Hello all! Recently a fellow seller got an email about Negative Feedback and was a little concerned about it. He forwarded the email to me, and it definitely looks like a phishing email! Since I haven't seen the phishing emails hit the feedback emails yet, I thought it would be best to show you what to look out for:
Ok, lets take a look at this:
- It's not in the screen shot, but the email was all wrong. All feedback emails come from feedback@messaging.squareup.com. If it doesn't have that email address, it's a guaranteed phishing email.
- On the subject line, it says Square Customer and does not have the four digit ticket number at the end of the line. A valid feedback email will say A customer left you positive/negative feedback (#xxxx)
- Right below the From/To line, there is no instruction line. A valid feedback email will say Reply to this email to respond to your customer
- This one is subtle: Note that the background color on the feedback text is different from the background of the email. Square's emails will have the feedback text in white with a light grey background everywhere else.
- View this dispute is designed to make you panic a little and click on it. The real emails will say Respond in this blue button.
- Between the dispute button and the address, a valid email from Square would have a Purchase Overview section saying how many items were bought, on what date, and at what price. There is then an option to preview the receipt.
- Speaking of the address, Square isn't based in Tuscon. In fact, the legit emails only have the Copyright line at the bottom, not their address.
- Unsubscribe? Another way for them to get you if you didn't click on the dispute button. If I click this, I won't get any more phishing emails, right? Wrong.
- Lastly, I'm pretty sure that Square can afford their own email servers and won't need to send free email from Hubspot.
So what do you do if you get one of these emails?
First and foremost, do not click/tap on any of the links and buttons in the email. If you do, immediately run a virus check on your computer, and for the love of all things holy, don't enter any identifying information in any of the screens that pop up.
Next, forward this email to spoof@squareup.com so their legal team can go knock some knees together.
And for the record, here is what a valid feedback email will look like:
Stay safe, sell a lot, and don't give any of your money to these filty phishers!
Thank you for the thorough details, @ryanwanner. I found one of these messages in my spam folder today (see image). It has a couple of the elements you said would be in a valid Square email (the "Reply to..." instruction and the "Respond" button). Because Square does have a team in San Francisco, that address they provided could be legit. But the one thing they didn’t (couldn't?) fix was the sender's email address; it's from a personal address, not the Square Messaging one you mentioned.
