A Comprehensive Overview of In-App Chat Scams: Part 1

8 min read Michael Carroll on Oct 18, 2023
MK Copy of Blog Imagery Templates (1).png

People have been trying to run a scam on the internet for as long as it has been used as a communication platform. The methods and defenses used have been constantly evolving, and at this point, most people are aware of basic password security, multi-factor authentication, phishing scam techniques, and the dangers of file sharing. But one vector for scams that has received less attention is in-app chat scams, which happen in a conversation in-app or product. Perhaps we feel a false sense of security within a company's official web app or mobile application, so we aren't as on guard in a chat application as in emails. However, it’s still important to raise awareness of this method of online scams and how you can increase your cybersecurity awareness around it.

We'd like to give you a comprehensive overview of in-app chat scams, starting with their history and growth, what to look out for, and how PubNub can help you eliminate chat scams in your app to protect the positive chat experience for your users. Then, in part two, we'll talk about the role of SMS, some common in-app chat vulnerabilities that could affect your data security, and some specific tools PubNub provides that enable developers to secure their real-time chat.

The history of in-app chat scams

In-app chat scams have significantly evolved, becoming as sophisticated and high-quality as the web and mobile apps they target. These scams leverage the popularity and widespread usage of in-app chat features to deceive unsuspecting users. With an event-driven platform like PubNub, you can build in-app chat functionality with built-in security features to detect, alert, block, and continually improve its ability to prevent these attacks. Let's start by delving into the evolution of these scams and understand the tactics scammers employ to defraud users.

Basic phishing

Initially, in-app chat scams were predominantly basic phishing attempts, where scammers would send messages that appeared to be from legitimate sources, such as well-known companies or friends. These messages often contain malicious links or requests for sensitive information like passwords or credit card details.

Social engineering

As users became more cautious about clicking suspicious links, scammers started employing social engineering techniques to manipulate victims and gain permission for their sensitive data. They would impersonate customer support representatives, friends, or family members and engage in conversations to extract sensitive information or convince users to perform actions that benefit the scammers.

Gift card

In recent years, gift card scams have gained popularity. Scammers pretend to be someone in need—such as a friend or family member—and request users to purchase and share gift card codes. These scammers often mimic the communication style and patterns of the person they are impersonating, making it difficult for victims to realize they are being scammed.

Advanced chatbot

Artificial intelligence has many positive use cases, but with the good comes the bad. Advancements in AI, automation, and natural language processing have enabled scammers to develop sophisticated chatbots that can mimic human conversations convincingly. These chatbots engage users in seemingly legitimate conversations, responding to messages and questions to make them appear like real people. They can gather personal information, such as login credentials or credit card details, and even persuade users to install malware or visit malicious websites.

Fake customer support

Another tactic scammers use is impersonating customer support representatives to access users' accounts or sensitive information. They may send messages claiming a security breach or a problem with the user's account and ask for login credentials or other personal information to resolve the issue. By posing as trusted customer support, scammers exploit users' trust and trick them into providing sensitive data.

Investment or money-making

Bad actors may present enticing investment opportunities or money-making schemes to exploit victims' desire for financial success. They may claim insider information, secret strategies, or guaranteed high investment returns. Victims are often asked to invest a large sum of money upfront or provide personal information for identity theft. These scams appeal to victims' greed and hope for quick wealth, leading them to make impulsive and risky decisions.


Scammers may create fake profiles on dating websites or social media platforms and use in-app chat to form romantic relationships with unsuspecting end-users. They use emotional manipulation, flattery, and promises of love and companionship to gain the victim's trust. Once trust is established, scammers may request money for various reasons, such as travel expenses, medical emergencies, or financial difficulties. Victims often become emotionally invested before realizing they have been deceived.

App hijacking

In-app chat scams have also evolved to involve app hijacking, where scammers gain backend control over an app's chat feature and use it to send fraudulent messages. This can happen through vulnerabilities in the app's security or social engineering techniques that trick users into granting access. Once they have control, scammers can send malicious links, request payments, or collect sensitive information from unsuspecting users.

Malicious content sharing

Bad actors may also use in-app chat features to share malicious content, such as infected files or links to phishing websites. They may send messages that entice users to click on a link or download a file, infecting their devices with malware or redirecting them to a fraudulent website where their personal information is compromised.

Trends in in-app scams                                  

The history of in-app chat scams reveals several trends over the years. Analyzing these trends, we can gain valuable insights into scammers' evolving tactics in this domain. Here are some key trends that have been identified:

Increasing Sophistication: Scammers have become increasingly sophisticated in their approach to in-app chat scams. Initially, these scams relied on basic phishing techniques, but they have since evolved to include more advanced methods such as social engineering, impersonation, and even AI-powered chatbots that convincingly mimic human interactions.

Exploitation of Trust and Familiarity: Bad actors often exploit users' trust and familiarity with a particular app or platform. They mimic the app's interface and design, creating a sense of trust.

Targeting Popular Apps: In-app chat scams tend to target apps that are popular on the iOS and Android app stores and have a large user base. This strategy allows scammers to cast a wider net and increase their chances of success. Social media platforms, messaging apps, and e-commerce applications have been particularly attractive targets due to the sheer volume of users they attract. Additionally, healthcare provider apps have been desirable targets because of the sensitive, HIPAA-protected information stored on their backend.

