01t
Both of these usernames match her social media handles on twitter, Reddit, YouTube… you name it. For Meg it’s really convenient that she can just reuse the same username everywhere. It makes it easy for her followers to send money to her as her payment options are “on brand”.
These handles for Payment Providers can, however, also be a potential method to steal money from unsuspecting people online. The most lucrative scenario would of course be to target high profile social media profiles with a big enough following to make your campaign worthwhile.
Note: if you’re a scammer, the next part is really complicated and a lot of work. It’s probably not something you want to do, because there are so many steps involved and none of them involve calling from a Delhi call center. So quit reading while you’re ahead.
All right, now that the potential thiefs are gone, let me explain how it works. For this scenario, Iet’s say that there is a social media minor celebrity with a fairly big following named Jane Doe who uses the media handle @JenThough
JenThough is fairly active on social media and has a following online. Jen has most of her bases covered, but she hasn’t snagged up her username for at least one payment provider. When the attacker looks up her page, he gets a result that tells him the username doesn’t exist wit the service.
With this knowledge he sets up an account with the payment provider and snatches up the username. The payment provider has no verification process in place. If you are able to setup an account with them, you are able to snag up any username that isn’t claimed.
Using his new snaggy username, the attacker can now start targeting people with the username. They will likely need to also setup additional puppet accounts but once that’s done they can start asking people to “please donate money” to Jen for something that’s dear to her heart. While the username with the payment provider is probably not enough to con the targets, it can help to create extra leverage.
Of course the payment providers all have mechanisms in place to report these “usernames”. So for the attacker, it’s now a race against the clock. He’ll want to collect and withdraw as much money as possible before:
- People get air of the scam and tackle it online
- Their payment provider username gets reported
- Before the Payment Provider kills their account.
In order to reach as big of an audience as possible, the attacker can try to create these “usernames” with multiple payment providers so as to offer their victims multiple options to “donate” to their “cause”.
Of course, the attacker doesn’t have to use exact media handles. If the social media person has covered their bases they could could on typo’s or people not paying enough attention to notice differences or mistakes in the payment providers’ username – or they can just bet on people not knowing what the real handle is to begin with.
The moral of this post is not how to commit petty fraud online. However, it might be worth considering sagging up “your” username with payment providers, even if you never plan on using them, just to cover your bases. Buyers, be aware, though. Some of these payment providers connect your real name to your username which isn’t something that everyone is comfortable with. It might be just your first name and last name, but PII is PII.
Clutch your purses and snag up “your” username with payment providers before someone else does!