No, they just got an email from someone that happened to have my address in the `From` field.
Since we're in the realm of phishing already, let's not forget that people still commonly enter their email address and email password into sites claiming to "Find your friends who are using this service".
The problem with social attacks is that they spread socially, and it's not enough for just "some", or even "most" people to be educated for it to be stopped.
I don't think Square are ignorant about this, but I'd like to see some confirmation that some measures are in place to counter threats like these.
What also doesn't help is that sites like Facebook leak personal information like sieves. I've been receiving the spam e-mails claiming to be from various of my Facebook friends for some time.
In the happy case, yes. But, that doesn't consider how phishing works.
So, Square trains people that these e-mails are OK. In the happy case, you get the email from a friend, followed by a link/invitation from Square. Everything is fine.
After doing this several times, one day you just get the email that appears to be from Square, informing you that you have money. This is a phishing email and there is no email from a friend, which should raise a red flag, but for many it won't. Or they may just think Square changed the process. Putting the onus on the user to discern this is not a good plan.
Training users to click a link from an email that resulted from a process they didn't initiate, then enter personal/financial information or credentials is not a good idea.