Shop order-tracking app abused in callback phishing campaign

Threat actors are exploiting Shop — Shopify’s popular order-tracking app — by injecting fake purchase receipts into users’ order histories. The goal is to trick people into calling phone numbers listed on the receipts and handing over sensitive information.

The fake receipts impersonate well-known brands like Norton, McAfee, Apple, and PayPal. When victims call the listed number, scammers posing as support agents try to extract account credentials, payment card details, and one-time authentication codes. In some cases, victims are persuaded to install remote access software.

Gen Digital researchers say the scheme is more effective than traditional email phishing because Shop is a trusted app with 50 million downloads on Google Play and 7 million ratings on the App Store. Users inherently trust notifications that appear there.

How the fake orders get into the app remains unclear. Shop populates orders from multiple sources — email parsing, account association, and order workflows — but researchers haven’t pinpointed which channel the attackers are exploiting.

There’s no evidence that Shop, Shopify, or any of the impersonated companies have been compromised. Many of the fake receipts contain poor grammar, which can serve as a red flag.

If you see a receipt in Shop for something you didn’t buy, don’t call the number on it. Verify any charge directly with your bank instead.
