Watch out for suspicious emails or websites claiming to be associated with Mercari (2024)

We have confirmed reports that parties claiming to be Mercari Group services have sent suspicious email and short message service (SMS) messages to users, directing them to fake websites (phishing sites) that look like Mercari. These sites ask users to enter their email address and password.

As these attack methods become more sophisticated, it is getting harder for users to determine whether such suspicious emails and SMS messages are genuine or not. If you receive an email or SMS message stating that it comes from Mercari, do not access the link. Instead, check the Mercari app or access the official Mercari website through a bookmarked webpage.

Phishing refers to fraudulent attempts to steal passwords, credit card information, and other personal information by sending messages (email, text, etc.) directing recipients to fake websites that look and feel just like the real thing.

Stolen personal information may be used to impersonate victims on Mercari or other services. Many people use the same ID and password on multiple websites/apps, so attackers may also use stolen login information to attempt to log in to other services.

The email below is an actual phishing email used to target Mercari users.

The message uses the Mercari logo and refers to statements from past promotional campaigns, making it look like a real email message from Mercari. However, when the user clicks the button or link in the message, it sends them to a fake Mercari webpage.

The fraudulent website asks the user to input their password, SMS ID number, passcode, and other information, which the attacker will then abuse for their own purposes.

*Example of an actual phishing email

We have seen other phishing attempts that use fraudulent advertisem*nts posted on social media. When the user clicks on an ad, they are sent to a fake Mercari website. These fraudulent advertisem*nts tend to advertise items that have impossibly cheap prices.

Even if an advertisem*nt is posted on a social media platform that you are familiar with, never enter your user information on a website if you are directed there by an advertisem*nt, and only search for items on Mercari’s official website or app.

*Fraudulent advertisem*nts that sent users to a fake Mercari website (past example)

The fake Mercari websites that phishing emails, SMS messages, and fraudulent advertisem*nts send users to are copies of the Mercari website that look and feel like the real thing. It can be hard to detect a fake simply by looking at it.

If a link leads to a page that displays what appears to be a Mercari login screen, first treat this with suspicion and access Mercari by using a bookmarked webpage, the official app, or some other method familiar to you.

*Screenshots of a phishing site imitating Mercari (past example)

We post notices and information regarding reported phishing attempts in the News section of both the Mercari app and our official blog.

How to check the news:
– App: From the home screen, go to “お知らせ” (Notices), then “ニュース” (News)
– Website: Go to “マイページ” (My Page), and then “ニュース一覧” (News)

If you entered your password or other such information on a suspicious website, please check the following Help Center article for guidance.
What to do if you access a suspicious website (available only in Japanese)

We accept phishing reports from our users for investigative purposes.
Please submit reports to phish@mercari.com.
Please note that this is designated as a receive-only email address, so we will not reply to your report.
If you require a response to your report from Customer Service, please contact us through the “お問い合わせ” (Inquiries) section of Mercari’s official app or website.

Reporting suspicious emails
Please forward any suspicious emails you receive to: phish@mercari.com.
You do not need to change the subject line of the email message.

Reporting suspicious SMS messages
Please forward a copy of any suspicious SMS content you receive to: phish@mercari.com.
You do not need to include any other information in the message or the subject line.

Reporting suspicious websites
Apart from email and SMS messages, if you are directed to a suspicious website that you believe is trying to deceive you by impersonating Mercari, copy the address of the website and send it to: phish@mercari.com.
You do not need to include any other details in the body or subject line of your email.

The Mercari Fraud Team will investigate your report based on the information we receive.

Note, the information we receive will be used for fraud prevention and other purposes detailed in our Privacy Policy.