Venmo Security Issues for Employees

Venmo Security Issues For Employees

Say you go out to lunch or happy hour with your co-workers. That nice guy, Gary, from accounting picks up the tab and everyone pays him back through Venmo. Everybody appreciates how easy it is–especially Gary from accounting. 

All good, right? Maybe not. Using Venmo–with co-workers or anyone else–could expose you and your employer to scams.

The “Privacy” Illusion

I hear you saying, “But Dave, I kept the amount I paid Gary through Venmo private so it’s OK.” Yes, the financial aspect of Venmo isn’t in question here. Paypal owns Venmo and assuming that you are practicing good cyber hygiene for your account, (strong, unique password and multi-factor authentication) that piece is buttoned up.

The issue is all the other information surrounding your Venmo account and activity may be enticing bait for cyber criminals. Venmo users’ friends lists and transactions are public by default. And while you can change the privacy settings for transactions, most people unfortunately do not.

The “public by default” posture for transactions has caused many privacy and security experts to warn about this approach. Recently the Electronic Frontier Foundation EFF and Mozilla (makers of Firefox) wrote an open letter to Venmo’s CEO and COO. The letter said “The list of people with whom you exchange money paints a startlingly clear picture of the people who live, date and do business with you” and it raised three fundamental concerns:

  • Venmo transactions are not private by default. This is a long running concern and depending on what information you post in the comments, this can be a significant privacy concern
  • Anyone can view your “friends” list
  • As a result of issues one and two, Venmo users may be exposing data about their personal habits that would be better kept private

The EFF letter also references a report by computer science student Dan Salmon who was able to scrape data for millions of Venmo transactions over a six-month period. In an article for Wired, Salmon wrote “But the most likely cyberattack to be conducted using Venmo data is spearphishing-and the amount of specific information available via the app would make for a very convincing phish. An attacker could easily find a list of the people that their target most frequently interacts with, as well as that person’s common spending habits.”

You can read the open letter to Venmo here

Venmo Under Fire

Unfortunately, this is not the first time that Venmo has come under fire for privacy related concerns. The Federal Trade Commission (FTC) prosecuted Venmo in 2018 for allegedly misleading users about the privacy of transactions and PayPal settled by agreeing to several conditions, including a requirement to make “clear and conspicuous” disclosures about information sharing.

Despite all this scrutiny, transactions are still public by default and there is no way to disable the public sharing of friend lists. This means that hackers can scrape readily available information from Venmo and use it in whatever way they’d like. 

Consider this scenario: Once you complete a Venmo transaction, there’s a public record of you (and your named co-workers) paying Gary. An attacker could use the information to pose as Gary in an email and request that you provide him with a password, corporate information or other sensitive data. And who doesn’t trust Gary? He’s from accounting

Venmo No Go?

Venmo users concerned about privacy can turn off “public by default” for their transactions by going to Settings > Privacy, select Private > Change All to Private. If you choose to use Venmo, you should do this. Additionally, users can be careful about what they post in the comments of a transaction.

Is the convenience of Venmo worth the risk? Not in my book. I won’t use Venmo until they land on the side of privacy by making it the default (Sorry, Gary.) Is it something you should ask employees to avoid? That’s your call, but you can certainly be sure that your staff understands all the implications of using the app. In fact, you could just forward this blog post!

Posted in
Dave Hatter

Dave Hatter

Dave Hatter (CISSP, CCSP, CCSLP, CISA, CISM, PMP and ITIL) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.

Share this Blog

Enterprise Password Management Promo Wide

Is Your Name or Birthday a Part of Your Password?

If so, you’re a part of the 59 percent of people who don’t follow proper password hygiene. More than 70 percent of passwords are used for more than one system, meaning if cybercriminals crack one, they can access a lot more accounts.

Our free Enterprise Password Management Guide will give you the best password hygiene practices to help you secure your computer and your business.

Download the Guide

Explore the Latest Trends in IT

Fundamentals of Information Technology Management - Intrust

IT 101: What Is Information Technology Management?

When was the last time you stopped to think about how your business relies on technology? Information technology management is...
Avoid Pig-Butchering - Intrust IT

Pig-Butchering Scams: What They Are and How to Stay Safe

At Intrust IT, we understand that it may feel like the specter of cybersecurity is always breathing down your neck....
3 Reasons to Replace Aging Equipment - Intrust IT

Three Compelling Reasons Your Company Should Replace Its Aging Computers Before Year-End

As the end of the year approaches, businesses everywhere are evaluating their budgets and looking for strategic opportunities to invest...
What are managed services - Intrust IT

What Are Managed Services? And What Are the Benefits?

Running a business in today’s tech-driven world means you need reliable IT infrastructure. But let’s be honest, managing IT in-house...
Windows 10 End of Life How This Could Impact Your Business - Intrust IT

Windows 10 End of Life: How It Could Impact Your Business

As Microsoft officially plans to end support for Windows 10 on October 14, 2025, businesses need to begin thinking ahead....
AI implementation Roadmap Intrust IT

Master AI Integration With Our AI Implementation Roadmap Guide

AI is one of the greatest technological breakthroughs of the last few years. It has become our handy assistant, data...