What happened
Threat actors are abusing Shop, Shopify’s order-tracking app, by inserting fake purchase receipts into users’ order histories.
Shop is a digital shopping assistant that lets users track orders from multiple online retailers, view receipts and shipping updates, and discover or purchase products from Shopify merchants.
The scam involves fake orders that appear alongside legitimate purchases in the Shop app. The fraudulent receipts impersonate well-known brands such as Norton, McAfee, Apple, and PayPal.
The fake receipts include a phone number that users are told to call if they want to dispute the purchase. When victims call the number, they reach a scammer posing as a support agent.
The scammer then uses social engineering to pressure victims into disclosing sensitive information, including account credentials, payment card details, and one-time passcodes.
In some cases, victims are also tricked into installing software that gives the attacker remote access to the device.
Researchers said this method can be more effective than email-based fake purchase notifications because the fake receipts appear inside a legitimate order-tracking app that users already trust.
It remains unclear how the false receipts are being inserted into Shop. Researchers noted that Shop can populate orders from multiple sources, including email parsing, account association, and order workflows, but no specific delivery channel has been confirmed.
Researchers found no evidence that Shop, Shopify, or the impersonated companies were compromised. Shopify said it identified bad actors misusing its platform to generate fake order notifications and rolled out new controls to significantly reduce the activity and improve detection.
Who is affected
Shop users who see fake purchase receipts in their order history are directly affected.
The scam is especially relevant to users who may panic after seeing a large unexpected purchase from a trusted brand and call the phone number listed in the receipt.
Organizations may also be affected if employees use personal or work devices to contact the scammers, disclose credentials, share one-time passcodes, or install remote access tools.
The impersonated brands are also indirectly affected because their names are being used to make fake purchase receipts appear more credible.
Why CISOs should care
This campaign shows how callback phishing is moving beyond email inboxes and into trusted consumer apps. Users may be more likely to respond when a suspicious invoice appears inside an app they already use for legitimate order tracking.
For CISOs, the key issue is trust transference. The victim may trust the platform, so they may also trust the fraudulent receipt inside it, even though the receipt was generated by bad actors misusing the platform.
The remote access software angle is especially concerning. If an employee follows the scammer’s instructions on a work device, a consumer-facing fraud attempt can become an enterprise endpoint compromise.
The campaign also reinforces that one-time passcodes are not phishing-proof. Attackers can ask victims to read SMS or authenticator codes aloud during the call and use them immediately, completing an account takeover in real time even when MFA is enabled. Only phishing-resistant factors such as FIDO2 security keys or passkeys, which cannot be relayed over a phone call, close this gap.
3 practical actions
- Warn users not to call numbers listed in unexpected receipts: Shopify recommends avoiding phone numbers in suspicious notifications and reporting the store directly in the Shop app. Users should verify any alleged charge through their bank or card issuer instead, using the number printed on their card or the issuer's official app, never a number taken from the receipt itself.
- Train employees on callback phishing beyond email: The fake receipts appear inside a legitimate app, not just in an email. Security awareness programs should include app-based invoices, fake support numbers, and scam calls that request credentials, payment details, or one-time passcodes.
- Block and monitor unauthorized remote access tools: Some victims are tricked into installing software that gives attackers remote access. CISOs should restrict unapproved remote access tools, monitor new installations, and investigate support-call scenarios that lead to remote control software on employee devices.
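The third action above, monitoring new installations of unapproved remote access tools, can be scripted against endpoint software-install telemetry. The block below is an added example written for this page; it is not code from Shopify, Shop, or the researchers cited. The log line format, the hypothetical corporate allowlist (`APPROVED`), the watchlist of remote access products, and the sample log lines are all constructed assumptions for illustration; adapt the regex and lists to whatever your EDR or inventory agent actually emits.

```python
"""Flag installs of remote access tools that are not on the corporate allowlist.

Added example for this article, not from Shopify, Shop, or the cited researchers.
The log format, tool watchlist, allowlist, and sample lines are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed endpoint telemetry format (constructed for this example), one event per line:
#   <iso-ts> host=<name> user=<name> event=<type> name="<product>" [publisher="..."] [path="..."]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) '
    r'name="(?P<name>[^"]*)"(?: publisher="(?P<publisher>[^"]*)")?(?: path="(?P<path>[^"]*)")?'
)

# Illustrative watchlist of remote access / remote support products that callback
# scammers commonly ask victims to install. Ordered tuple so matching is deterministic.
REMOTE_ACCESS_TOOLS = (
    "anydesk", "teamviewer", "screenconnect", "connectwise control", "splashtop",
    "rustdesk", "ultraviewer", "logmein", "zoho assist", "atera", "supremo", "quick assist",
)

# Hypothetical corporate allowlist: the one product the internal help desk is approved to use.
APPROVED = {"connectwise control"}

# Constructed sample telemetry: two unapproved installs, one approved install,
# one unrelated install, and one non-install event that must be ignored.
SAMPLE_LOG = [
    r'2024-05-01T13:02:11Z host=LT-1042 user=jdoe event=software_install name="AnyDesk" publisher="philandro Software GmbH" path="C:\Users\jdoe\Downloads\AnyDesk.exe"',
    r'2024-05-01T13:05:40Z host=LT-0217 user=asmith event=software_install name="ConnectWise Control Client" publisher="ConnectWise" path="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"',
    r'2024-05-01T13:09:03Z host=LT-0330 user=bwong event=software_install name="Notepad++" publisher="Notepad++ Team" path="C:\Program Files\Notepad++\notepad++.exe"',
    r'2024-05-01T13:11:27Z host=LT-0330 user=bwong event=process_start name="TeamViewer" path="C:\Program Files\TeamViewer\TeamViewer.exe"',
    r'2024-05-01T13:14:58Z host=LT-0551 user=cruiz event=software_install name="TeamViewer Host" publisher="TeamViewer Germany GmbH" path="C:\Program Files\TeamViewer\TeamViewer.exe"',
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    reason: str


def parse(line):
    """Return the event fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(product_name):
    """Return the watchlist entry the product name matches, or None if it is not a remote access tool."""
    lowered = product_name.lower()
    for tool in REMOTE_ACCESS_TOOLS:
        if tool in lowered:
            return tool
    return None


def find_unapproved_installs(lines):
    """Return a Finding for every software_install of a remote access tool not in APPROVED.

    Installs launched from a user's Downloads folder get an extra note, since a
    victim following phone instructions typically runs the installer from there.
    """
    findings = []
    for line in lines:
        ev = parse(line)
        if not ev or ev["event"] != "software_install":
            continue
        tool = classify(ev["name"])
        if tool is None or tool in APPROVED:
            continue
        reason = "unapproved remote access tool"
        path = (ev.get("path") or "").lower()
        if "\\downloads\\" in path or "/downloads/" in path:
            reason += "; installed from user Downloads folder"
        findings.append(Finding(ev["ts"], ev["host"], ev["user"], tool, reason))
    return findings


if __name__ == "__main__":
    for f in find_unapproved_installs(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user}: {f.tool} ({f.reason})")
```

Run against the constructed sample, the script reports the AnyDesk install from a Downloads folder and the TeamViewer Host install, while the approved ConnectWise Control install, the unrelated editor, and the TeamViewer process-start event (not an install) are left alone. In practice, correlate each finding with the help-desk ticket queue: an approved tool installed by the internal help desk is expected, but any of these tools appearing on a device with no corresponding ticket, shortly after the user reports a "support" phone call, is the scenario the article describes and warrants an immediate investigation.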
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.