From Convenience to Crime: How Payment Apps Stand to Reshape Business Fraud

As companies embrace payment apps for speed and convenience, rising fraud losses, regulatory scrutiny, and insurance gaps are forcing businesses to rethink how — and whether — they use them.
February 19, 2026

Businesses using apps to make transactions quick and easy are attracting more than new customers, as fraudsters find ways to cash in on the digital payment systems.

Companies are increasingly turning to so-called “cash apps” such as Venmo, Zelle and others that allow their customers to send and receive funds through digital Internet transactions.

Small businesses are the biggest users of the technology, but large organizations are finding the apps to have a place in their operations as well. While consumers have gotten used to paying small merchants through a peer-to-peer app, it is now possible to buy an airline seat, order from a national pizza chain and shop at major retailers that accept digital payments. It’s a convenience for customers who like the ease of immediate cashless transactions, experts note.

And businesses may find the apps an easy way to make small vendor payments or complete such internal transactions as employee expense reimbursements.

But With Convenience Comes Risk

New York’s Department of State’s Division of Consumer Protection cited statistics that indicate more than $390 million in losses were attributed to payment apps in 2024, an increase of more than $100 million from the year before.

“What makes payment apps attractive to businesses are speed, convenience and instant transfers,” said Sagar Shah, director, strategic initiatives with Travelers’ cyber risk control team. “But those are the same things that make them attractive to fraudsters.”

Thieves didn’t have to invent new ways to steal when targeting cash apps, Shah said, because the old tricks are sometimes still effective.

“It’s around creating urgency, impersonating someone and getting the business to act before they can verify,” he said.

Fraudsters often rely on social engineering — through phony emails, for example — to fool employees into releasing funds. Ryan Kratz, head of cyber for North America at MSIG USA, said it starts with an email from someone claiming to be a vendor, contractor or someone else that the business works with, requesting payment through an app.

Employees not trained to spot such bogus requests will complete the transaction. “They think they’re doing everything right,” Kratz said. “There’s no hack, there’s no malware; they’re just asked to process an invoice.”

“Everything is on the Internet now, and an attacker can research the supply chain that a business is using” and easily impersonate a vendor, Shah said. The fraudster then sends the fake email asking for payment or uses such tactics as claiming the vendor’s bank account has changed.

“The goal is to redirect payments so that they come to the threat actor’s account,” he explained.

The apps have come under fire for not doing enough to prevent fraud, and some have faced stiff penalties.

Block Inc., the operator of peer-to-peer payment app Cash App, was ordered by the Consumer Financial Protection Bureau earlier this year to refund fraud victims up to $120 million and pay $55 million to the agency’s victim relief fund. The CFPB said Block allowed fraud to proliferate and its investigations into customer disputes were “woefully incomplete.” Cash App said in a statement that “while we strongly disagree with the CFPB’s mischaracterizations,” the company settled the matter “in the interest of putting it behind us and focusing on what’s best for our customers and our business.”

Zelle’s fraud protection has also drawn scrutiny, with its operator Early Warning Services sued in August 2025 by New York’s attorney general, who charged the payment app was designed without critical safety features and allowed fraudsters to steal more than $1 billion between 2017 and 2023. Zelle called the suit a “political stunt to generate press,” claiming the attorney general “wants to hand criminals a blueprint for guaranteed payouts with no consequences, opening the floodgates to more scams, not less.”

Some organizations have welcomed the chance to make payment transactions easier, while others have said the apps have no place in their operations. JetBlue said last year it became the first airline to accept Venmo for online bookings, calling it a “seamless payment option for customers.”

Domino’s Pizza last year began allowing customers to check out with Cash App, saying in a statement that “convenience and speed are non-negotiables for the next generation of consumers.”

The University of Colorado in late 2025 prohibited the use of Venmo, Zelle, Cash App and other peer-to-peer apps after its bank designated Venmo payments as high-risk. “While P2P apps are convenient for personal use, they are not suitable for institutional transactions,” the school said in a statement. “They lack verifiable receipts, do not provide tax documentation or facilitate W-9 reporting, pose reconciliation challenges, and can expose the university to fraud, (Payment Card Industry Data Security Standard) violations and data security risks.”

“Going forward, it is prohibited to pay individuals through any P2P platform either using a university-issued commercial card or personal payment/reimbursement. Instead, departments must use approved processes such as the CU Marketplace (including Requisitions/POs or Payment Vouchers for independent contractors), the Travel & Expense System for allowable reimbursements to non-employees/non-contractors, or through official merchant apps linked to authorized business accounts (e.g., Uber, Lyft). Limited exceptions may apply when a registered business profile (not an individual) is the payment recipient (e.g., PayPal Business, Square).

“Always be sure to include a detailed business purpose description in your expense reconciliations. This formalized policy guidance strengthens compliance, protects institutional resources and data, and improves audit integrity across all purchasing and expense activities,” the university went on to say.

Fraud via payment apps doesn’t always originate outside the organization, sources note.

“We’ve seen some internal theft of funds,” Kratz said, when employees have used apps to transfer money from the organization to themselves. “That’s less common, but we’re starting to see it a bit more.”

That’s the type of claim that landed on Robin Ann Nowicki’s desk. She is a senior vice president, national cyber and fidelity claims leader at HUB International. A business using PayPal saw several thousand dollars vanish when a bad actor diverted the funds by changing banking information. As it turned out, an internal investigation discovered that it was an inside job carried out by an employee. The company was lucky, in a sense, that an employee rather than an outsider stole from them, Nowicki said.

“I think they would have had a hard time finding coverage under a crime policy,” which, depending on how the funds were stolen, can be found lacking for such types of fraud, she explained. The business was able to recover its loss under its employee theft coverage. Nowicki said her initial reaction was to question why the company would keep so much money in a PayPal account.

One of the best ways to manage the risk is to keep the bulk of funds in the bank and away from thieves, she added.

“The encouraging thing is, a lot of these attacks are preventable, and it’s not about buying new technology,” said Shah of Travelers. “It’s about building the right habits.”

Verify unexpected calls or messages that come through unusual channels, Shah advised. “Call the vendor directly, using a number you have on file to verify the request. That single habit can really prevent a good chunk of the social engineering attacks.”

Underwriters want to know what sort of controls are in place, Kratz said. They include such risk management practices as a segregation of duties in processing invoices and dual authorization for outgoing transfers. “It shouldn’t be just one person who has the keys to the kingdom,” he said.

Kratz urged businesses that use payment apps to make sure they have adequate crime insurance or cyber coverage. He pointed out that cyber insurance generally offers sublimits of $250,000 to $500,000 for such losses as those tied to phishing tactics or other methods of fraud. That’s coverage that could be inadequate, even for smaller organizations, Kratz said.

“If you don’t have crime insurance, make sure you have cyber insurance,” Kratz advised. Talk to a broker about the volume of business the organization handles, average dollar value of transactions, etc. “You should be hyper-focused on making sure with your broker that you’re adequately insured, particularly as a small business,” he said.

Michael Bradford has written about insurance and risk management for more than 30 years in the U.S. and Switzerland. He has also served as a news editor for a Zurich-based insurer and continues to freelance from his base in Georgia.