Red Flags Abound; Payday users lament questionable service, loss of funds

“When it happened, I had an adrenaline rush and thought to myself, I’m done for. I’m a tech bro. So, instantly I knew it was a phishing attack. I tried to login in but my password had been changed by the hijackers. I initiated a reset password immediately but my balance was zero when I logged in. Within five minutes everything was gone. It happened so fast,” Joshua Igba narrated to Technext.

Joshua’s story of “doomsday” begins on March 25, 2023, two days before Payday opened a Telegram channel on March 27 to resolve complaints and bring the platform closer to users. He and his team had earlier considered Payday as a reliable alternative to Access Bank’s dollar card that wasn’t working.

So, he opened an account with Payday.

By 8 PM, “We lost our startup capital on the Payday app, partly due to a phishing attack and partly due to security and ethical flaws on Payday.” But, his team were not going to shrug their shoulders over this.

So, on June 19, he says he arrested a suspect, but “between these two dates, Payday’s team failed me and abandoned me. Only Favour (Payday’s founder) was responding. I don’t know what all Payday employees are doing to have abandoned me.“

He still does not have his money to date.

“Patronise them at your own risk.”

In an April 5 post titled Stay Away from PaydayApp If You Value Your Sanity, Nairaland user, @abhosts, narrates how his $500 “is in limbo” because he funded his virtual dollar card and all the transactions were declined and he kept getting the response: “insufficient funds.”

“After two weeks of back and forth with their support,” the customer care representative asked the user to refresh his memory about the complaint, as he forgot. “This looks unreal,” @abhosts wrote.

A response by another user reads that Payday is a “source to dupe unsuspecting customers…they work hand in hand with fraudsters on Twitter, sharing phishing links which they claim they know nothing about.”

“The app has a lot of bugs”

Speaking to Technext, a user and cybersecurity expert [name withheld] says the Payday app only has a lot of bugs, as she has used the platform to make purchases from foreign marketplaces.

“Payday are no scammers,” the user says. “Their service has question marks though.”

Narrating his experience still in April, Nairaland user, @Deeprooted, says he funded his account and initiated payment but was declined.

“After several fruitless attempts, I then decided to get my money back to the local currency. Na there I come sabi says I don buy market oh!”

Still, on bugs, Payday users say the app always updates (which may be the company’s response to bugs), but there are no prior announcements before disabling major features that led users to the platform in the first place.

How money typically disappears from users’ virtual accounts

There are about three ways unauthorised withdrawals can happen on virtual accounts:

• Phishing (which has been mentioned by some victims): This is a type of social engineering attack where the attacker sends a fraudulent message or email that appears to be from Payday. The message or email may contain a link that, when clicked, takes the victim to a fake Payday website that looks like the real thing. Once the victim enters their login information on the fake website, the attacker can steal it and use it to log into their real Payday account and make unauthorised withdrawals.
• Malware: This is software that is designed to harm a computer system. Malware can be installed on a computer through a variety of ways, such as clicking on a malicious link, opening an infected attachment, or downloading a file from an untrusted source. Once malware is installed on a computer, it can steal personal information, such as login credentials, and use it to make unauthorised withdrawals from Payday accounts.
• Data breaches: This is a security incident that results in the unauthorised access, disclosure, or destruction of sensitive data. Data breaches can happen to any organisation. If a data breach occurs, it is possible that hackers could steal customer login credentials and use them to make unauthorised withdrawals from customer accounts.

From Technext’s background check, phishing has been the most prominent, but that is just an external discovery.

On its part, Payday says it uses fraud protection measures to detect and prevent fraudulent activities, including “monitoring account activity for suspicious transactions, setting up alerts for unusual activity and using machine learning algorithms to identify patterns of fraudulent behaviour.” However, fraudsters have had field days with users’ monies.

Payday has waved the red flags, severally

By March 2023, the Payday team, on its Telegram channel, had started announcing that “Payday will not ask you for your personal details or ask you to click on any link.” But, “We need you to stay patient while we work on issues.”

One of the issues, Payday wrote, was happening across the banking system, “so, when you do a top-up to your Payday account and it doesn’t reflect immediately, please be patient for at least, 24-48 hours.”

The message reiterated that Payday will not ask you to click any link and issues are always escalated within 30 minutes/one hour.

In an April 5 post, Payday published a statement asking its users to avoid “fraudulent Instagram and Twitter pages using the image of our co-founder and COO, Yvonne Obike, to defraud customers.

“We please urge customers who are approached by these fraudulent accounts not to engage them and report/block the accounts,” Payday wrote.

Payday has maintained a campaign asking users to guard their details judiciously and not click any links on social media.

And, in a response to Technext’s questions, Payday said the company recognises the ongoing phishing attacks and absentee communication on their part, and “sincerely apologises” for any inconvenience.

