Scammers are increasingly exploiting Shopify’s ecosystem and its Shop order-tracking app to deliver fraudulent invoices directly into users’ purchase histories, marking a shift from traditional email-based phishing to in-app social engineering attacks.
Security researchers Luis Corrons and Jakub Vavra from Gen have identified multiple campaigns in which fake receipts appear in the Shop app, impersonating trusted brands like Norton, McAfee, Apple, and PayPal.
By placing malicious content within a legitimate shopping interface, attackers are leveraging user trust in platforms typically used for tracking real purchases and deliveries.
Scammers Abuse Shopify to Send Fake Invoices
The technique leverages how the Shop app aggregates order data from various sources, including Gmail, Outlook, and Shop Pay transactions. The app automatically scans connected email accounts for keywords related to shipping and order confirmations, then populates the Orders tab with relevant entries.
Threat actors appear to exploit this functionality or related merchant workflows to insert fake orders under generic seller names, such as “My Store.” These fraudulent entries often feature high-value items, such as antivirus subscriptions, smartphones, and gift cards, to create a sense of urgency and panic.
Within the fake receipts, attackers embed fraudulent support phone numbers in unusual fields such as product descriptions, shipping addresses, or order notes.
This is a key indicator of compromise, as legitimate receipts do not include support contacts in these locations. The goal is to convince victims that they have been charged for an unauthorized purchase and must immediately call the listed number to resolve the issue.
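The indicator described above can be turned into a simple triage check. The following is an added example, not code from the article, Gen, or Shopify: it scores order records for phone numbers in the fields the article names, plus the generic seller name and brand mismatch it reports. The record layout, field names, weights, and threshold are assumptions, and the sample orders are constructed.

```python
import re

# Fields the article names as unusual places for a support number.
SUSPECT_FIELDS = ("product_description", "shipping_address", "order_notes")
# Brands and generic seller name reported in the campaigns.
BRANDS = ("norton", "mcafee", "apple", "paypal")
GENERIC_SELLERS = {"my store"}

# North-American style number: optional country code, 3-3-4 digits,
# common separators. Digit lookarounds keep ZIP+4 codes from matching.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.\-]?)?(?:\(\d{3}\)|\d{3})[\s.\-]?\d{3}[\s.\-]?\d{4}(?!\d)"
)

def triage_order(order):
    """Return (score, reasons) for one order record (dict of strings)."""
    score, reasons = 0, []
    for field in SUSPECT_FIELDS:
        match = PHONE_RE.search(order.get(field, ""))
        if match:
            score += 3  # assumed weight: the article's key indicator
            reasons.append(f"phone number in {field}: {match.group().strip()}")
    seller = order.get("seller", "").strip().lower()
    if seller in GENERIC_SELLERS:
        score += 1
        reasons.append("generic seller name")
    item = order.get("item", "").lower()
    if any(b in item and b not in seller for b in BRANDS):
        score += 1  # weak signal: legitimate resellers also exist
        reasons.append("brand in item does not match seller")
    return score, reasons

def is_suspicious(order, threshold=3):
    # Assumed threshold: a phone number in a suspect field is enough alone.
    return triage_order(order)[0] >= threshold

# Constructed sample records (not real orders; 555-01xx numbers are fictional).
FAKE = {"seller": "My Store", "item": "Norton 360 Annual Subscription",
        "product_description": "Charged $499.99. Not you? Call support +1 (808) 555-0134",
        "shipping_address": "Billing Dept", "order_notes": ""}
LEGIT = {"seller": "Example Outdoor Gear", "item": "Trail Backpack 30L",
         "product_description": "Water-resistant 30 litre pack",
         "shipping_address": "1234 Main St, Springfield, IL 62704-1234",
         "order_notes": "Leave at front door"}

if __name__ == "__main__":
    for name, order in (("fake", FAKE), ("legit", LEGIT)):
        print(name, is_suspicious(order), triage_order(order))
```

A flagged record is a prompt to verify the charge through the bank or the vendor's official account, not proof of fraud on its own.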
Once the victim makes the call, the attack shifts to a voice phishing (vishing) scenario. The scammer impersonates customer support or billing personnel and tries to extract sensitive information, including login credentials, payment card details, and one-time passcodes.
In some cases, victims may also be instructed to install remote access software, allowing attackers to control their devices. Although many fake receipts contain grammatical errors and poorly constructed sentences, their presence in a trusted app environment significantly reduces user suspicion.
Importantly, there is no confirmed evidence of a breach affecting Shopify, the Shop app, or the impersonated brands. Instead, this activity appears to be an abuse of legitimate platform features rather than a direct compromise.
The exact method used to inject these fake orders remains unclear. However, potential vectors include email parsing manipulation, misuse of merchant onboarding processes, or exploitation of loosely validated input fields. This uncertainty complicates detection efforts, as the malicious content originates from within a trusted ecosystem.
This campaign highlights a broader evolution in phishing tactics, where attackers increasingly rely on contextual trust rather than technical exploits.
Similar approaches have been observed in calendar invite scams and collaboration platform abuse, where the delivery channel lends credibility to the malicious message. In this case, the Shop app’s role as a centralized hub for purchase tracking makes it an attractive target for social engineering campaigns.
Users are advised to avoid calling any phone numbers listed in unexpected receipts and instead verify transactions directly through official banking apps or service provider accounts.
If no corresponding charge is found, the notification should be treated as fraudulent. Suspicious orders or stores should be reported through the Shop app, and phishing messages can be forwarded to Shopify’s abuse channels. Security vendors like Norton have also issued warnings, urging users to validate any billing concerns through official support channels only.
The emergence of in-app invoice scams underscores a growing challenge for cybersecurity defenses, as attackers continue to embed malicious content within trusted digital environments, making detection more difficult and increasing the likelihood of successful compromise.

