Merchant Services
Merchant Phishing Attacks

Merchant Phishing Attacks: Don't Fall for the Bait!

When it comes to a particularly insidious form of cyber crime known as "phishing," the tide has definitely turned.

Until recently, it was uncommon for scammers to target merchants. But cybercrime gangs - many of them based overseas - are honing in on merchants like sharks closing in for the kill.

The reason is simple: Unlike an attack against an individual, a successful attack against your merchant processing accounts could yield transaction details of all the cardholders who have done business with you - a big catch indeed. Here's how it typically plays out:

You come in one morning to find an "urgent" email claiming that your merchant account has been compromised or frozen due to fraudulent activity. In your panic to resolve the situation, you unwittingly provide secure information - usernames, passwords, credit card details - which a scammer then uses to access your secure data.

Or, maybe you follow e-mail instructions to click on a link to your merchant account website. The link takes you to a cleverly disguised clone site. Here, malicious software, such as a keystroke logger, is launched to capture passwords and secure data.

Ultimately, antivirus software and security tools can't stop a phishing attack. Security of your data hinges on you and your employees applying common sense - and cautious skepticism.

Practice some skepticism. Could your account really be blocked due to "suspicious activity"? Yes, but a reputable processor will not ask you to click on a link in an e-mail to share or change your account credentials. If you think the message might be legitimate, pick up the phone and call the processor directly to confirm before entering data on a website.

Watch what you click. If you receive an e-mail advising you of suspicious activity, avoid clicking links or opening any file attachments. Instead, open a new window and type the Web address of your merchant account provider directly into your browser to access your account.

Look for the lock. If you need to enter sensitive information on a website, look for a padlock in your browser's status bar to signify that you are on a secure site.

Train employees. Make all employees aware of the danger of following links they receive in e-mails. And consider having them participate in some training, such as a webinar on the latest attack techniques.

Limit access. Consider which members of your staff really need access to the merchant account. Also limit access to credit card processing information or merchant account passwords to a few trusted employees whose backgrounds have been thoroughly checked.

Phishing scams may appear to come from a legitimate business - like PNC Merchant Services®, our partner First DataTM or another service vendor you may use. But don't fall for the bait!

If you ever have questions about an e-mail that appears to be from PNC Merchant Services or First Data but you aren't sure, don't hesitate to call PNC Merchant Services Customer Service at 800-742-5030 for assistance.


PNC is a registered mark of The PNC Financial Services Group, Inc.("PNC")

Merchant Services provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.

This Merchant Business Insights e-Newsletter is designed to provide useful and practical information for merchants accepting card transactions. It is not intended to be legal, tax, accounting or financial advice, nor should it be substituted for a full and regular review of the Association Rules and any changes thereto. Internet sites provided in this e-Newsletter are provided as a convenience to our readers. While PNC Merchant Services endeavors to provide resources that are reputable and safe, we are not responsible for the information, products, or services obtained on such sites.