27 June 2026

Fraudsters target Shop app users with deceptive order notifications

Cybercriminals are inserting fake purchase receipts into Shopify's Shop app, tricking users into revealing sensitive data or installing remote access software.

In an alarming trend, cybercriminals are exploiting the Shop app from Shopify to deceive users. By inserting fake purchase receipts into users’ order histories, scammers are manipulating trust in the platform to steal sensitive information and gain unauthorized access to devices.

The Shop app serves as a centralized hub for users to track orders, access receipts, and discover products from various retailers. With 50 million downloads on Google Play and 7 million ratings in Apple’s App Store, it is particularly popular in North America, where support and purchasing options are more robust.

Scammers impersonate trusted brands

According to Gen Digital, a cybersecurity company, fraudsters are inserting fake orders that appear alongside legitimate purchases. These deceptive receipts impersonate well-known brands such as Norton, McAfee, Apple, and PayPal.

The fake receipts include a phone number for users to call and dispute the alleged purchases. However, the number connects to a scammer posing as a support agent. Using social engineering tactics, the fraudster attempts to convince the victim to disclose account credentials, payment card details, and temporary authentication codes (OTPs).

Remote access software installed on victim devices

In some instances, victims are tricked into installing software that grants remote access to their devices. This allows scammers to exploit the device further, potentially leading to more severe consequences such as identity theft or financial loss.

Gen Digital researchers note that inserting fake receipts into the Shop app is a more effective method than using email for fraudulent purchase notifications, a technique known as callback phishing. The legitimacy of the Shop app makes users more likely to respond to the deceptive orders.

Red flags and user precautions

Despite the sophistication of the scam, many of the false receipts contain poor grammar, which serves as an obvious red flag. However, users may overlook these mistakes, especially when confronted with an invoice for a large purchase.

Until the situation is resolved, users who encounter receipts for orders they did not place are advised not to call the listed phone number. Instead, they should verify any alleged charges directly with their bank. Those who have already contacted the scammers and disclosed sensitive information should immediately reset their account passwords and contact their card issuer for cancellation.

The exact method by which the fake receipts are inserted into the Shop app remains unclear. The app can populate orders from multiple sources, including email parsing, account association, and order workflows. However, no specific delivery channel for the fraudulent notifications has been confirmed.

Gen Digital emphasizes that there is no evidence that Shop, Shopify, or any of the impersonated companies have been compromised. BleepingComputer reached out to Shopify for comment but did not receive a response as of publishing.

Author

Marcus Chen

Marcus Chen writes about consumer tech the way a friend who actually opened the device would describe it. Hardware-first, hype-skeptical, and fluent in benchmark numbers.