Stripe Users Targeted by Phishing Scam

October 25, 2019 12:42 pm Natasha Deeney

Users of the global online payments system Stripe are being warned about a sophisticated phishing scam that aims to harvest their user credentials.

Stripe is an attractive target for cybercriminals seeking access to payment card information as it manages billions of dollars of online payments from businesses all over the world. 

The phishing email, which resembles an official Stripe email, explains that the “details associated with the account are invalid,” and that urgent action is required. The email then encourages users to click a link to review their details.

For any businesses relying on online transactions and payments, an account placed on hold could cause major disruption. As such, the email aims to create a sense of urgency and panic for the recipient.

By clicking the link, recipients are directed to a fake Stripe website where they are prompted to provide their credentials, including their user name, email, password, bank information, and phone number.

However, when the recipient enters their personal information, they receive a “wrong username/password” error message and are then redirected to the legitimate Stripe website, so that they do not suspect that the email is a scam. The email is also particularly sophisticated in the way it masks the link: because the real destination URL is obscured, even cyber-savvy users could be tricked into clicking it.

Unfortunately, this is not the first time that Stripe users have been targeted by phishing. As such, Stripe recommends that customers protect their accounts using strong passwords and add an extra layer of security by enabling two-step verification.

With 90% of all data breaches caused by phishing and 3.4 billion fake emails sent every day, users must remain cautious and vigilant. Despite the increasing sophistication of these emails, there are several signs which can alert you to the presence of a phishing email.

How to Prevent a Phishing Attack

  • A request for personal information – If you receive an email asking for personal information such as an account number, password, PIN or security questions, approach with caution. It’s unlikely that legitimate organisations will request these personal details via email.
  • Poor spelling and grammar – You can often detect a phishing email by the way it is written. The writing style might differ from that usually used by the sender, and it may contain spelling mistakes and poor grammar.
  • Check the web address (URL) before you click on a link – In a web browser, hover over the link and look at the URL that appears at the bottom of your browser window; the visible link text and the real destination should agree.
  • Threatening or urgent language – A common phishing tactic is to promote a sense of fear or urgency. If you are unsure whether the request is legitimate, contact the company directly via their official website or official telephone number.
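The URL check in the last bullet (and the masked-link trick described earlier in the article) can be automated on the mail-gateway or analyst side. The following Python script is an added example written for this page; it is not code from the original article or from Stripe. It parses the HTML body of a message, extracts every link, and flags the classic mismatches: a visible link text that names one domain while the href goes to another, an `@` userinfo separator that makes the browser ignore the part before it, and a destination whose registrable domain is not on the organisation's allowlist. The sample email body and the `LEGITIMATE_DOMAINS` allowlist are constructed assumptions; a real deployment would load the allowlist from configuration and use a public-suffix list instead of the crude "last two labels" approximation used here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the set of domains this organisation treats as legitimate for
# emails claiming to come from the payment provider.
LEGITIMATE_DOMAINS = {"stripe.com"}

# Constructed sample of a phishing email body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>The details associated with your account are invalid.</p>
<p>Please <a href="https://stripe.com.account-review.example/login">review your details</a>
at https://dashboard.stripe.com</p>
<p><a href="https://stripe.com@login-check.example/">https://stripe.com/login</a></p>
<p><a href="https://dashboard.stripe.com/settings">dashboard.stripe.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.
    Fine for this example; production code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(href, text):
    """Return a list of reasons the link looks suspicious (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""         # .hostname already strips userinfo and port

    # 1. "user@host" syntax: the browser connects to what follows the '@'.
    if "@" in parsed.netloc:
        reasons.append("URL contains a userinfo '@' separator")

    # 2. Lookalike hosts such as stripe.com.<attacker-domain> fail this check
    #    because only the registrable domain is compared.
    if registered_domain(host) not in LEGITIMATE_DOMAINS:
        reasons.append(f"destination host {host!r} is not an allowed domain")

    # 3. Visible text that names a domain which disagrees with the real href.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append(f"visible text names {m.group(1)!r} but href goes to {host!r}")
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons), ...] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, analyse_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {href}  (text: {text!r})")
        for r in reasons:
            print(f"            - {r}")
```

Only the third link in the constructed sample passes cleanly; the first is caught by the allowlist check alone, while the second trips all three rules. Hovering over a link, as the bullet advises, is the manual equivalent of rule 3: what the message shows and where it actually goes must match.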

Metaphish provides a robust defense against phishing attacks by training employees how to identify and respond appropriately to these threats. Get in touch for further information on how we can help protect your business.