Cybersecurity researchers have uncovered a new phishing campaign in which scammers abuse Shopify and its Shop order-tracking app to deliver fake invoices directly to users. Instead of relying on traditional phishing emails, attackers are placing fraudulent purchase notifications inside a trusted shopping application, making the scam appear more convincing.
The fake invoices often impersonate well-known brands such as Norton, McAfee, Apple, and PayPal, creating a false sense of urgency by claiming that expensive products or subscriptions have been purchased.
How the Scam Works
The Shop app automatically collects order information from connected email accounts and Shop Pay transactions, allowing users to view all their purchases in one place. Attackers appear to be exploiting this functionality or related merchant processes to insert fake orders into users’ purchase history.

These fraudulent orders typically display costly items, including antivirus subscriptions, smartphones, or gift cards. The invoices also include fake customer support phone numbers hidden within product descriptions, shipping details, or order notes.
When victims call the number, they are connected to scammers posing as customer support representatives. The attackers then attempt to steal sensitive information such as login credentials, payment card details, and one-time passwords, or to convince victims to install remote access software.
Researchers emphasized that there is currently no evidence that Shopify or the Shop app has been breached. Instead, the campaign appears to abuse legitimate platform features to distribute fraudulent content.
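The two indicators described above (a phone number buried in a free-text order field, and a well-known brand named in an order from an unrelated merchant) can be checked mechanically when reviewing order records. The following Python is an added example, not code from the researchers or from Shopify; the record layout and field names (merchant, product_description, shipping_details, order_notes) are hypothetical and the sample orders are constructed.

```python
import re

# Brands the article says the fake invoices impersonate.
IMPERSONATED_BRANDS = ("norton", "mcafee", "apple", "paypal")
# Free-text fields where the article says fake support numbers are hidden.
# Field names are hypothetical; adapt them to your own order export.
FREE_TEXT_FIELDS = ("product_description", "shipping_details", "order_notes")

# Phone-like run: optional +, digits separated by spaces, dots, dashes or parentheses.
PHONE_RE = re.compile(r"\+?\d[\d\s().\-]{7,}\d")


def find_phone_numbers(text):
    """Return digit-only phone candidates (10 to 15 digits) found in text."""
    hits = []
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 10 <= len(digits) <= 15:
            hits.append(digits)
    return hits


def score_order(order):
    """Return a list of reasons this order record looks like the invoice scam."""
    reasons = []
    merchant = order.get("merchant", "").lower()
    for field in FREE_TEXT_FIELDS:
        text = order.get(field, "")
        for number in find_phone_numbers(text):
            reasons.append(f"phone number {number} in {field}")
        for brand in IMPERSONATED_BRANDS:
            if re.search(rf"\b{brand}\b", text.lower()) and brand not in merchant:
                reasons.append(f"brand '{brand}' in {field} but merchant is '{order.get('merchant', '')}'")
    return reasons


# Constructed sample records (not real orders); 555-01xx numbers are fictional.
SAMPLE_ORDERS = [
    {"id": "A1", "merchant": "Example Outdoor Co", "product_description": "Trail backpack 40L",
     "shipping_details": "Standard shipping", "order_notes": ""},
    {"id": "B2", "merchant": "QuickDeals Store",
     "product_description": "Norton 360 Premium 3-year plan. To cancel call +1 (202) 555-0143",
     "shipping_details": "Digital delivery", "order_notes": "Support: 202.555.0143"},
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(order["id"], score_order(order) or "no indicators")
```

This is a triage heuristic: a legitimate merchant may print its own support line in an order note, so a hit is a reason to verify the purchase through the bank or the official provider, not proof of fraud.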
How to Stay Safe
Users should always verify unexpected purchase notifications before taking any action. If an invoice appears suspicious, check your bank account or the official service provider directly instead of calling phone numbers listed in the receipt.
To reduce the risk of becoming a victim:
- Verify purchases through official websites or banking apps.
- Never call support numbers included in unexpected invoices.
- Report suspicious orders through the Shop app or Shopify’s abuse channels.
- Avoid installing software at the request of unknown callers.
This campaign demonstrates how cybercriminals are increasingly exploiting trusted platforms instead of relying solely on phishing emails. As users become more cautious of email scams, attackers are shifting their focus to legitimate applications where fraudulent content is less likely to raise suspicion.