This could also go into the "things that make your brain hurt" folder, but search isn't working so it's going here
I could edit out the bank in question, but I'm not feeling particularly charitable to them right now so it's staying in.
I got a suspicious email yesterday, something like this:
Dear Valued Merchant,
This notification is from your payments processor, Intuit Payment Solutions. We are contacting you with respect to a recent case opened on your behalf.
Please open the attached Merchant Accounting notice. It has detailed information regarding your case 112939046. To inquire about your case, please find the contact information needed in the attachment.
Thank you for choosing Intuit Payment Solutions!
It came with an attached .pdf. Now, I wasn't born yesterday - I don't open strange attachments from financial companies, especially when they only know me as "valued merchant." And doubly so when the email comes from an address like "IMSDocumentation[AT]innovativemerchant.com" - which doesn't share any part of a domain name with the company I actually work through.
On the other hand, I *did* just use my account this weekend for the first time in months (it's a swipe account that lets me accept credit cards when I do craft fairs - I haven't sold my jewelry other than via Etsy for quite a while so my account just sat dormant). And when I went digging, I discovered that I had received another email from the same address over the weekend telling me I had to add a bank account to my profile:
MERCHANT ACCOUNT NUMBER: [number]
Dear [my name],
Thanks for signing up with Intuit Payment Solutions. To make sure you get paid as fast as possible, enter your deposit bank account information.
Tell us where to send your money:
Visit the Merchant Service Center. <--hyperlink
At the bottom of your account profile's Deposit Account Information section, add your bank account.
The Intuit Payment Solutions Team
Please do not reply to this message.
That one came with a .pdf also. Instead of clicking a strange link, I went to the site manually, and I did indeed have to add a bank to my account so they could make the deposit.
So yeah - timing was reasonable and the first email did include my real name and account number, but I wasn't expecting anything about a "case 112939046" and the email still smelled fishy (or phishy). So I contacted the fraud department via their online form and asked if the email was legit.
I got a second email today, identical to the former one posted above. So this time I called their customer support line. You know what's even more fun than 15 minutes of a 1-minute muzak loop interrupted by someone telling me I could be doing this online right now? Finding out that the fraud department replied to my email about sketchy .pdfs by sending their reply as another sketchy .pdf.
I did some more searching - their fraud site lists a handful of email addresses they send official correspondence from, but none use that particular domain name. And there's no good way to get an actual email address to complain to - the CSR on the phone didn't have a clue (although she did agree that their system is pretty dumb), and the site only links you to contact forms instead of actual emails to real people.
It's not enough to make me refuse to use their company forever and ever, but if they want to reach me in the future they'll have to try snail mail