Phishing attacks happen when a malicious source tries to get you to provide private information by pretending to be a legitimate company, coworker, or someone else you trust. They often look like official emails, websites, tweets, or Facebook posts, and can steal your personal information if you’re not on the lookout.
Stripe does send email notifications from time to time, so it is always worth checking the content of the email for the following details:
Check the web address (URL) before you click on a link. On a web browser, hover over the link and look at the URL that shows up on the bottom of your browser. Is it pointing to a page at stripe.com?
Stripe emails will sometimes come from “e.stripe.com” or “growth.stripe.com”, and you may see pages that include “stripe.events” or “go.stripe.global”. All of these are domains that are owned by Stripe.
Stripe.com is where our product lives, and it is common practice for companies to choose different domains for sending emails and hosting landing pages. Doing so allows us to protect the original domain from security threats.
Some Stripe emails will also contain links that read “https://info-link.stripe.com”. This is a redirect link owned by Stripe that directs users to Stripe proprietary content. Users should also check that the link contains “https”. All event registration pages will have the stripe.events domain in the URL (e.g. “https://stripe.events/devxdub”).
Only type your password into a website after confirming that it is the website you want, not one that was created to look like Stripe.
Check the domain name for typos (such as “stirpe.com”).
Check for our Extended Validation Certificate; this usually looks like a green lock next to the URL, and it lets you know that you are on the genuine Stripe website.
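The link checks above, written out as a small Python function. This is an added example, not Stripe's code: the allowlist holds only the domains named on this page, and accepting any subdomain of them, the function names, and the sample links (marked as constructed) are assumptions.

```python
from urllib.parse import urlsplit

# Domains this page names as Stripe-owned. Accepting any subdomain of each
# is an assumption of this example.
STRIPE_DOMAINS = ("stripe.com", "stripe.events", "go.stripe.global")


def _edit_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_link(url):
    """Return (verdict, host) for one link copied out of an email."""
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and port, and is already lower-case.
    host = (parts.hostname or "").rstrip(".")
    # Match whole labels: the host is a listed domain or ends with "." + domain.
    if any(host == d or host.endswith("." + d) for d in STRIPE_DOMAINS):
        return ("ok" if parts.scheme == "https" else "not-https", host)
    # Typo check: compare the last two labels with the two-label domains.
    tail = ".".join(host.split(".")[-2:])
    if any(0 < _edit_distance(tail, d) <= 2 for d in ("stripe.com", "stripe.events")):
        return ("lookalike", host)
    return ("not-stripe", host)


if __name__ == "__main__":
    # Constructed sample links; the first and fourth hosts appear on this page.
    for link in ("https://stripe.events/devxdub",
                 "http://e.stripe.com/receipt",
                 "https://stripe.com.login.example/",
                 "https://stirpe.com/login"):
        print(link, "->", check_link(link))
```

The host is compared label by label rather than by substring, so a link that merely contains "stripe.com" somewhere in its address is not accepted.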
If you believe the email is a phishing attempt, forward the full message along with the email headers to email@example.com.