What happened
Block, Inc., the owner of Cash App, agreed to pay $45 million to settle allegations from a bipartisan coalition of 46 state attorneys general that the company misled users about the app’s safety and failed to provide promised fraud protections.
The coalition, led in part by New York Attorney General Letitia James and Texas Attorney General Ken Paxton, alleged that Cash App was marketed as a safe, bank-like alternative even though its fraud protections did not keep pace with the risks on the platform. Regulators said Block falsely implied that users would receive bank-like protections while failing to properly investigate unauthorized transactions, reimburse users when required, or provide effective support for fraud victims.
The alleged failures included lax account verification, no limit on how many accounts one person could create, a years-long absence of phone support, delayed fraud investigations, unwarranted account lockouts, and social media promotions that made users easier targets for scammers. Investigators said Cash App did not require a Social Security number or date of birth to create an account, allowing bad actors to operate networks of scam accounts.
Regulators also said the lack of official phone support created a separate attack path. Users who searched online for Cash App support numbers often found fake customer service numbers operated by scammers, who then used those calls to take over accounts or drain linked financial accounts. Under the settlement, Block must maintain 24-hour customer support, provide live phone and chat support for set periods each day, stop misleading safety claims, discontinue marketing practices known to increase fraud, educate users about scams, and meet legal obligations to investigate and reimburse certain unauthorized transactions.
Who is affected
Cash App users are directly affected, especially those who used the app as a primary financial account for paychecks, government benefits, savings, or daily transfers.
Unbanked and underbanked consumers may have faced greater risk because Cash App was promoted as a bank-like alternative, but regulators alleged it did not provide the same level of fraud protection or resolution.
Block is also affected because the settlement imposes new requirements around customer support, fraud handling, marketing claims, consumer education, and reimbursement obligations.
Why CISOs should care
This case is not just about consumer fraud. It shows how security claims, fraud controls, customer support, and identity verification can become regulatory exposure when a financial platform scales faster than its risk program.
For CISOs, the attack path matters. Weak account verification and unlimited account creation can enable scam networks, while poor support channels can push users into attacker-controlled “help desk” traps. That makes customer support availability part of the security model, not just a service-quality issue.
The case also highlights the risk of marketing language. If a platform claims bank-like security, advanced fraud detection, or strong account protections, regulators may expect those claims to match actual controls, staffing, investigation workflows, and reimbursement practices.
The broader lesson is that fraud prevention, identity verification, customer communications, and incident resolution are now part of security governance for fintech and payment platforms.
3 practical actions
- Align security claims with actual controls: CISOs should review public safety, fraud, and account-protection claims with legal and compliance teams to ensure marketing language reflects real capabilities.
- Strengthen fraud and identity controls: Payment platforms should review account creation rules, verification standards, account-linking behavior, transaction monitoring, and controls against networks of scam accounts.
- Secure customer support pathways: Organizations should provide clear official support channels, monitor for fake support numbers and impersonation, and ensure fraud victims can reach trained support staff quickly.
Today in cybersecurity:
- SCMBANKER Malware Targets Mexico’s Financial Sector Using ClickFix Lures
- Ghost Phishing Campaign Exploits Browser Blind Spot to Target Microsoft 365 Accounts
- Google Fixes Dialogflow CX Flaw That Could Have Enabled AI Chatbot Data Theft
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

