Last updated: July 5, 2026 at 9:01 AM UTC
Tag: fraud (4 articles)

Scammers abuse Shopify's Shop app to plant fake receipts for callback phishing

Attackers are abusing Shop, the order-tracking app from Shopify, by getting fake purchase receipts to appear in users' order histories, then using them to lure victims into callback phishing. Because the bogus orders show up inside a legitimate, trusted app rather than in an easily spotted scam email, they look convincing. The fake receipts typically reference an unexpected charge and a phone number to call to dispute it; when the victim calls, the scammers pose as support staff and walk them into handing over sensitive information or account access. It is a twist on callback phishing that borrows credibility from a real shopping platform.

Check
Warn users that unexpected orders or receipts appearing in the Shop app may be fake, and that any phone number prompting them to call about a charge should be treated as suspicious.
Affected
Shop app users who see unfamiliar purchase receipts in their order history; the goal is to provoke a panicked phone call where scammers extract payment details, credentials, or remote access.
Fix
Verify charges only through official banking and merchant channels, never the phone number in an unexpected receipt, and report suspicious entries. Organizations should add callback phishing to security-awareness training.

Attackers post fake breach notices to Maine's public disclosure portal

In an unusual misinformation campaign, fraudulent data-breach notices were submitted to Maine's official Attorney General breach portal and published before anyone verified them, forcing named companies to issue denials. One filing falsely claimed a Discord breach affecting more than 10 million people, submitted not by a company representative but by an individual using a personal Gmail address, a placeholder phone number, and impossible dates. Because the portal is public and a listing does not mean a breach is confirmed, the fakes can spread fear, damage reputations, and seed convincing phishing lures. It highlights how trusted disclosure channels can be weaponized.

Check
Monitor state breach-notification portals for filings naming your organization, and verify any breach claim about a vendor or partner through that company's official channels before acting on it.
Affected
Any organization that can be named in a fraudulent filing, and the public and journalists who treat a portal listing as confirmation; the underlying portal trust model is the weakness.
Fix
Establish monitoring and a rapid-denial process for fake filings, brief staff and customers to confirm breach notices via official sources, and press regulators to add basic submitter verification.

FIFA World Cup 2026 fraud wave hits fans before June 11 kickoff

With the FIFA World Cup kicking off June 11 across the US, Canada, and Mexico, the FBI and researchers at Group-IB and Fortinet warn that a large fraud operation is already running. Group-IB tracked more than 4,300 fake FIFA websites and a Chinese-speaking crew, GHOST STADIUM, that cloned the official site pixel-for-pixel, fake login and all, across 300-plus domains. Scams include bogus ticket, merchandise, and hospitality sites, fake streaming apps that hide banking malware, and betting sites that harvest passport scans for identity theft. With tickets scarce and 150 million requests filed, scammers are exploiting fans' urgency to steal logins, money, and personal data.

Check
Warn staff and remind yourself to verify any World Cup ticket, merchandise, or streaming offer, and check security logs for employee visits to lookalike FIFA domains.
Affected
Anyone buying World Cup tickets, merchandise, hospitality, or streaming access, plus job seekers; employees using work devices or accounts to shop for the tournament.
Fix
Buy only via fifa.com typed directly into the browser, avoid sponsored search results and emailed links, and block known fraudulent FIFA domains at your web gateway.

FBI warns of fake FIFA World Cup 2026 sites (fiffa.com, alt-TLDs) collecting payment data ahead of June 11 kickoff

The FBI has issued a public service announcement warning of hundreds of fake FIFA-themed phishing and fraud sites ahead of the 2026 World Cup running June 11 to July 19 in the US, Canada, and Mexico. Domains include fiffa[.]com and alternative TLDs (.org, .xyz, .live, .sale) plus fake employment portals like jobs-fifa[.]com and fifa-hiring[.]com. The fraudulent sites collect names, addresses, phone numbers, and banking/payment details; the data is used for fake-ticket sales, hospitality-package scams, identity theft, and fraudulent account creation. Group-IB and Bitdefender confirmed parallel malvertising via Google Search, Facebook, Telegram, and WhatsApp, with one major operation attributed to a Chinese-speaking gang.

Check
Add FIFA-themed lookalike domains (fiffa.com, fifa-*[.]com, fifa with alt-TLDs) to email and web filters. Brief staff that the only official site is fifa.com; treat any other domain as suspicious.
Affected
Anyone considering buying World Cup tickets, hospitality packages, or FIFA-related employment ahead of June 11. Chinese-speaking gangs and Russian-speaking operations target English, Spanish, and Portuguese speakers.
Fix
Source tickets only via fifa.com or authorized partner sites. Pay via credit card or escrow for chargeback protection. Report fake FIFA sites to FBI IC3. Apply Group-IB and Bitdefender IoCs.