Following security best practices to protect your business online

Provided information is for general informational purposes only and should not be considered legal advice. You should consult with your own legal counsel for requirements governing your specific circumstances.

Most security breaches happen when a user unintentionally compromises the security of their information or access. Understanding common tactics scammers use can help protect you, your staff, and your customers from fraud.

Understanding security threats

A security threat consists of:

  • Scammers: A person or group of people looking to commit fraud. Typically profit-motivated.
  • Strategy: A strategy, like phishing or other social engineering tactics, that uses fear and urgency to override rational thinking.
  • Vulnerability: A security weakness, like a simple password or untrained staff.

The more security layers you have in place, the lower your chances of a security breach.

Lightspeed will never call, text, or email asking for your banking info, PIN, password, or verification codes. Keep this information confidential to ensure only authorized users can access your Retail POS account. Learn more about what to do if you suspect your account may be compromised.

Recognizing social engineering tactics

Social engineering is the strategy of tricking someone into compromising their own security by divulging sensitive information.

Social engineers use pressure tactics to make you act without thinking:

Authority

Claiming to represent an organization you work with, like Lightspeed, or someone of importance, like your IT department or bank.

Urgency

Implying or threatening consequences if you don't act immediately. Legitimate organizations won't pressure you to act urgently.

Emotion

Invoking emotions like fear, hope, or curiosity to override rational thinking.

Relevance

Exploiting current events, changes to policies, or specific times of the year, like tax season.

Scammers may try to contact you via email, text, instant message, or phone. Phishing emails are one of the most common social engineering strategies because they're low-cost and easy to automate, especially with AI. Scammers typically use impersonation to trick targets into:

  • Revealing sensitive information.
  • Downloading malware.
  • Transferring money.

Lightspeed will never ask you to:

  • Move funds or change your settlement account to an unfamiliar account.
  • Share passwords or multi-factor authentication (MFA) codes.
  • Act quickly, using urgency to limit your time to think or verify.
  • Keep a security matter confidential from family members or law enforcement.

If you ever receive a request like this, it is not from Lightspeed. Learn more about impersonation scams and keeping your Retail POS account secure.

Protecting yourself from social engineering attacks

Your strongest defense against social engineering attacks is your ability to slow down and think rationally. Scammers rely on panic-based decisions, so always take a moment to pause and consider before taking any action.

If a communication that appears to be from Lightspeed is pressuring you with urgency or other signs of social engineering:

Don't panic

  • Ask yourself or your staff if this communication was expected.
  • Verify the sender, especially if an action is involved.
  • Don't click any links or download attachments.
  • Manually navigate to the official source to investigate the situation in your account (notifications, activity logs, etc).

Don't share

  • Never share personal information during unsolicited contact.
  • Never share passwords or verification codes.

Don't engage

  • If contacted by email or text:
    • Don't reply, click links, scan QR codes, or download attachments.
    • Report the email or text as spam/phishing.
  • If contacted by phone:
    • Hang up immediately (you don't need to give an explanation or worry about appearing rude).
    • Don't follow any provided instructions.

If you're unsure about the legitimacy of a communication involving Lightspeed, reach out directly.

Cybersecurity awareness is important year round, but be extra vigilant around busy periods like tax season.

Identifying phishing emails

Common warning signs in phishing emails include:

  1. Slight misspellings, hyphens, or unusual characters in sender addresses, particularly in website domain names. Be especially suspicious of generic email addresses (like @gmail.com) from unknown senders.
  2. Generic greetings may be a sign of fraudulent messages sent in bulk, but scammers can also use information from social media and other platforms to create personalized messages.
  3. Pressure tactics and unexpected financial requests or "verifications" rely on distraction and trust. Take time to verify and think through actions that could compromise the security of your account.
  4. Links or QR codes may direct you to a fake version of a real site to steal your username and password or install malware. Always verify links in emails, texts, or external websites.

    On a computer, hover over a link (without clicking it) to view the URL text at the bottom left corner of your browser.

    Link preview example.

  5. Spelling errors in the body text, in combination with other warning signs, could indicate a phishing attempt.
  6. Don't open attachments from unknown senders or files you weren't expecting, as they can contain malware.

Critical Billing Issue: Update Your Information Now

Lightspeed Billing Support  <support@lightpseedhq.com>

Lightspeed logo.

Critical Billing Issue:
Update Your Information Now

Dear Lightspeed Customer,

Your most recent payment was declined, and your subscription is now at risk. Failure to act promptly will result in service interruption without further notice.

To prevent your store from going offline, update your payment method . immediately.

Common causes of declined payments:

  • Insufficient funds
  • Bank or Pay pals issue
  • Incorrect card details

If you need assistance, reply to this email.

Lightspeed Support.

One attachment

📄 info.exe Download

You can contact Retail Support to confirm whether a Lightspeed email communication is legitimate. Always go to the official website or app to log in.

Phishing emails may or may not include any number of warning signs, and tactics are getting more sophisticated every day. It's most important to stay vigilant and act cautiously when managing your business online. Learn more about keeping your Retail POS account secure.
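As an added illustration, not code from Lightspeed or from this article, the script below turns the warning signs listed above into mechanical checks a mail filter or a careful administrator could run over a raw message: a sender domain that is a one- or two-character lookalike of a trusted domain, a brand name in the display name paired with an untrusted address, freemail senders, a generic greeting, urgency wording, links whose host is not trusted, and executable attachments. The trusted domain `lightspeedhq.com` and the brand string `lightspeed` are assumptions made for the comparison only; confirm a vendor's real domains through its official channels. The raw message is constructed for the example and mirrors the sample phishing email (sender, greeting, urgency language, `info.exe` attachment) plus a constructed link; the second, clean message is also constructed.

```python
"""Heuristic triage of a raw email against common phishing warning signs.

Added example, not Lightspeed's code. Spelling errors in the body are left to a
human reader; everything else on the checklist is scored mechanically.
"""
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

# ASSUMPTIONS for illustration only: the brand name and the domain treated as
# legitimate. Confirm a vendor's real domains through its official channels.
BRAND = "lightspeed"
TRUSTED_DOMAINS = {"lightspeedhq.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".iso")
URGENCY_WORDS = ("immediately", "critical", "urgent", "at risk", "without further notice",
                 "interruption", "suspended", "within 24 hours", "act now")
GENERIC_GREETING = re.compile(r"^\s*dear\s+(valued\s+)?(\w+\s+)?(customer|user|member|client)\b",
                              re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r"https?://([^\s/:]+)", re.IGNORECASE)

# Constructed sample modelled on the phishing email shown above (not a real message).
SAMPLE_PHISH = """\
From: Lightspeed Billing Support <support@lightpseedhq.com>
To: owner@shop.example
Subject: Critical Billing Issue: Update Your Information Now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Lightspeed Customer,

Your most recent payment was declined, and your subscription is now at risk.
Failure to act promptly will result in service interruption without further notice.
To prevent your store from going offline, update your payment method immediately:
https://lightpseedhq.com/billing/update

--b1
Content-Type: application/octet-stream; name="info.exe"
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--b1--
"""

# Constructed message from the assumed trusted domain, for contrast.
CLEAN_EMAIL = """\
From: Lightspeed Billing <billing@lightspeedhq.com>
To: owner@shop.example
Subject: Your monthly statement
Content-Type: text/plain; charset="utf-8"

Hi Dana,

Your regular monthly statement is available in your account. No action is needed.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(domain: str, context: str) -> list[str]:
    """Flag a host that is not trusted: freemail, a near-miss of a trusted domain, or unknown."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return []
    if domain in FREEMAIL_DOMAINS:
        return [f"{context}: freemail domain {domain}"]
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return [f"{context}: {domain} is a lookalike of {trusted}"]
    return [f"{context}: untrusted domain {domain}"]


def triage(raw_message: str) -> list[str]:
    """Return the warning signs found in a raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_message, policy=default_policy)
    findings: list[str] = []

    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2]
    findings += domain_findings(sender_domain, "sender")
    if BRAND in display_name.lower() and sender_domain.lower() not in TRUSTED_DOMAINS:
        findings.append(f"sender: display name claims {BRAND!r} but address is {address}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    if GENERIC_GREETING.search(body):
        findings.append("body: generic greeting")
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(f"body: urgency language ({', '.join(hits)})")
    for host in URL_RE.findall(body):
        findings += domain_findings(host, "link")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"attachment: executable file {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample phish", SAMPLE_PHISH), ("clean message", CLEAN_EMAIL)):
        print(f"{label}: {len(triage(raw))} warning sign(s)")
        for finding in triage(raw):
            print("  -", finding)
```

The edit-distance threshold of 2 is deliberately loose so that transposed letters such as `lightpseedhq.com` are caught; with a short trusted domain it will also flag unrelated short domains, which is acceptable for a triage aid that hands the message to a person rather than blocking it outright. A zero-finding result is not proof of legitimacy, only the absence of these particular signals.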

Identifying fraudulent phone calls

Common warning signs of social engineering over the phone include:

  • Fear and urgency-based pressure tactics, which may be presented as helpful or advantageous.
  • Unexpected financial requests and/or “verification” of sensitive information. Never share passwords or security codes with anyone.
  • Bypassing procedures or requesting confidentiality.

Scammers can use technology to alter the number they appear to be calling from, so a legitimate business number shows up on your caller ID. They may even ask you to visit the official source to “verify” the number. Do not redial or call back any provided numbers.

Unless you're expecting a scheduled callback from Lightspeed:

  1. Hang up.
  2. Manually enter Lightspeed's official phone number on your phone to contact Retail Support.

Scammer

Hello, am I speaking to [name]?

Business owner

Yes, this is [name]. How may I help you?

Scammer

I'm calling from Lightspeed about a very important matter regarding your subscription. A billing error has led to your account being overcharged by $2000. I have opened up a Support ticket for you, but because of the upcoming bank holiday, I cannot process the refund unless we can confirm your banking information by the end of the day. Could you please confirm your bank branch and business account number?

Business owner

*hangs up and gets in touch with Retail Support*

Following security best practices

Cybersecurity is a continuous process, not a one-time event. To help protect your business from scammers, it's important to build a multi-layered strategy.

Be prepared

  • Stay informed and vigilant: Consider which threats and vulnerabilities may affect your business and follow security best practices to help prevent security incidents. Critically analyze all communication, especially if you're asked to perform an action like clicking a link or sharing a code to move funds or change your settlement account to an unfamiliar account.
  • Train your staff: Cybersecurity is everyone's responsibility. Provide regular training to ensure everyone with access to Retail POS knows and follows cybersecurity best practices.
  • Plan for realistic business risks: Regularly evaluate realistic risks, like phishing, callers impersonating Lightspeed or physical device theft, and identify ways to counter them. Have a plan to deal with security breaches. Run through scenarios and role-specific procedures with your staff.

Secure your setup

  • Follow networking best practices: Secure your network and physical setup to prevent misuse or theft.
  • Keep device software updated: Ensure important security patches are installed.
  • Use strong and unique passwords, implement MFA, and manage and monitor access.

    Using unique passwords and implementing MFA for all of your accounts, including email accounts, Retail POS, and financial institutions, ensures that if one account is compromised, other accounts remain secure.

Manage your online presence

  • Click with caution: Only click links, scan QR codes, or download files, apps, plugins, and software updates from trusted sources. Untrustworthy sources may contain hidden malware.
  • Review settings: Regularly review your privacy settings on social media and other channels.
  • Manage what's shared: Be mindful of what you and your employees share online, especially about your organization and customers. This includes information shared with AI tools.

Protect customer data

As a business owner, you have a responsibility to protect any sensitive customer data you handle, like credit card and cardholder details. While it's recommended to consult with legal counsel for advice about requirements governing your specific circumstance, all businesses should:

  • Maintain PCI compliance: Adhere to industry standards designed to protect cardholder data. By maintaining PCI compliance, you reduce the risk of experiencing a data breach or fraud involving your customers' personal information.
  • Obey data privacy laws: Privacy laws, like the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in the state of California, protect consumer privacy by controlling how businesses handle customer data. Research and follow all relevant laws in your area to ensure your business operating policies are in legal compliance. This includes information shared with AI tools.
  • Train your employees: Implement a formal security awareness program to make all employees aware of the importance of data security, including consent for data collection and applicable laws.

Connecting with Lightspeed

To connect with Lightspeed, visit our official channels:

What's next?

  • Keeping your Retail POS account secure: Identify fraudulent communications and manage suspected unauthorized account access.
  • Multi-factor authentication (MFA) in Retail POS: Add an extra layer of security to your user accounts with MFA.