As one of the world’s premier payment processors, First Data enjoys the trust of millions of merchants and financial institutions and their customers. Unfortunately, criminals sometimes try to exploit that trust by masquerading as First Data in an attempt to steal merchant account login credentials.
We’re aware of one phishing scam that targets our merchant customers with an e-mail message that appears to come from First Data and claims that their account is locked or their password has expired. The message includes a link to a fraudulent website that asks for login credentials for our e-commerce gateway.
How do the criminals know who our gateway customers are? They don’t! They think that if they cast a wide enough net they’re sure to catch a few phish. The phishing e-mails are sent to countless merchants, many of whom are not our customers, in hopes of tricking some merchants who do happen to be our customers.
Learn to protect yourself
You can protect yourself by being cautious any time you receive unsolicited e-mail. First Data will never send e-mail asking you to click a link to log in to your account. Never click on links in e-mail messages that ask for your personal or account information, no matter who the sender is. Instead, always type the address into your browser’s address bar or log in to the Customer Center on FirstData.com.
You should also pay close attention to which e-mail address these messages are sent to. If you normally receive information from First Data at firstname.lastname@example.org but suddenly receive an account-related message at email@example.com, you have reason to be suspicious.
Make life harder for criminals
In some cases, criminals have harvested generic e-mail addresses (like firstname.lastname@example.org) from websites and are sending phishing messages to those addresses. One way to make life a little harder for criminals is to obfuscate the e-mail addresses on your website.
You’ve probably seen an address written like sales (at) somemerchant (dot) com. That’s one simple way to make an e-mail address harder to harvest, but unfortunately it makes the address harder for your customers to use as well.
Programs criminals use to harvest e-mail addresses would be unlikely to identify the address hidden in the script, but website visitors would see email@example.com.
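One way to hide an address in a script, shown as an added example (this is not First Data's own snippet). The sample address, the function names, the XOR key and the "contact" element id are all assumptions made for illustration. The build-time code below generates the inline script you would paste into a page, and checks it against the kind of pattern a simple harvester uses.

```javascript
// Added example: names, sample address, key and element id are assumptions.

// Pattern of the kind a simple harvester applies to raw page source.
const HARVEST_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Build-time step: turn the address into XOR-masked character codes, so
// neither "@" nor the domain appears literally in the published page.
function encodeAddress(address, key) {
  return Array.from(address, (ch) => ch.charCodeAt(0) ^ key);
}

// Run-time step (what the visitor's browser does): rebuild the address.
function decodeAddress(codes, key) {
  return String.fromCharCode(...codes.map((c) => c ^ key));
}

// Generate the inline script to place after <span id="contact"></span>.
// It decodes the address and inserts a clickable mailto link.
function buildSnippet(address, elementId, key) {
  const codes = JSON.stringify(encodeAddress(address, key));
  return [
    "<script>",
    "(function () {",
    `  var k = ${key}, c = ${codes};`,
    "  var a = String.fromCharCode.apply(null, c.map(function (n) { return n ^ k; }));",
    `  var el = document.getElementById(${JSON.stringify(elementId)});`,
    "  var link = document.createElement('a');",
    "  link.href = 'mailto:' + a;",
    "  link.textContent = a;",
    "  el.appendChild(link);",
    "})();",
    "</script>",
  ].join("\n");
}

// What a harvester scanning the page source as text would collect.
function harvest(source) {
  return source.match(HARVEST_RE) || [];
}

// Constructed sample address (not a real mailbox). This file stays on the
// build machine; only the generated snippet is published.
const SAMPLE = "sales@somemerchant.example";
console.log(buildSnippet(SAMPLE, "contact", 7));
```

A harvester that runs the page's JavaScript in a real browser engine will still see the decoded address, so this only stops programs that scan the page source as text.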
If you’re uncertain about the authenticity of a message that appears to come from First Data, you can report suspicious requests to firstname.lastname@example.org.
You can help protect yourself by learning more about phishing and other online scams at OnGuardOnline.gov, an educational resource maintained by the Federal Trade Commission.
Meanwhile, we’re working with various hosting companies, domain registrars and law enforcement agencies to shut down phishing websites and catch the criminals behind this scam.