Fake Cash App Payment Link Phishing
Criminals send fake Cash App payment-request links via SMS, email, or social media that lead to a phishing page styled as the Cash App login — collecting sign-in codes to take over accounts under the pretence of processing a legitimate payment.
Part of: Phishing
Last reviewed: 7 June 2026
Cash App allows users to send payment requests as shareable links — a feature designed for convenience that scammers have adapted for phishing. Fake Cash App payment-request links can be crafted to appear nearly identical to genuine Cash App request links, including the payment amount and requester's name, but they resolve to credential-harvesting pages rather than the real Cash App.
The most common delivery scenario involves a seller or service provider claiming to have sent a Cash App payment-request link for goods or services agreed upon. When the victim clicks the link — expecting to be taken to a familiar Cash App interface to approve a payment — they land on a phishing page that asks for their Cash App sign-in credentials.
Alternatively, the fake link may appear in a social-media context: a gig-economy job posting, a marketplace sale, or a peer-to-peer fundraiser. The victim, focused on completing a transaction they initiated, is less vigilant about inspecting the URL before entering their details.
How this scam works on the Cash App brand
Genuine Cash App payment-request links follow the format cash.app/[identifier] and resolve to a page on cash.app. When you open a real Cash App payment-request link on a mobile device with Cash App installed, it typically opens the app directly rather than a browser page. A link that opens a browser-based login page asking for your email, phone number, or sign-in code should raise an immediate alert.
Phishing pages mimicking Cash App are designed to closely replicate the app's login screen. They use Cash App's green and white colour scheme, the correct logo, and a sign-in flow that sends a real Cash App OTP to the victim's phone number. When the victim enters the code, it is captured and immediately used by the attacker to complete a login to the real Cash App account.
Some campaigns use a short link that obscures the true destination. The short link may appear to go to a recognised URL shortener before redirecting to the fake Cash App page, adding a layer of indirection that makes URL inspection less practical.
Common red flags
- A Cash App payment link that opens a browser-based login page rather than the Cash App
- A request to enter your phone number and sign-in code on a web page to approve a payment
- Link URL is not cash.app or does not resolve directly to the Cash App
- A sign-in code from Cash App arrives after you entered your number on the fake page
- The payment request came via a channel where Cash App links are unexpected: email, a job ad, or DM
- The page asks for your debit card number in addition to your sign-in code
- The requester applies pressure to complete the payment immediately before the link expires
How to protect yourself
- Open Cash App directly and send or receive payments through the app, not via external links
- Verify that any Cash App link starts with cash.app before tapping it
- If a link opens a browser login page rather than the app, close the browser and open Cash App directly
- Never enter your sign-in code on a web page — the code is for the app's own sign-in flow only
- Enable the Security Lock on Cash App so payments require biometric or PIN confirmation
- Be cautious of payment requests from new contacts or via unexpected channels
- Report fake Cash App links to Cash App support through the app
How to report it
- Report through Cash App: Profile > Support > Report a Scam
- Forward the fake link details to [email protected]
- Report fake links to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to the FBI's IC3 at ic3.gov if the account was accessed or funds stolen
Frequently asked questions
What does a real Cash App payment-request link look like?
Genuine Cash App payment links start with cash.app/ followed by the recipient's $Cashtag or a unique identifier. On a mobile device with Cash App installed, the link should open the app directly. A link that opens a browser login page is not genuine.
Should I ever enter a Cash App sign-in code on a website?
No. Your Cash App sign-in code is a one-time authentication token for use in the Cash App sign-in flow on the official app. There is no legitimate reason to enter it on any website.
How can I pay someone via Cash App safely?
The safest way to pay via Cash App is to open the app, tap the '$' icon, enter the amount, and search for the recipient's $Cashtag. Do not use external links from emails or messages to initiate payments unless you can verify the link resolves to cash.app.