Unfortunately, there are many ways for bad actors to obtain card or account information. It’s not always possible to determine exactly how a card was compromised, but being knowledgeable about common tactics can help you avoid scams and keep your account safer.
Below is a list of fraud schemes and scams that are common around the world:
Social engineering
Fraudsters use social engineering to manipulate individuals into providing card and personal information. It can take place in person, over the phone, or over the Internet. Often, social engineering that takes place over email or text falls under the category of phishing. Social engineering often uses three elements: fear, urgency, or authority. Always take a moment to look for those key elements and ask yourself whether the request makes sense for the situation.
Phishing scams
A phishing scam occurs when a fraudster sends emails or text messages, or makes calls, pretending to be a legitimate company to trick consumers into providing personal information, such as card information. Here is a great article on phishing scams with some tips on recognition and protection.
Skimming
Skimming occurs when a fraudster attaches a card reader to capture consumer information. Card readers can be attached to gas station payment portals, ATMs, or even installed in businesses.
Malware and spyware
Malware and spyware are software installed on a device, often without the owner knowing, to capture what is typed on it, such as passwords or card information.
Card best practices
If your card was compromised, it’s unlikely that we’ll be able to tell you exactly how it happened or whether any of the above tactics were used, but here are some best practices to help keep your card secure going forward:
- Whenever possible, work with vendors you know and trust, or who are recommended to you by someone you trust. Avoid making purchases based on advertising alone.
- Double-check email addresses and messages when communicating with a trusted merchant. For example, Mercury will always email you from an @mercury.com email address. A strange URL at the end of an email address or a string of random names or numbers could warrant more investigation – try getting in touch with your normal point of contact at the sender’s company to verify before clicking any links sent with the email, opening any attachments, or responding.
- A good rule of thumb is to consider how you normally interact with a merchant. Do they usually send letters by mail, but today they’re contacting you over the phone? Is their message urgent and provoking more anxiety than usual? Is someone claiming to be an agent reaching out over text, when you’ve always had to contact them first in the past?
- When entering your card information online, don't use any links emailed or texted to you. Go to the merchant's website and locate the appropriate payment page instead.
- Never share your account or card information on public or unsecured channels, like email, Slack, or text.
- Never let someone else use your card, even when you want to authorize them to spend from your account. Instead, invite them as a team member, assign them a role, and issue them their own virtual or physical debit card.
- Keep your records updated – make sure you’re removing team members and beneficial owners from your Mercury account when they leave your company.
- Set reasonable daily, weekly, or monthly limits for each card based on how much you spend on each.
- Create merchant-locked cards when you only use a card with specific stores and vendors.
If you suspect that your card is compromised, or if you notice any unrecognized transactions on your card, you should freeze it immediately by following the instructions here.
We recommend freezing first, but if you’re certain that the card is compromised, you should cancel or replace the card so that it can’t be unfrozen. If you’re canceling because of unrecognized transactions, double-check with your team and your own records to confirm that the transactions are fraudulent, since cards can’t be reactivated after they are canceled.