x
Admin

Online fraud is on the rise: Ask us anything about keeping your account safe! 🔒

It's that time of year again … time to gather, spread joy with decorations, give gifts, and — if you're like me — that includes a lot of online orders. With all of the coming and going, it's also a time for fraudsters to make their own moves: This can look like a bogus online order form, fake charity account, or a phishing scam.

 

But what else should we keep in mind this year? Account takeover fraud has increased 133% in 2022. In the United States alone, individuals who have experienced an account takeover have lost an average of $12,000 USD. For more information on how online fraud impacts countries across the globe, have a look at this article: Global Statistics in Account Takeover Fraud for 2023.

 

Rest assured that we've got your back! Square has rolled out a bunch of new security features and we were glad to have @MimiW on the Square Account Security team host a Q&A on Wednesday, November 30th. Read on below for a summary of topics that came up.

 

Here are some example questions: 

  • As a buyer and a seller, what is the best way to keep my information secure online?
  • Is two-step verification worth the hassle?
  • I was directed to a different website to complete a gift purchase. How do I know that it's safe to enter my credit card information?

rupixen-com-Q59HmzK38eQ-unsplash.jpg

️ Tom | he/him
Seller Community Manager | Square, Inc.
Find step-by-step help in our Support Center
21,594 Views
Message 1 of 43
Report
1 Best Answer
Square

Best Answer

Hello Everyone,

 

Thanks again for taking the time to share your questions and feedback!

 

We hope your questions were answered—the experiences you've shared will help us as we continue to iterate based on your feedback.

 

As we close out this event, we wanted to do a recap on three themes that came up frequently:


  • 🔒 Beyond mobile phone two-step verification
    We strongly believe that enabling two-step verification is the best protection against account takeover attempts. Enrolling your mobile phone number is the easiest option but we also recommend adding a backup method in case you have issues receiving codes via SMS in the future. Available backup methods are (1) generating security codes using a third party Authenticator app such as Google Authenticator, Microsoft Authenticator or Authy or (2) enrolling an alternate mobile phone number that belongs to you or someone you trust enough to have full access privileges to your Square business account.

    For those of our sellers who want the strongest two-step verification, use an Authenticator app only, but make sure to follow the app’s instructions to set up a backup and recovery method (Google, Microsoft, Authy) in case you later lose access to the app or lose your mobile phone in the future.

  • 🔍 Watch out for spoofing and scams
    Be watchful of suspicious emails that look like they came from Square or from third party businesses sending messages through squareup.com, they are probably scams. Scammers will often create a false sense of urgency to persuade you to pay money, provide private information or install software that spies on you. You can check the Square app or your squareup.com Dashboard directly as the source of truth. If you think an email is impersonating Square, you can forward it to spoof@squareup.com. We have a security vendor evaluating the emails and performing any necessary takedowns on domains (malicious links) attempting to phish credentials or install malware.

  • 🧰 Self-service recovery experience is in the works
    Square uses a network of layered controls to defend against account takeover fraud. Sometimes, sellers may experience a suspicious activity review that temporarily locks their account or card usage. We are continuously making improvements to the way we block fraudulent login attempts, detect account takeover fraud and lock the bad actors out of our sellers’ accounts. We are also investing in an enhanced self-service recovery experience so that sellers can unlock their own accounts on their own time, without having to call Square support.


We appreciate you taking the time to share your experiences and we'll continue to improve Square’s products based on your business needs.   

 

Again, thanks for your participation. For the latest updates, keep watch for announcements of new features in Product Updates.

 

Mimi W.
Product Manager, Square
Get help in our Support Center

View Best Answer >

8,705 Views
Message 43 of 43
Report
42 REPLIES 42
Square Champion

Hi @Tom thanks for this post. I occasionally get spam/phishing emails that are spoofed to look like they come officially from Square, but it's someone else trying to get me to click on a link that takes me somewhere else. I always forward those emails to: spoof@square.com. Is there anything else I can do? Would be curious to hear about more details or any success stories from the fraud dept (if there is one?) at Square, to feel good about contributing toward stopping these kinds of fraud attempts.

