I recently received an unusual email message to my main email account inbox, and my immediate reaction was, “This would be a good topic for a blog post.” As a member of the infosecurity industry, I practice what I preach and do not open emails from senders I don’t recognize. While I, too, may be curious when an email arrives with a tempting subject, I avoid phishing and spam at all costs. This particular email message, though, was different, and here’s why.
The email’s subject was “Receipt from (the name of a restaurant where I had recently dined).” While I had not provided my email address to the restaurant directly, I DID recognize the name, so the likelihood that the email was spam was very low. The email’s sender was identified as “Name of Restaurant” with the email address of email@example.com.
Before opening the email, the following questions went through my mind:
 How did the restaurant get my email address?
 I did not realize that the restaurant used Square, so how did Square get my email address?
 The email address where I received the email had no connection to my credit card, so how did this particular email address receive the Square email?
However, many restaurants, medical providers, retail outlets, and more use Square, so the first line of the email message now made sense: “Square automatically sends receipts to the email you used at any Square seller.”
Upon clicking the “Learn more” link in the email message:
“After your first purchase at a Square seller, you’ll have the option to provide your email address or phone number if you would like to receive digital receipts. Once you provide an email address, you’ll start receiving automatic receipts delivered by Square at that email address for all purchases you make from Square sellers using the same credit card. You can unsubscribe from automatic receipts right from the last emailed receipt that you received from Square.”
The other thing to note about Square is that for some businesses and others that use Square for payment processing, the ONLY way to get a receipt is to provide an email address. There is no choice if you want a receipt.
After satisfying myself that there had not been a security breach, I realized that the restaurant should have done more to alert its customers about its new mobile payment procedures. There could have been a sheet of paper attached to the receipt explaining Square’s involvement; or there could have been a sign at the front entrance with the same message; or lastly, the wait staff could have mentioned Square’s involvement and the future email.
Mobile devices and mobile payment processes are changing the way we all do business.
Image Credit: In Order to Succeed (Twitter: @Order2succeed ).