When Robyn Mathis, a 41-year-old food production plant worker from Brunswick, Georgia, stepped off a flight to Philadelphia last June, she expected an easy passage to her destination. She was set to pick up her rental car and charge it to her Chime card, as she had done several times before. For the last few years, the digital bank’s debit and credit cards had been her payment methods of choice. But at the Budget car rental desk at Philadelphia’s International Airport, Mathis got an unpleasant surprise.
Budget would not accept her Chime credit or debit card. Frustrated, Mathis, who was traveling with her two college-aged children, called other airport rental outlets—Enterprise, Avis and Dollar. All said they wouldn’t take her card. After two hours, Mathis finally gave up and called an Uber. Fintech had failed her. Upon returning home, she moved most of her money from Chime to her account at Bank OZK, a regional institution with more than 200 branches and roots stretching back to 1903.
Digital-first “neobanks” like Chime are one of the hottest sectors in the fintech revolution. They offer fast approval and low- or no-fee accounts, all without any brick-and-mortar branches—a powerful selling point during a pandemic. Chime grew from 7 million U.S. customers at the start of 2020 to more than 13 million by the end of this year, according to estimates by eMarketer.
Chime’s valuation hit a stunning $25 billion in August, and an initial public offering that could value the enterprise at $45 billion is in the works. Square’s Cash App, which began as a peer-to-peer money transfer service and has evolved into a digital bank, added 12 million users in 2020. Square’s stock has more than tripled since the pandemic began, and it now boasts a market capitalization of about $90 billion.
But the same “frictionless” signup and ease-of-use features that make digital banks appealing to customers have given crooks an opening to wreak havoc through various schemes. That includes “first-party fraud,” where customers (with accounts in their own names) do everything from racking up charges and yanking the money to pay those charges out of their accounts before a transaction settles to illegally collecting unemployment insurance in states where they don’t live or work.
Another tactic: exploiting America’s tortoise-like bank-to-bank transfer network by moving money from one account to another and then withdrawing the same funds from both accounts while the transfer is in process. Fintech providers also appear to be more susceptible to identity theft and “account takeovers,” where swindlers get access to another person’s account and start spending.
Take the case of Shayla King, a single mother of four from Tampa, Florida, who became a Chime fraud victim in July 2021. She first noticed the problem when she woke up on a Friday to see dozens of automated texts on her iPhone asking if she had made 62 transactions totaling $744 from different businesses in India. She texted back “no” and then got an automated text confirmation that the charges would not go through. King says she also immediately rang Chime’s customer support line to report the charges were fraudulent. But come Monday, her Chime account was nearly emptied.
“Companies used to build financial products starting with the risk … Everything today is built starting with marketing, and risk oftentimes comes way further down the funnel.”
King disputed the charges, but Chime denied her claim. She tried twice more, eventually copying an investigative consumer reporter at a local ABC affiliate on her email to Chime. Four days later, after the reporter contacted Chime, it returned the money, more than a month after King first reported the incident. (Chime admits it made an “initial error” in its dealing with King, but says it corrected the problem after King appealed, and not because of the TV reporter’s inquiry.)
“I will never in my life bank with an online bank again,” adds King, who says she spoke on the phone with more than a dozen different customer service reps during the ordeal. “That’s my car payment, my electricity bill … I’m a paycheck-to-paycheck person, and I’m still trying to climb out of that hole.”
According to data from Aite-Novarica Group, fintech companies like neobanks and robo advisors have an average fraud rate of roughly 0.30%. That’s as much as double credit cards’ historical rates of 0.15% to 0.20% and three times higher than debit cards’ less than 0.10% fraud rate. While these percentage differences might seem small, they’re significant given that banking profitability is measured in basis points or hundredths of a percent.
And these seemingly tiny percentages add up. In 2020, identity fraud alone caused $56 billion in losses across all U.S. financial services firms, according to research firm Javelin. Facing growing incidents of fraud, some merchants have begun limiting or even blocking the debit and credit cards being offered by Chime, Cash App and other neobanks.
“Companies used to build financial products starting with the risk,” says a fraud expert and executive at a San Francisco fintech company. “Everything today is built starting with marketing, and risk oftentimes comes way further down the funnel.”
Rental car agencies and hotels have so far taken the most consequential actions in response to fintech’s fraud problem. In March, Avis, which owns the Budget and Payless car rental brands too, blackballed Chime. Said one tweet to a customer, “Only Chime cards we no longer accept due to many fraud reports. Have a great day!” Avis also hung up signs at branch locations announcing the ban and over the summer its FAQ singled out “prepaid debit/gift cards and Chime debit/credit cards” as not acceptable for vehicle pick-ups.