Charlie
Homestyle Charlie
Handmade Heirloom Ornaments & Charms
Check our links for retail Etsy orders and Wholesale Ordering Info
18,229 Views
Message 2 of 43
Report
Square

Hi @HC_Charlie, thanks for bringing this up.

 

We have a security vendor monitoring spoof@squareup.com. Their security teams evaluate the emails and perform any necessary takedowns on domains (malicious links) attempting to phish credentials or install malware. By forwarding an email there, you're helping take down phishing/malicious sites and helping prevent others from falling victim to the same scam. Their security teams also do analysis on any identified malware, which contributes to the larger security community and helps strengthen malware detection and prevention.

Mimi W.
Product Manager, Square
Get help in our Support Center
7,781 Views
Message 3 of 43
Report

Does this include Notifications from Square on the POS? The notifications that come through the Square POS are legit right? 

6,323 Views
Message 4 of 43
Report
Square

Yes good call. You can trust that the in-app notifications on your genuine Square apps are from Square.

Mimi W.
Product Manager, Square
Get help in our Support Center
5,989 Views
Message 5 of 43
Report

In the last 3 weeks, I’ve received a bogus Square invoice from Geek for $467. I tried to block the email but it ended up blocking all emails from Square. So I just keep deleting them. How did this person access the Square app and my email address to send this invoice directly to my personal email inbox? I’m concerned. 

14,477 Views
Message 6 of 43
Report
Square

Hi @Evanscounseling

 

It sounds like this person knows your email address but is not necessarily sending messages from your Square account. If you would like to find out more about your specific case, please use this form to send our team an email: https://squareup.com/help/us/en/contact.

 

Square works behind the scenes to detect and suspend accounts that are being used for fraudulent purposes such as sending invoices pretending to be Geek Squad. Our models are constantly being tweaked and improved over time. In the meantime, you did the right thing to notice that the invoice was bogus and delete it.

Mimi W.
Product Manager, Square
Get help in our Support Center
6,884 Views
Message 7 of 43
Report

I use Square at multiple jobs and where I volunteer. There are many people that access the Square account so I wanted to know if there is a way to add multiple emails/cell phones so that each person can log in with the two-step verification? Otherwise you have to track down the person with the email/cell phone that is listed to have them give you the code to get in.

Thank you!

13,193 Views
Message 8 of 43
Report
Beta Member

This would be SO helpful for me too!

11,744 Views
Message 9 of 43
Report

I have the SAME problem. I had to turn off 2FA to use the App with multiple people & phones.

9,602 Views
Message 10 of 43
Report
Square

Hi @HVOD — and @CANDIDHOME@ajja, and @TransNAACP who had similar questions:

 

Yes, you can set up multiple cell phone numbers as eligible 2-step verification methods. While we recommend that each employee gets their own account rather than sharing account email addresses and passwords, we recognize that’s not always practical. After you enable 2-step verification, you can follow these steps: Update 2-Step Verification Phone Numbers to add additional cell phone numbers.

Mimi W.
Product Manager, Square
Get help in our Support Center
7,781 Views
Message 11 of 43
Report

I wanted to set up 2FA for logging on to the back office but not when the staff open the app at the shop, otherwise they have to contact me for the code, which is not a realistic plan. Can i delineate which option gets the 2FA?

13,091 Views
Message 12 of 43
Report
Square

Hi @KaleenYes you can. Here’s one way to do it.

 

Back office staff:  I would recommend creating individual employee accounts for each of your staff that needs back office access. You can then Enable Business 2-step verification so that each of those employees will need to use 2FA to login.


Front office staff: For staff who will be using shared POS devices, I would recommend generating Device Codes that they can use to log in to the device and then clock in with their personal passcode (if applicable). When those devices are logged in using Device Codes, there is no 2FA required. You can find out how to set up and use Device Codes here.

