Phishing

Watch Out for Phishing Emails and Websites

Find out how to protect yourself from phishing.

We have confirmed reports of malicious third parties sending fraudulent emails and text messages to our users in attempts to direct them to phishing websites that look very similar to Mercari. 

These websites trick users into revealing sensitive information like login details, personal information, and payment details.

As these attack methods become more sophisticated, it is getting harder to distinguish between legitimate and fraudulent messages. If you receive an email or a text message claiming to be from Mercari, do not click on any links. Instead, access your account directly through the official Mercari application or website using a trusted bookmark.

What is Phishing?

Phishing refers to fraudulent attempts to steal login information, payment details, and other personal information by sending messages (email, text, SNS messages, etc.) or initiating phone calls and directing recipients to fake phishing websites that look almost identical to legitimate websites.

Stolen information may be used by bad actors to commit other crimes and fraud. As many people use the same ID and password on multiple websites/apps, attackers may leverage stolen login information to attempt to log in to other services.

How to Protect Yourself From Phishing?

  • Register a passkey. Passkeys are a more secure alternative to passwords. With a passkey, you can log into your Mercari account using biometrics (Face ID or fingerprint) or the PIN you use to log into your device. To register a passkey, follow the instructions here
  • If you use passwords, ensure they are strong and unique for each service, and use a password manager to generate and securely store your passwords
  • Enable multi-factor authentication (MFA)
  • Be suspicious of emails, text messages, and calls asking you to act quickly and encouraging you to click on links or download files (e.g. asking you to click on a link within 24 hours to verify your account to avoid permanent account suspension). Do not click on any links and do not open attachments or files unless you are absolutely sure they are legitimate
  • Always log in to your Mercari account using the Mercari app, by typing the URL directly into your browser, or via a bookmarked login page
  • Verify the sender’s email address and be mindful of unusual or misspelled email domains
  • Reach out to Mercari directly if you need to verify the legitimacy of the information received

Example of a Phishing Message

In the example below, bad actors used the Mercari logo and referred to past promotional campaigns, making it look like a legitimate email from Mercari. However, if a user clicks on the button or links in the message, they will be sent to a phishing website that will ask them to enter their password and other information that would allow an attacker to take control of their Mercari account.

*Example of an actual phishing email

Phishing Websites Advertised Through Social Media

Another common phishing technique is to advertise phishing websites (usually showing unrealistically low prices) on social media. When a user clicks on an ad, they are sent to a phishing website. 

Even if an advertisement is posted on a well-known social media platform, never enter your login credentials or personal information on a website you are directed to by an advertisement. Always use the official Mercari app or website to make purchases.

*Real example of fraudulent advertisement directing users to a phishing site


Example of a Phishing Website

Phishing emails, text messages, and fraudulent advertisements often copy the Mercari UI. It may be difficult to distinguish between authentic and phishing websites just by looking at them. To protect yourself from phishing, only log into your Mercari account via the official Mercari app or webpage. 

*Screenshots of a phishing site imitating Mercari

Check Our News for the Latest Information on Phishing and Fraud

We post notices and information regarding reported phishing attempts in the News section of both the Mercari app and our official blog.

How to check the news:
– App: From the home screen, go to “お知らせ” (Notices), then “ニュース” (News)
– Website: Go to “マイページ” (My Page), and then “ニュース一覧” (News)

If You Entered Sensitive Information On a Suspicious Website

If you entered your password or other such information on a suspicious website, please check the following Help Center article for guidance.
What to do if you access a suspicious website (available only in Japanese)

Reporting Phishing

If you receive suspicious emails or text messages, or have been directed to suspicious websites that appear to be impersonating Mercari, please forward them to phish@mercari.com (this is a designated receive-only email address; we will not reply to your report).

If you need Customer Service to respond to your report, please contact us through the “お問い合わせ” (Inquiries) section of Mercari’s official app or website.

 

How to Report Phishing

  • For emails, simply forward them as they are
  • For text message content, send a copy of the suspicious message
  • For suspicious websites, copy and send the website address

You do not need to change the subject line or include any additional information in your message when reporting these security concerns.

The Mercari Trust and Safety Team will investigate your report. Please note that we will use the information we receive from you to prevent fraudulent activity and for other purposes outlined in our Privacy Policy.