I work for a small ecommerce company, and over the weekend we received a few emails from customers claiming to have received an email asking them to confirm their card details to process their orders.
Here is the text from the email:
Hi Jan for some reason our payment processor could not process your order.
Can you please reply back with your card details so we can manually process your order again.
Card number -
Expiry -
Last 3 digits -
Kind regards,
Lucy Whetton
This email was sent from a Gmail account using our company's name (company.name@gmail.com), but we do not use Gmail (sales@company.name.com). We retail through eBay and our own site, and our payments are processed through PayPal.
This sent us on a password-changing frenzy yesterday, but today we're still receiving emails informing us of the scam. We've changed our PayPal password, the password for the email address associated with the retail site (order confirmations containing customer information are stored there) and our eBay password. We've also set our web server to require known SSH keys to log in.
What other precautions should be taken to prevent further phishing emails affecting our customers?