Avis’ restrictions prompted a backlash from Chime and its card network, Visa, in late summer. Visa has a strict “honor all cards” policy for merchants who generally must accept any Visa card from any issuer. After Forbes reached out to Avis for comment, its policy page was updated to remove mention of its Chime restriction. An Avis spokesperson declined to explain the reason for its Chime ban, simply saying that Chime cards are accepted as payment upon returning a rental car, which would still require customers to have a different card for vehicle pick-up.
Enterprise and Hertz, the two largest rental car agencies in America, have also instituted fintech card bans. Forbes spoke with 10 Hertz storefronts across ten states, and most said cards tied to Chime were not welcome, with Cash App, Paypal or Venmo also rejected by some. An Enterprise customer service rep said locations at airports don’t accept Chime cards either. Some of the non-airport branches called by Forbes said they do accept Chime, though they cited various special restrictions such as requiring a utility bill. Nearly half of the dozens of Marriott Courtyard, Holiday Inn, Extended Stay America and La Quinta franchise locations Forbes spoke with said they don’t accept Chime or Cash App cards, either.
Spokespeople for Hertz and Extended Stay America said company-managed locations had banned Chime or Cash App cards, while spokespeople for Marriott and Enterprise claimed the cards are accepted. (Enterprise failed to clarify its airport policy.) The owners of the La Quinta and Holiday Inn brands did not respond to multiple requests for comment by Forbes.
Brian Mullins, Chime’s senior vice president of risk, downplays the problem. “In July, we had 50,000 transactions across all Marriott and Courtyard Marriotts … There may just be some individual locations where [a rejection of Chime cards] had occurred.” Chime had already done $150 million in Enterprise car rental transactions in 2021, he said in late August. “If it’s an issue, it’s not affecting our customers,” he insisted.
According to experts, much of the fraud seen by rental car agencies and hotels is so-called first-party fraud, where card holders run schemes under their real identities. One way they can do this involves taking advantage of a quirk in the U.S. payments system, says Mary Ann Miller, a vice president at identity and fraud company Prove. When someone picks up a rental car or checks into a hotel, the merchant processes a pre-authorization charge on their debit or credit card that puts a “hold” on a set amount of money.
That hold expires after a short period of time—say, three days, depending on the terms set by the bank that issued the card. Once it expires, a bad actor, who might have rented the car for a week for example, can spend the money, since it’s no longer locked up. When the rental car agency finally goes to charge the customer after the car is returned, the bank account tied to the debit card is empty or the limit on the credit card is exhausted, and the merchant or bank can’t collect.
Another fraud tactic is for a customer to dispute large numbers of legitimate charges. Chime says its systems try to weed out serial disputers, but its frictionless interface makes refusing Chime charges as easy as a few taps on its mobile app. “Account takeovers” are another scam that fintechs like Chime are particularly susceptible to, because fraud rings often target new technology, thinking it’s more likely to have holes. In one rip-off, scammers buy information on the dark web to figure out Chime customers’ usernames and passwords, then gain access to their accounts and go on a buying spree.
Can’t traditional banks’ accounts be taken over too? Yes, but the digital banks may be both more vulnerable and more likely to be targeted. “Digital-focused banks have a target on their backs because fraudsters know that the banks want to make the user signup flow and banking experience as seamless as possible,’’ says Vice President of Trust and Safety Kevin Lee at fraud prevention firm Sift.
Because of Visa’s and Mastercard’s dispute protection policies, merchants hit with various forms of fraud can often escape being held liable for the unauthorized charges themselves. But trying to clean up a rash of illicit activity is costly, involving many hours of research and internal meetings across different corporate teams.
Chime vigorously denies that its app has become a haven for fraud. Still, part of its problems may stem from the company’s aggressive customer acquisition campaigns, often using social media to attract unbanked or underbanked prospects who have little or no credit histories. In September, the company offered cash prizes of up to $1,000 to TikTok users who made videos including the hashtag “ChimeHasYourBack.” Two months later, TikToks sporting the hashtag had collectively garnered 7.3 billion views.
Chime declined Forbes’ request to provide its overall fraud rates, saying only that they’re significantly below the maximum thresholds set by Visa and Nacha, the nonprofit association that runs ACH, the U.S. bank-to-bank payments network. The fintech’s CEO Chris Britt instead blames the merchants for any problems that have developed.
“I think there’s a limited number of merchants that are not applying the industry standard of due diligence before giving consumers access to these rental cars,” he says. He adds that Chime doesn’t run credit checks on its users—it’s the rental car agencies’ job to determine consumers’ creditworthiness.
Chime isn’t the only fintech wrestling with fraud and delinquency problems, and these issues date back to the earliest fintech companies in America. From July through October of 2000, two years after PayPal got off the ground, the company lost $6 million to fraud at a time when its revenue was less than $5 million. PayPal was losing $1,900 an hour to fraud. More recently, phony jobless claims have been a problem for Green Dot and Square’s Cash App, as well as Chime.
