Cybercriminals have devised a phishing campaign that that takes aim at customers of the online payment processing company Stripe, with the intention to steal their credentials, compromise their accounts and presumably view their payment card data.

The attackers employ two clever tricks to hide their malicious activity. First, they use a technique to block email recipients from viewing the destination of a malicious embedded link when they hover over it with their cursor. Then, after stealing victims’ login credentials, they use a fake log-in error message as a sneaky way to transition them back back to the legitimate Stripe website.

Researchers from Cofense’s Phishing Defense Center recently uncovered the phishing plot and exposed it in an Oct. 17 blog post written by threat analyst Milo Salvia.

The phishing emails appear to be an alert from Stripe Support, warning recipients that certain details associated with their account are invalid. Recipients are urged to quickly resolve their issues to avoid having their accounts frozen.

“This is cause for panic among businesses that rely solely on online transactions and payments. Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions,” Salvia states in the blog post.

The emails also contain a “Review your details” button, which, if clicked, sends users to a phishing site that impersonates Stripe. Unfortunately, cautious recipients who hover the cursor over the button before clicking will not see the hyperlink’s malicious destination.

“The true destination of this hyperlink is obscured by adding a simple title to HTML’s <a> tag, which shows the recipient the title ‘Review your details’ when the recipient hovers over the button instead of the URL. Potentially this is a tactic to mask the true destination…” Salvia writes.

The phishing site is comprised of three separate pages. The first seeks victims’ admin email address and password, while the second asks for a bank account number and linked phone number. The third page looks like original login page, but the message “Wrong Password, Enter Again.” When victims re-enter their credentials, thinking something went wrong, they are actually routed to the real Stripe website, to reduce the likelihood that they become suspicious.