“Firstly, we want to categorically state that we in no way condone the use of illicit means to defraud customers of their funds and take the safety of our customers and their funds very seriously. We sincerely apologise for any inconvenience and distress these attacks may have caused. We are working diligently to ensure that they are rectified as and when they happen, and are brought to our attention. 

“In recent months Payday has grown more popular, and our user base has increased tremendously, as a result, there is an increase in the number of fake accounts on social media pretending to be us targeting unsuspecting users. We immediately took steps to educate our users on ways in which they can protect their accounts from unauthorised access. We have also actively taken steps to improve security from our end, including:

• Device Authorisation: allowing users to approve or deny logins from other devices
• One-time passwords (OTPs) for every login attempt as well as withdrawals and transfers
• Streamlined support to in-app and email. 
• Increased the support team to improve response time

“We are also improving communication with our users via in-app, push notifications, email, Virtual Banking Halls, and Telegram.

“Regarding recovery, we have been able to recover some funds in cases where we were informed in time, especially when the transactions occur within the Payday app itself. However, when third-party financial institutions are involved, the next step is to reach out to destination accounts, report, and obtain KYC details if the money has already been withdrawn.”

In a separate response, Payday says “Users can withdraw from their Payday account without any issue. However, due to a provider-related issue, users are unable to withdraw from their USD cards at the moment.”

Did users notice any red flags?

Joshua says his team did.

“Between February and March, there was a time transfers were on pause mode for three weeks. Payday offered its users Silvergate US Account and Silvergate was plagued with bankruptcy. So we even felt we had lost all our money.

“I emailed Payday instantly. I notified some tech mentors. Then I had to reach out to Favour. When it happened, I had an adrenaline rush and thought to myself, I’m done for. I’m a tech bro. Instantly I knew it was a phishing attack. So I tried to login in but my password had been changed by the hijackers, so I initiated a reset password immediately but my balance was zero when I logged in. Within five minutes everything was gone. It happened so fast,” Joshua said.

Joshua is not the only one. It is a mix of phishing and account ‘mis’ funding – where customers pay into their accounts and the monies get stuck in the green skies.

Pieces of evidence from social media:

Is it still bugs or poor customer service?

It is established that finaglers have used Payday as their channel, and it is now more concerning, knowing that the user base may be increasing at a phenomenal rate. And, Payday users have complained about its customer service, which should be fully operational in order to stop phishing attacks on its heels.

“During that period, Payday did not reply to emails,” Joshua says, referring to the Silvergate issue.

He continues:

“They didn’t reply to my complaints. If not that I managed to have access to Favour the CEO, it would have been an absolute abandonment.” But, “I’m offended that Favour didn’t do enough to help me recover these funds. I used everything to beg him on WhatsApp till everything collapsed.”

Social media [Twitter, Instagram, Facebook] is flooded with complaints of poor customer service and poor response rates on the in-app chat and via emails.

In his narration, a user wrote:

“I have been using Payday since February 2022, even with their poor ratings and public backlash, I stuck with them. I needed nothing in return other than good service. Their cards would fail to make payment and I’ll approach their chat support in the app. My issue could stay for days and no response will be available. I know times I lost deals due to their issues.

“It got crazier. It kept on getting crazy until I finally quit using them. For two months, I couldn’t use the card, it will be one excuse or the other every day. So I quit and took out all my money, and moved on.”

Meanwhile, bugs in a platform like Payday can prevent user monies deposits from showing by causing errors in the code that is responsible for processing deposits.

This can happen for a variety of reasons, such as typos [in the code that is responsible for processing deposits], incorrect logic [in the code could cause the deposit to be processed incorrectly, such as being credited to the wrong account, or unexpected inputs [such as a deposit that is larger than the maximum allowed amount, could cause the code to crash and prevent the deposit from being processed].

As a result, the deposit may not be processed correctly or may not be reflected in the user’s account balance.

Why all this matters

Joshua writes, “I want Payday to know that they must recover my money and use the strategy to help other victims also recover their funds. If they were diligent enough, we won’t lose the money.

“Also, I documented a number of lapses with the Payday app and areas of non-compliance security-wise, which I plan to use in court as my last straw, to recover our startup capital.

“What is the essence of identity verification and all the military-grade and bank-grade security promises neobanks keep saying, if not to actually prevent and protect customers? 

“Payday is a good place for payments, no doubt, but as of today, it is not a safe place for banking. It appears to be a safe haven for criminals and being a victim that went knife through the bread with the neobank, I encourage Payday users to be very careful because the tiny transaction Payday wants to make on your money is more important than anything. Expect to be abandoned should your money get lost on the platform. They won’t even reply to your email and if you can’t leverage on relationships like I did, you are done for.”

He adds that neobanks and fintech platforms should collaborate more to protect customers’ funds.

In response, Payday says, “We are working to resolve this while managing conversations with users who reach out to us via our support channels: in-app and support email.”

They only need to respond quicker than before.