Recognise and report suspicious activity
About suspicious activity
At Square, keeping your account secure is our top priority.
If you can’t access your Square account, your account may have been taken over. An account takeover happens when a hacker logs in to your Square account and uses it to commit fraud. To do this, they only need access to your email address and password. Account takeovers can result in chargebacks and lost sales and present a reputation risk if the hackers pose as your business. Fraudsters target you with phishing emails that attempt to trick you into giving up your credentials to what looks like a trusted source.
Before you begin
You can prevent suspicious activity (including account takeover) by updating your account security on a regular basis.
Report suspicious activity
There are several ways to report suspicious activity to Square based on what occurs.
If you receive suspicious communications, contact Square Support or report the massage if applicable. Once suspicious activity is reported, the appropriate team will investigate and take action if needed.
If you notice a transaction or change made to your account that you didn’t authorise, contact Square Support right away.
If you receive a notification from us regarding changes to your account information or unusual activity on your account, follow the instructions to complete the self-verification steps. We will then review your account and let you know of the outcome. This process can take up to 48 hours. Once your account is verified and your access restored, you may be prompted for some additional steps to enable two-step verification or to update your contact information.
If you can’t log in with your email address and password, contact Square Support. Make sure to provide the email and phone number associated with your Square account in the request; we’ll work with you to get you back in control of your account.
Protect your account
Review the instructions below to protect your account from suspicious activity.
Is your Square password the same as your email, bank, or an online shopping account? If so, and any of those systems are breached, your Square account is immediately accessible. Anyone can guess simple, common password combinations. Avoid using a number series (12345), your birthday, and “password.” Learn how to reset your password or how to create a passkey.
Two-step verification is a tool that provides an extra layer of security for your Square account, protecting your account from unauthorised access. Learn how to [set up two-step verification](https://app.squareup.com/help/(locale}/article/5593).
In instances that Square detects unusual activity on your account and needs to contact the account holder, you can add an additional secure contact method to your Square account as a backup. Adding a secondary contact method enhances account security and helps you access and recover your account, if needed. Learn how to edit your account and business information.
Email is not a secure way to send any information and could expose you to data hacking. Personally identifiable information (“PII”) is information that either on its own, or when put together with other data, can identify an individual. Examples of PII include: social security numbers, tax identification numbers, home / business addresses, phone numbers, debit/credit card numbers, dates of birth, copies of government-issued IDs and health information.
When you send an email, you don’t necessarily know how many networks or servers the message will pass through on its way to the recipient, or who has access to them. In addition, emails sitting on your device may be accessible to a third party.
To be truly secure, the message must be encrypted before it leaves the sender’s computer and it must remain encrypted until the recipient receives it. We have partnered with a cloud-based service provider, SendSafely, which we will use to transfer PII from Square. SendSafely uses end-to-end encryption to protect files from unauthorised access. Files and messages sent through SendSafely are encrypted before they leave your the sender’s device and SendSafely never has access to the decryption key needed to view them, ensuring it is only the intended recipient who has the ability to decrypt and access the message. The recipient doesn’t need to install anything new to use the service.