Multi-Channel Attacks: Scammers have started employing multi-channel attacks to bypass security measures and increase their chances of success. For example, they may initiate a conversation in the app's chat feature and then redirect users to a fraudulent website or communicate via email or an offline channel like a phone call to further manipulate and deceive users.

Rapid Adaptation: Scammers constantly adapt their tactics to stay one step ahead of the security measures employed by development teams. They quickly identify and exploit vulnerabilities in app systems, find new ways to bypass security protocols, and adapt their messaging to increase the likelihood of success.

Characteristics of in-app chat scams

“Act tody for Amazon account to be safely!”

We’ve all gotten these messages. Sometimes, they’re well-written enough to where you may (for a split second, at least) think it’s legit. Other times, you look at it, laugh, and think, “They clearly can’t speak the language…does anyone actually fall for this!?”

Unfortunately, yes, they do.

But we know that chat scammers use common techniques to find success Here are some common characteristics to watch out for:

Impersonation: Scammers often impersonate trusted individuals or entities, such as customer support representatives, app developers, or well-known companies. They may use similar names, logos, or fake profiles to appear legitimate.

Urgency: In-app chat scams typically create a sense of urgency to pressure users into taking immediate action. Scammers may claim that the user's account is compromised, that a payment is overdue, or that an important update needs to be installed to make users act impulsively without thoroughly thinking through the situation.

Requests for personal information: Bad actors often ask for personal information, such as usernames, passwords, credit card details, or social security numbers. They may claim that this information is needed for verification purposes or to resolve an issue, but their real intention is to steal the user's identity or commit fraud.

Payment requests: In-app chat scams frequently involve requesting payments or financial transactions. Scammers may ask users to make a payment to resolve an issue, unlock additional features, or claim a prize. They may use various payment methods, such as wire transfers, prepaid gift cards, or cryptocurrency, to make it difficult to trace the transactions and even more difficult for victims to get their money back.

Poor grammar and spelling: Many in-app chat scams contain poor grammar and spelling. This is often a red flag that the message is not from a legitimate source. Scam artists may not have a strong command of the language or may use automated translation tools, leading to message errors. But tools like ChatGPT are making it easier for bad actors to create legit-sounding messages, so while our example at the start of this section may have been the reality historically, it’s only a matter of time until we lose this red flag indicator.

PubNub and in-app chat security

Detecting scams in in-app chats underpins user trust, a crucial component of your platform's success. When users feel secure from scams, it boosts their engagement considerably, elevating the app's reputation and, in some cases, its profitability.

Scam detection isn't simply a cure, it's a preventive measure. By embedding scam detection in real-time communication, you mitigate risks proactively. This infrastructural shift fortifies the user's trust, laying the groundwork for a more resilient communication framework.

PubNub's serverless compute platform, chat APIs, and SDKs, allow developers to write custom code and update scam detection rules in real time without needing application redeployment. This flexibility enables companies to adapt quickly to new scamming techniques and scale their scam detection capabilities as their user base grows. With PubNub's ability to handle millions of messages per second, companies can confidently rely on its scalability to support their growing user base and provide a top-of-the-line user experience.

Improved user experience with trust and safety

Utilizing PubNub functionality for things like access control and end-to-end encryption for your messaging platform’s security fosters an environment of trust and safety, empowering users to communicate freely while protecting them against scams and inappropriate behaviors.

  • Provides proactive screening of potential scam messages

  • Facilitates safe user interactions within both mobile and web applications

  • Prevents disclosure of sensitive data

  • Blocks inappropriate content in real time

  • Employs adaptive algorithms for continuous risk assessment

  • Promotes user confidence and trustworthiness of the platform

  • Increases overall user retention and satisfaction

Reduced risk of scams and inappropriate user behaviors

Reducing scam risks significantly with PubNub's advanced algorithms is integral to fostering secure in-app, real-time communication environments, enabling software development teams to build apps that keep users safe. PubNub's proactive methods block most scam attempts, enabling users to interact securely.

  • Advanced algorithm detection and proactive blocking of suspicious links or messages

  • Real-time scanning and risk evaluation of chat content

  • Customized sensitivity based on application requirements

  • Provision of effective user warning systems against potential scams

  • Implementation of tight security measures to prevent recurring scams

  • Continuous updates and upgrades to stay ahead of evolving scam tactics

These, made possible with our Functions feature and Access Manager, offer robust chat security, enhancing users' confidence and trust in engaging with an application. In part two of our in-app chat scams overview, we’ll cover both of these features in-depth and some of the security vulnerabilities developers should be on the lookout for.

Our platform helps developers build, deliver, and manage realtime interactivity for web apps, mobile apps, and IoT devices. Working with a third party like PubNub frees you up to focus on the parts of app development you love. With over 15 points of presence worldwide supporting 800 million monthly active users and 99.999% reliability, you’ll never have to worry about outages, concurrency limits, or low latency issues caused by traffic spikes. PubNub is perfect for any application that requires features like geolocation, group chat, or real-time data streaming.

Sign up for a free trial and get up to 200 MAUs or 1M total transactions per month included.