
I work for a small ecommerce company and over the weekend we received a few emails from customers claiming to have received an email asking them to confirm their card details to process their orders.

Here is the text from the email:

Hi Jan for some reason our payment processor could not process your order.

Can you please reply back with your card details so we can manually process your order again.

Card number -

Expiry -

Last 3 digits -

Kind regards,

Lucy Whetton

This email was sent from a gmail account using our company's name (company.name@gmail.com) but we do not use gmail (sales@company.name.com). We retail through ebay and our own site and our payments are processed through PayPal.

This sent us on a password changing frenzy yesterday, but today we're still receiving emails informing us of the scam. We've changed our PayPal password, the password for our email address associated with the retail site (order confirmations containing customer information are stored there) and our eBay password. We've also set our webserver to require known ssh-keys to login.

What other precautions should be taken to prevent further phishing emails affecting our customers?

schroeder
  • First thing: Send out a mass email to your customers explaining that this is happening, warning them NOT to reply to any requests for personal details or financial information via email, and assuring them that you will NEVER ask for such information. – Polynomial Apr 14 '15 at 14:37
  • Your company does use the `company.name@gmail.com` email? – ThoriumBR Apr 14 '15 at 14:42
  • @ThoriumBR - no, our company email is sales@company.name.com - we don't use gmail. – DJ_Beardsquirt Apr 14 '15 at 14:51
  • Why are you changing your passwords if the source email is not one that you control? – schroeder Apr 14 '15 at 16:18
  • Based on the substance of this question, and your "how do I contact Gmail?" comment, I suspect that you are out of your depth on this issue. I strongly suggest you find a security consultant to find out how the phisher got your customer list and how to remediate the whole problem. – msw Apr 14 '15 at 16:21

1 Answer


1) Contact gmail, and ask them to shut down the gmail account that your customers would send their details to if they fall for the scam.

2) Notify all your customers that this is a scam, and they shouldn't reply to phishing emails like the one above.

3) Spend a bit of time and energy on finding out how/why this happened, and if possible who did it. E.g. a) SQLi on a customer database accessible through your website? b) Insider job? c) ....?

KristoferA
  • "Contact gmail" - care to point to where? I'm not sure that they have a generic abuse contact point. – Polynomial Apr 14 '15 at 14:56
  • A quick search for "gmail abuse" shows how [Google addresses such issue](https://www.google.fr/intl/fr/goodtoknow/online-safety/reporting-abuse/). – WhiteWinterWolf Apr 14 '15 at 15:06
  • @Polynomial This should be a good starting point: https://support.google.com/mail/contact/abuse – KristoferA Apr 14 '15 at 15:41
  • Have you gotten any emails from non-customers? Is there any chance that google would provide you information on who the abusive account sent this identical email to? – ojblass Apr 14 '15 at 16:28
  • *"Notify all your customers that this is a scam"*: Just wanted to highlight that this can be done through several ways, not necessarily exclusive (email sent to customers, warning message displayed on the website, etc.). – WhiteWinterWolf Oct 05 '16 at 09:06
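Step 3 of the answer (find out how the customer list leaked, e.g. via SQL injection against the shop's website) is where a small shop usually gets stuck. The script below is an added example, not code from the question or the answer: it triages web-server access logs for two defender-side indicators of such a leak, injection-style payloads in request URLs and one client pulling an unusual number of customer records. The log format (Apache/nginx combined), the endpoint paths `/account` and `/admin/customers`, the marker list and the bulk threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Triage web-server access logs for signs of a customer-data leak.

Added example (not from the original question or answer).  The log format,
the customer-record paths, the marker list and the threshold are assumptions;
the sample log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format, one line per request (assumed format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Lower-cased substrings that rarely appear in legitimate shop URLs.
# Illustrative, not exhaustive; tune against your own traffic.
INJECTION_MARKERS = (
    "' or ", '" or ', "union select", "information_schema",
    "sleep(", "benchmark(", "'--",
)

# Per-client count of successful hits on customer-record endpoints that we
# treat as "bulk" for a small shop (assumed threshold and assumed paths).
BULK_THRESHOLD = 20
CUSTOMER_PATHS = ("/admin/customers", "/account")


def parse_line(line):
    """Return a dict of fields for a combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx and '+' so encoded payloads are matched like plain ones.
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def injection_markers(decoded_path):
    """List the injection markers present in a decoded request path."""
    low = decoded_path.lower()
    return [mk for mk in INJECTION_MARKERS if mk in low]


def triage(lines):
    """Scan log lines; return (injection_hits, bulk_readers).

    injection_hits: list of (ip, decoded_path, markers) for flagged requests
    bulk_readers:   {ip: count} for clients at or over BULK_THRESHOLD
                    successful requests to customer-record paths
    """
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        marks = injection_markers(rec["decoded_path"])
        if marks:
            hits.append((rec["ip"], rec["decoded_path"], marks))
        # Only successful responses can have returned customer records.
        if rec["status"] == "200" and rec["decoded_path"].startswith(CUSTOMER_PATHS):
            per_ip[rec["ip"]] += 1
    bulk = {ip: n for ip, n in per_ip.items() if n >= BULK_THRESHOLD}
    return hits, bulk


# Constructed sample: normal browsing, two injection attempts from one client,
# and a second client walking customer ids one by one.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Apr/2015:02:14:07 +0000] "GET /product/42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Apr/2015:02:14:09 +0000] "GET /account?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 38240',
    '203.0.113.5 - - [11/Apr/2015:02:14:12 +0000] "GET /account?id=1%20UNION%20SELECT%20email,name%20FROM%20customers HTTP/1.1" 500 210',
    '198.51.100.9 - - [11/Apr/2015:09:00:01 +0000] "GET /product/7 HTTP/1.1" 200 4900',
] + [
    f'203.0.113.77 - - [11/Apr/2015:03:{i:02d}:00 +0000] "GET /admin/customers?id={i} HTTP/1.1" 200 1300'
    for i in range(25)
]


def run_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    hits, bulk = run_sample()
    for ip, path, marks in hits:
        print(f"injection markers {marks} from {ip}: {path}")
    for ip, n in bulk.items():
        print(f"bulk customer-record reads: {ip} made {n} successful requests")
```

Run it against your real access log with `triage(open("access.log"))` after adjusting the paths and threshold; a client that both sends injection payloads and then reads many records is the first thing to hand to whoever does the investigation, together with the matching database and application logs for that time window.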