Scammers are abusing Shopify's Shop order tracking app by planting fake receipts for Norton, Apple, and McAfee products that trick users into calling fraudulent support numbers, where they are pressured to share sensi... Shopify told BleepingComputer it has deployed new controls that have significantly reduced the f...

Threat actors are actively exploiting Shopify's Shop order-tracking app by inserting fake purchase receipts into users' order histories to push a callback phishing campaign. When users call the fraudulent support number listed on the receipt, scammers posing as customer service agents attempt to steal sensitive information or trick victims into installing remote access software. The campaign impersonates well-known brands including Norton, McAfee, Apple, and PayPal, with reports of fake receipts for iPhone purchases and Apple gift cards alongside phony security subscriptions. Crucially, cybersecurity researchers at Gen Digital and Shopify have found no evidence that the Shop app or Shopify's platform itself was breached: the scammers appear to be abusing a legitimate feature of the order-tracking system.
The core of the deception lies in the trust users place in the Shop app, which aggregates order tracking and receipts from multiple retailers into a single interface. Scammers create counterfeit orders and inject them into a user's order history, making them appear alongside legitimate purchases. Because the Shop app auto-populates orders from connected email accounts (Gmail, Outlook, and others), the fake receipt gains credibility by appearing in a familiar, trusted context.
Reported fake receipts impersonate brands such as Norton, McAfee, Apple (iPhones and Apple gift cards), and include PayPal-style payment claims. The choice of brand is deliberate social engineering: a fake receipt for a $300+ security subscription or an expensive Apple product creates urgency and panic, prompting the user to call the listed number to dispute the charge.
The key element is a phone number embedded in the order details, shipping address field, or product description, often with a message directing the user to call "support" if the charge was unauthorized. When the victim calls, the scammer answers as a support agent and attempts to:
In most reported cases, no actual charge ever appears on the user's financial accounts: the entire threat is the call.
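The receipt pattern described above, as an added detection example (not Shopify's or Gen Digital's code): it scores an order record when a free-text field carries a phone number, callback wording, or an impersonated brand named by an unrelated merchant. The field names, scoring weights, lure wording and sample records are assumptions made for this example.

```python
import re

BRANDS = ("norton", "mcafee", "apple", "paypal")  # brands the article lists as impersonated
# Free-text fields where the article says the number is planted (key names are assumed).
TEXT_FIELDS = ("order_details", "shipping_address", "product_description")
# Phone-like run; the digit count is checked separately to skip ZIP codes and prices.
PHONE_RE = re.compile(r"(?<![\w.])\+?\(?\d[\d\s().\-]{8,18}\d(?!\w)")
# Callback-lure wording: a heuristic list constructed for this example.
LURE_RE = re.compile(
    r"\b(call|contact|dial)\b.{0,40}\b(support|billing|help ?desk|customer service)\b",
    re.IGNORECASE | re.DOTALL)

def find_phones(text):
    """Return phone-like substrings that contain 10 to 15 digits."""
    return [m.group() for m in PHONE_RE.finditer(text)
            if 10 <= len(re.sub(r"\D", "", m.group())) <= 15]

def score_order(order):
    """Return (score, reasons) for one order record given as a dict of strings."""
    score, reasons = 0, []
    for field in TEXT_FIELDS:
        text = order.get(field) or ""
        phones = find_phones(text)
        if phones:
            score += 2
            reasons.append(f"phone number in {field}: {phones[0]}")
            if LURE_RE.search(text):
                score += 2
                reasons.append(f"callback wording in {field}")
    body = " ".join(order.get(f) or "" for f in TEXT_FIELDS).lower()
    merchant = (order.get("merchant") or "").lower()
    brand = next((b for b in BRANDS if re.search(rf"\b{b}\b", body) and b not in merchant), None)
    if brand:
        score += 1
        reasons.append(f"{brand} named by a merchant that is not {brand}")
    return score, reasons

# Constructed sample records: merchants, text and the 555 number are invented.
SAMPLES = [
    {"merchant": "Trailhead Outfitters", "product_description": "Merino socks, 2-pack",
     "shipping_address": "742 Evergreen Terrace, Springfield, OR 97477"},
    {"merchant": "QuickDeals Online", "product_description": "Norton 360 annual plan $349.99",
     "shipping_address": "Not authorized? Call support +1 (888) 555-0142"},
    {"merchant": "GadgetBarn", "product_description": "USB-C cable for Apple iPad",
     "shipping_address": "9 Harbor Rd, Portland, ME 04101"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["merchant"], *score_order(sample))
```

A brand mention alone scores 1, so ordinary accessory orders stay below a review threshold of 3, while a phone number combined with callback wording reaches 4 on its own.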
In response to the campaign, Shopify told BleepingComputer that it had identified bad actors misusing the platform and deployed new controls that "significantly reduced this activity and improved our ability to detect it going forward". The specific technical measures were not detailed, but the company also directs users to its official security guidance on identifying phishing, vishing, and smishing attempts, which includes verifying email domains from official Shopify addresses like @shopify.com and never calling suspicious numbers.
Shopify encourages users to forward suspicious emails to phishing@shopify.com. Gen Digital, whose Norton brand is impersonated in the scam, also recommends reporting suspicious Norton-related emails to spam@norton.com.
If you encounter an unexpected order or receipt in your Shop app, you should not engage with the listed contact information. Instead, follow these steps:
Do not call any phone number provided in the order. Legitimate companies do not include support numbers in digital receipts for you to call about disputed charges.
Verify charges directly with your bank or card issuer. Log into your financial accounts through their official app or website, not through links in the notification, to confirm whether any actual charge exists.
Do not click any links or download files from the suspicious order.
Disconnect email sync from the Shop app temporarily by going to Settings > Email Integration to prevent additional fake orders from auto-populating.
Report the scam. Forward the notification or email to phishing@shopify.com, and if it impersonates Norton, also send it to spam@norton.com.
If you already called the number, contact your bank immediately to freeze your accounts, run a malware scan on your device, change your Shopify password, and enable two-step authentication.
Mark the order as suspicious in the Shop app where available, which can help the platform identify and block similar fraudulent orders.
The callback phishing scam targeting Shopify's Shop app represents a notable evolution in phishing techniques: attackers are moving beyond email to place fraudulent receipts directly inside a trusted application where users manage real purchases. The campaign exploits user trust in the platform rather than any technical vulnerability in Shopify's infrastructure. The most effective defense is simple: never call a phone number embedded in a receipt, verify any alleged charge through official channels, and report suspicious activity to the affected platforms.