Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: shopify (1 article)Clear

Scammers abuse Shopify's Shop app to plant fake receipts for callback phishing

Attackers are abusing Shop, the order-tracking app from Shopify, by getting fake purchase receipts to appear in users' order histories, then using them to lure victims into callback phishing. Because the bogus orders show up inside a legitimate, trusted app rather than in an easily spotted scam email, they look convincing. The fake receipts typically reference an unexpected charge and a phone number to call to dispute it; when the victim calls, the scammers pose as support staff and walk them into handing over sensitive information or account access. It is a twist on callback phishing that borrows credibility from a real shopping platform.

Check
Warn users that unexpected orders or receipts appearing in the Shop app may be fake, and that any phone number prompting them to call about a charge should be treated as suspicious.
Affected
Shop app users who see unfamiliar purchase receipts in their order history; the goal is to provoke a panicked phone call where scammers extract payment details, credentials, or remote access.
Fix
Verify charges only through official banking and merchant channels, never the phone number in an unexpected receipt, and report suspicious entries. Organizations should add callback phishing to security-awareness training.