Mimi W.
Product Manager, Square
Get help in our Support Center
7,768 Views
Message 13 of 43
Report

Can Square use an email for a second form of verification? To ask for a cell phone as the only other possible second form of verification is unfair to those that do not use or cannot have a cell phone on the job. The small business that I manage does not have a staff schedule that would make it possible to use a cell phone as a second form of verification.

12,264 Views
Message 14 of 43
Report
Square

Hi @ayurveda-world,

 

From a security perspective, we choose not to allow email addresses as a 2-step verification method. Across the industry, there are many instances where users will reuse the same password for their email account as their other online accounts. So when a bad actor has access to one password, it unlocks both the service itself and the email inbox where 2-step verification code is sent to.

 

As an alternative to 2-step verification to a cell phone, you can add an Authentication app such as Authy, Google Authenticator or Microsoft Authenticator. In your particular case where you don’t want your staff using their cell phones, I would recommend downloading the Authy app for Mac / PC or iPad. The initial setup for the Authy app on a computer or tablet will involve a phone number (cell phone or landline) but using it to generate 2FA codes for logging in will not require phone access.

 

Follow these steps to Enable an Authentication app as your Square account’s 2FA method.


Although not available yet, we are working on 2-step verification delivered via an automated voice call. Look out for product updates as we can then deliver these codes to your business’s landline phone number.

Mimi W.
Product Manager, Square
Get help in our Support Center
7,736 Views
Message 15 of 43
Report

With 2 step verification can it be set up with 2 phone numbers, so either one of the  two  can get the code and verify? There are 2 of us and we are not often at the same location.

thanks Tom

12,154 Views
Message 16 of 43
Report

I have received 2 emails that say I have negative feedback one stating for a delayed purchase delivery and one stating that there were bogus order placements for my customers and saying that my account would be closed by Nov 30th. Neither of these things are showing up on my square dashboard and I have had NO complaints from my customers.  I feel that these are fraudulent  but certainly  need to know so I can address this.  Thank you, Cheryl White

11,763 Views
Message 17 of 43
Report
Square

Hi @DeepRiver2022,

 

You can forward these emails to spoof@squareup.com to report the incident. Do not include any other information in the email you forward. The appropriate team will investigate and take action if needed. Here’s more information from a previous Seller Community thread.

Mimi W.
Product Manager, Square
Get help in our Support Center
7,767 Views
Message 18 of 43
Report

I have found many sites that use Yubico keys for logging in, and I believe that system to be very safe.  Has Square considered Yubico as a second safe log in?

11,594 Views
Message 19 of 43
Report
Square

Hi @Nootkabear,

 

We are exploring stronger authentication methods such as Yubico keys and on-device prompts.

 

In the meantime, if you haven’t already, you can use an Authentication app such as Authy, Google Authenticator or Microsoft Authenticator as your 2FA method instead of using SMS codes sent to a cell phone.


Follow these steps to Enable an Authentication app as your Square account’s 2FA method.

 

Also tagging @Giblet37 who had a similar question — check out my reply here. ⬆️

Mimi W.
Product Manager, Square
Get help in our Support Center
7,757 Views
Message 20 of 43
Report

Hello,

I like the idea of the added security of 2 factor authentication but I need another way to activate it besides a code sent to your cell phone. Perhaps a code sent to an email account, for example.  We do not have an Apple store in our area. The nearest one is over 200 miles away. Recently my iPhone broke. It was a hardware problem and not user caused. Apple was great about repairing it but my options were to drive to an Apple store (over 4 hours each way) or mail my phone in for repairs. In both scenarios I did not have access to my phone for some time. If I had this 2 factor authentication turned on I would not be able to access my Square account. I would not be able to run my business or pay my employees. That is too big of a risk for me to take. I need to have access to Square at all time and can not afford to be 'locked out' if my phone breaks or is stolen. 

Thank you for considering my situation. 

Clea 

Simple Machine 

Winery & Tasting Room

10,797 Views
Message 21 of 43
Report