Last night I received an email from Jessica at the Google Checkout team telling me they were unable to verify my account and that they need me to email or fax them photocopies of my credit card and drivers licenses. No creditable merchant service should ever ask you for that information over email, ever.
In the Google Checkout Buyer help section it says;
What is phishing?
A message or website that tries to trick you into revealing personal information by appearing to be from a legitimate source, such as a bank (or Google!).
Messages or websites phishing for information might ask you to enter:
Usernames and passwords Social Security numbers Bank account numbers PINs (Personal Identification Numbers) Credit card numbers Your mother's maiden name Your birthday
Phishers often ask for personal information in an attempt to steal your Google Account, your money, your credit, or your identity.
You should always be wary of any message that asks for your personal information, or messages that refer you to a webpage asking for personal information. If you receive this type of message, especially from a source claiming to be Google, please do not provide the information requested.
The email asked specifically for this type of information:
Please complete the following steps within five business days:
1. Photocopy or scan the front and back of the credit or debit card you used to sign up. (For security purposes, please conceal the first 12 digits of your card number, leaving only the last 4 digits visible.) 2. Photocopy the front of your driver license. 3. Write your ID (referenced above) on these documents, then fax them to 'Google Account Verification' at 650 644 0159. If you prefer, you can also attach your scanned documents to an email and respond to this message.
I have also taken a screen capture of the message headers, which seem somewhat legit to me, but I am sure I am missing something.
If you want to report such an attempt you can use this form or email it to email@example.com, which I will be doing right now.
Now, what is incredibly shocking to me is that in a Google Groups thread we have a similar email from a Chad at Google reported there. The thing is, Deborah (GoogleCheckoutPro) from Google tells the person to reply to the email with the information.
I know they say in brackets that I should block out part of the number, but still, they are asking for too much. They can call me if they want me to verify information.
I am unable to go into specifics about your account here. The best thing to do in this case is to respond back to the email from Chad with your questions. You can also contact our support team. They are very good at responding to emails in a timely manner.
Are you kidding me!
Forum discussion at Search Engine Roundtable Forums.
Update: This is a real email, Jessica called me to confirm (she then replied to my forward of the email to firstname.lastname@example.org) so this is real. I am still Google handles it this way.
Thank you for taking the time to speak with me over the phone today.
As mentioned over the phone to you earlier, I can confirm that the email you received is a legitimate message from Google. I apologize for any confusion.
Please follow the instructions listed in our previous email to reactivate your account.
If you have any further questions, please feel free to reply directly to this email.
Jessica The Google Checkout Team