Ten residents of Palm Beach County, Florida were arrested in September for attempting to raid other states’ unemployment benefit coffers. According to court records, the defendants typically opened accounts at Chime, Cash App or Green Dot under their own names, then applied for unemployment checks from states they had neither lived nor worked in. Explaining how to commit the fraud to an unnamed associate, one 21-year-old defendant suggested using the three fintechs for direct deposit of the swindled funds: “States like Arizona and Pennsylvania hittin fasho…FREE GAME,” he wrote in an Instagram message reprinted in court records. “Chime Greendot cash app.”
“There’s no risk of needing to show identification in person, no surveillance video to show who’s utilizing the bank account.”
Kyle Kinney, a detective at the local Florida police department who investigated the cases, says the offenders likely preferred digital banks for their convenience, compared to brick-and-mortar alternatives. “There’s no risk of needing to show identification in person, no surveillance video to show who’s utilizing the bank account,” he explains. “Transferring and receiving funds to and from co-conspirators is pretty easy.”
The flood of extra unemployment money tied to the pandemic, as well as the expanded categories of people eligible for payments, has likely exacerbated the problem. The U.S. Labor Department’s Inspector General recently estimated that, based on an historical mispayment rate of 10%, between March 2020 and September 2021, $87 billion in enhanced benefits could have been improperly paid, with “a significant portion attributable to fraud.”
But, the IG added, the actual number—based on a preliminary audit—was likely higher. Frank McKenna, cofounder of fraud prevention firm Point Predictive, suspects that Chime was “one of the preferred ways that a lot of these fraudsters took money from the government, because they could easily go online, set up a Chime account very quickly, have the funds transferred into the account, and then quickly have those funds diverted elsewhere …
I think what you’re seeing now is the result of a lot of growth, and a lot of the fraud that might have gotten into the portfolio while all the stimulus came in.” He also says that there’s an active market on messaging app Telegram for people to buy Chime accounts.
It’s not just the merchants who have become wary of doing business with big fintechs like Chime and Cash App. HMBradley, a three-year-old, Santa Monica-based online bank with $375 million in assets, saw a startling rise in fraud coming from the transfers it gets from Chime and Cash App accounts. The schemers would typically open an HMBradley account, then connect it to an existing Chime account.
They’d request to transfer funds from Chime, and when the money reached HMBradley, they’d quickly ferry it into a third bank account. Often, the funds HMBradley was pulling in from Chime didn’t exist—and that’s possible because of the way the U.S. bank-to-bank transfer network, or the Automated Clearing House (ACH) system, works.
The ACH network, first built in the 1970s, lacks real-time verification and it can take days for transactions to settle through ACH. So when a neobank allows a customer to pull money from an outside account via ACH, it takes on the risk of finding out several days later that the customer only had $1 in his account even though he requested to transfer $1,000. ACH still underlies most money transfers, to the tune of $62 trillion in 2020, and is run by Nacha, a nonprofit association funded by financial institutions.
While HMBradley typically only sees about $500 worth of fraud per month, in May it lost tens of thousands of dollars, split between Cash App and Chime users, according to CEO Zach Bruhnke. To stop the bleeding, Bruhnke put longer holds on transfers so that a customer trying to pull in funds from a Chime or Cash App account would have to wait a few more days to see the funds arrive in HMBradley.
Another new online bank called One has also placed longer holds on Chime transactions. “It’s a reflection of how frequently the accounts tend to be fraudulent and how much loss tends to be taken on those transactions,” says One CEO Brian Hamilton. Chime CEO Chris Britt again prefers to shift the blame. He says that small companies like HMBradley and One “probably don’t have the same level of sophistication in terms of how to process things like ACH transactions and transfers from online accounts.”
Betterment, a robo-investing app with $29 billion in assets, blocked all new connections to Chime, Cash App, Square, Robinhood, Green Dot and Metabank in May due to “a trend of attempted fraudulent activity,” according to an email Betterment sent to some customers that was reviewed by Forbes. Britt says there are a “number of companies” that Chime “runs much more volume through … that are managing just fine.”
According to Bruhnke, Chime’s team was helpful in troubleshooting HMBradley’s fraud spike. Bruhnke tried to work with Cash App to get help, too, but their support was “almost non-existent,” he says. Today, HMBradley no longer puts longer holds on Chime transactions, but for most Cash App customers, he extends HMBradley’s typical two-day hold period for transfers to five business days and caps daily transactions to between $100 and $500.
