In the ever-evolving world of digital scams, cybercriminals are becoming more cunning, crafting messages that mimic trusted brands to trick unsuspecting users. A recent scam making the rounds involves fake emails appearing to come from Square, the popular payment processing service. These emails are designed to incite panic, often under the guise of a customer complaint or negative feedback, and lead recipients into compromising their personal or business information.
Below, we’ll break down how this scam works, the red flags to watch for, and how to protect yourself and your business.
The Scam: Fake “Negative Feedback” Alert from Square
The scam starts with an email that looks like it’s from Square. Here’s an example of one such message:
Subject: A Customer left you a negative feedback
From: Square <messages+ml2cec0s87bzj@squaremktg.com>
Body (excerpt):
*“We have received a complaint from your customer… we will be placing a temporary suspension on your account, as well as your weekend deposits.
If you think this was a mistake, please follow the link below to respond to your customer’s complaints…”*
At first glance, the email appears legitimate. The branding mimics Square’s tone, it includes typical phrasing like “protect our customers and buyers alike,” and it even uses a Lafayette, LA address and links to privacy policies — all tactics used to build trust.
But it’s not from Square.
Red Flags That Reveal the Scam
1. Sender Email Address
The “From” address — messages+ml2cec0s87bzj@squaremktg.com — is suspicious. While it uses the word “square,” legitimate Square emails typically come from domains like @squareup.com.
Scammers often use lookalike domains or subdomains with subtle tweaks to fool recipients.
2. Urgency and Threats
The message creates a sense of urgency and fear:
“We will be placing a temporary suspension on your account…”
This is a classic phishing tactic. The scammer hopes you’ll react emotionally and click the link without verifying the authenticity.
3. Grammatical Errors and Awkward Phrasing
Professional companies like Square have editors and brand standards. Phrases like:
- “Reason; Complaints from your customer (service not delivered)”
- “Thanks, Have questions? contact us.”
…are clunky and riddled with punctuation errors.
4. Suspicious Link
The biggest red flag? The hyperlink. These emails typically use buttons or links that redirect to phishing pages, which are designed to look like Square’s login page. Once you enter your credentials, the scammers capture your login details and may gain access to your Square account, bank info, or other sensitive data.
Most modern email providers will flag this with a warning like:
“This message might be dangerous. It contains a suspicious link that was used to steal people’s personal information.”
That spam filter might save you — but don’t rely on it.
What Happens If You Click the Link?
If a victim clicks the link, they are usually redirected to a spoofed Square login page. Once they enter their email and password, that information is sent directly to the scammer.
From there, consequences could include:
- Unauthorized access to your Square dashboard
- Theft of customer data
- Financial losses via fraudulent transfers
- Damage to your business reputation
How to Protect Yourself
✅ Always Verify the Sender
Check the full email address. Look for odd spellings or unrelated domains. If you’re unsure, contact Square directly through their official site — never through the links in the email.
✅ Don’t Click Suspicious Links
Hover your mouse over the link before clicking. Many browsers or email clients will preview the actual URL. If it doesn’t lead to a trusted domain like squareup.com don’t touch it.
✅ Enable Two-Factor Authentication (2FA)
Square offers 2FA to secure your account. Even if your password is compromised, 2FA adds an extra layer of protection.
✅ Report Phishing Attempts
Forward suspicious emails to: phish@squareup.com
Also mark it as “Phishing” or “Spam” in your email client to help protect others.
✅ Stay Informed
Subscribe to email fraud alerts from Square or your payment processor. Scams evolve constantly, and staying updated can help you spot the next wave.
Don’t Fall for the Bait
This scam targeting Square users is one of many phishing attacks designed to exploit small business owners’ trust and fear. By staying vigilant, scrutinizing emails carefully, and never entering login credentials through unverified links, you can protect yourself and your business from becoming the next victim.
If you ever receive an email like this and are unsure, pause. Take a breath. Then go directly to Square’s official website or contact support before taking any action.
Have you received a similar scam email?
Let us know in the comments or send us a tip — we’re tracking these scams to help others stay safe.