We have confirmed reports that parties claiming to be Mercari Group services have sent suspicious email and short message service (SMS) messages to users, directing them to fake websites (phishing sites) that look like Mercari. These sites ask users to enter their email address and password.
As these attack methods become more sophisticated, it is getting harder for users to tell whether such emails and SMS messages are genuine. If you receive an email or SMS message stating that it comes from Mercari, do not open the link in it. Instead, check the Mercari app or access the official Mercari website through a bookmarked webpage.
What is phishing?
Phishing refers to fraudulent attempts to steal passwords, credit card information, and other personal information by sending messages (email, text, etc.) directing recipients to fake websites that look and feel just like the real thing.
Stolen personal information may be used to impersonate victims on Mercari or other services. Many people use the same ID and password on multiple websites/apps, so attackers may also use stolen login information to attempt to log in to other services.
Example of a phishing email claiming to be from Mercari
The email below is an actual phishing email used to target Mercari users.
The message uses the Mercari logo and refers to statements from past promotional campaigns, making it look like a real email message from Mercari. However, when the user clicks the button or link in the message, it sends them to a fake Mercari webpage.
The fraudulent website asks the user to input their password, SMS ID number, passcode, and other information, which the attacker will then abuse for their own purposes.
*Example of an actual phishing email
Misdirection tactics other than email and SMS
We have seen other phishing attempts that use fraudulent advertisements posted on social media. When the user clicks on an ad, they are sent to a fake Mercari website. These fraudulent advertisements tend to advertise items at impossibly cheap prices.
Even if an advertisement is posted on a social media platform that you are familiar with, never enter your user information on a website that an advertisement directed you to. Only search for items on Mercari’s official website or app.
*Fraudulent advertisements that sent users to a fake Mercari website (past example)
Example of a phishing website claiming to be from Mercari
Phishing emails, SMS messages, and fraudulent advertisements send users to fake websites that are copies of the Mercari website and look and feel like the real thing. It can be hard to detect a fake simply by looking at it.
If a link leads to a page that displays what appears to be a Mercari login screen, treat it with suspicion first, and access Mercari through a bookmarked webpage, the official app, or some other method familiar to you.
*Screenshots of a phishing site imitating Mercari (past example)
Checking our news for the latest information on reported phishing attempts
We post notices and information regarding reported phishing attempts in the News section of both the Mercari app and our official blog.
How to check the news:
– App: From the home screen, go to “お知らせ” (Notices), then “ニュース” (News)
– Website: Go to “マイページ” (My Page), and then “ニュース一覧” (News)
If you entered your information on a suspicious website
If you entered your password or other such information on a suspicious website, please check the following Help Center article for guidance.
What to do if you access a suspicious website (available only in Japanese)
Reporting phishing where the attacker claims to be from Mercari
We accept phishing reports from our users for investigative purposes.
Please submit reports to email@example.com.
Please note that this is designated as a receive-only email address, so we will not reply to your report.
If you require a response to your report from Customer Service, please contact us through the “お問い合わせ” (Inquiries) section of Mercari’s official app or website.
Reporting suspicious emails
Please forward any suspicious emails you receive to: firstname.lastname@example.org.
You do not need to change the subject line of the email message.
Reporting suspicious SMS messages
Please forward a copy of any suspicious SMS content you receive to: email@example.com.
You do not need to include any other information in the message or the subject line.
Reporting suspicious websites
Apart from email and SMS messages, if you are directed to a suspicious website that you believe is trying to deceive you by impersonating Mercari, copy the address of the website and send it to: firstname.lastname@example.org.
You do not need to include any other details in the body or subject line of your email.
The Mercari Fraud Team will investigate your report based on the information we receive.