Bruhnke says of Square’s rapid customer growth, “They’re a public company, and they’re sort of padding their user numbers by perpetuating this.” Square declined to make an executive available for an interview, but told Forbes via email that fraud prevention is a top priority and that Cash App maintains teams dedicated to resolving merchant acceptance issues.
Stock trading app Robinhood recently highlighted its own ACH fraud challenges. “Customers initiate deposits into their accounts, make trades on our platform using a short-term extension of credit from us, and then repatriate or reverse the deposits, resulting in a loss to us of the credited amount,” it wrote in its second quarter regulatory filing. As a result, its provision for credit losses for the first half of the year surged 54% to $37 million.
In February, a payments processing company that works with hundreds of merchants that sell age-restricted products like alcohol saw 45% of its fraudulent ACH transactions come from Chime, according to an executive at the payments company.
It noticed a pattern where some people had used multiple Chime accounts under slightly different names but with the same IDs. They’d buy alcohol from one merchant, but before the transaction settled, they’d quickly pull the rug out by moving that money into another Chime account, a maneuver made possible by the settlement lags of the ACH system.
The liquor stores saw tens of thousands of dollars of losses, and when the payments company determined that Chime wasn’t going to do anything to fix the problem, it permanently blocked Chime transactions altogether. Says the payments company executive, “If they’re not actively doing anything about it, then we have to actively do something about it.”
- “Credit Card Fraud – Consumer Action” (PDF). Consumer Action. Retrieved 28 November 2017.
- “Official PCI Security Standards Council Site – Verify PCI Compliance, Download Data Security and Credit Card Security Standards”. http://www.pcisecuritystandards.org. Retrieved 1 October 2021.
- “FRAUD THE FACTS 2019 – The definitive overview of payment industry fraud” (PDF). UK Finance.
- “Credit card fraud: the biggest card frauds in history”. uSwitch. Retrieved 29 December 2019.
- “Court filings double estimate of TJX breach”. 2007.
- 9 Ways to Keep Credit Card Fraud From Happening to You”. The Balance. Retrieved 29 December 2019.
- “Preventing payment fraud | Barclaycard Business”. http://www.barclaycard.co.uk. Retrieved 29 December 2019.
- “Application fraud”. Action Fraud. Retrieved 29 December 2019.
- Forrester Wave Report: ThreatMetrix and the Revolution in Risk-Based User Authentication”. ThreatMatrix. Retrieved 28 November 2017.
- What Is Account Takeover Fraud?”. the balance. Retrieved 28 November 2017.
- “Visa U.S. Chip Update: June 2016 Steady progress in chip adoption” (PDF). VISA. 1 June 2016. Retrieved 28 November 2017.
- Credit card fraud: What you need to know
- “What Hackers Want More Than Your Credit Card Number | Credit.com”. Credit.com. 1 September 2015. Archived from the original on 30 May 2016. Retrieved 16 May 2016.
- “Business Advice”. Take Five. Archived from the original on 5 September 2018. Retrieved 29 December 2019.
- “Social Engineering Fraud Explained | – with Get Indemnity ™”. getindemnity.co.uk. Retrieved 29 December 2019.
- Inside Job/Restaurant card skimming. Journal Register.
- Overseas credit card scam exposed”. bbc.co.uk.com.
- NACS Magazine – Skimmming Archived 27 February 2012 at the Wayback Machine. nacsonline.com
- Theft ring rigged Florham Park ATM, attorney general says”. Daily Record (Morristown). Retrieved 18 November 2016.
- ATM Camera Snopes.com
- Clarin.com (2 November 2010). “Piden la captura internacional de un estudiante de Ingeniería” (in Spanish).
- “A Dramatic Rise in ATM Skimming Attacks”. Krebs on Security. 2016.
- “Rogue automatic payments”– Retrieved 2016-02-07
- Tucker, Eric. “Prosecutors target credit card thieves overseas”. AP. Retrieved 13 September 2014.
- “Section 901 of title IX of the Act of May 29, 1968 (Pub. L. No. 90-321), as added by title XX of the Act of November 10, 1978 (Pub. L. No. 95-630; 92 Stat. 3728), effective May 10, 1980”. Archived from the original on 14 April 2002. Retrieved 25 May 2017.
- “Lost or Stolen Credit, ATM, and Debit Cards”. Ftc.gov. 6 August 2012. Retrieved 2 August 2014.
- “Who Regulates Credit Card Merchant Services in UK?”. GB Payments. Retrieved 29 December 2019.
- “Identity Crime”. Australian Federal Police. Commonwealth of Australia. 2015.
- “Identity crime in Australia”. http://www.ag.gov.au. Commonwealth of Australia Attorney-General’s Department. 2015.Adsit, Dennis (21 February 2011). “
- Error-proofing strategies for managing call center fraud”