
Scammers are placing fake purchase receipts inside Shopify's Shop app, exploiting users' trust in order-tracking applications to lure them into calling fraudulent customer support numbers.
The campaign moves the long-running fake invoice scam beyond email, placing fraudulent receipts directly inside an app where users expect to see legitimate purchases and shipping updates.
The activity was discovered by Gen Security researchers who analyzed reports from Norton customers who found fake Norton subscription invoices in the Shop app. Public reports suggest the same tactic is also being used to impersonate Apple, McAfee, PayPal, and other well-known brands.

Shop is Shopify's shopping and order-tracking application, allowing users to view receipts, monitor shipments, and receive delivery notifications. Because the app aggregates legitimate purchase information from multiple sources, fraudulent orders that appear alongside genuine purchases can seem more convincing than traditional phishing emails.
The fake receipts typically use generic merchant names such as “My Store” and claim the victim purchased or renewed an expensive product, including Norton subscriptions, iPhones, MacBooks, or Apple gift cards. The order details include a phone number and instruct users to call if they did not authorize the purchase.
When a victim calls, the attackers impersonate billing or technical support staff and attempt to steal payment information, account credentials, or one-time passcodes, or to convince the victim to install remote access software.
Although many fake receipts contain obvious grammatical mistakes, Gen says users are more likely to trust them because they appear in a legitimate shopping app rather than in an email inbox.
Gen emphasizes there is no evidence that Shopify, Shop, Norton, Apple, PayPal, or any other impersonated company has been compromised. The researchers also say it remains unclear how the fake orders are entering the app, noting that Shop imports purchase information through multiple legitimate mechanisms, making it too early to identify the exact path of abuse.
Users who receive one of these fake receipts should avoid calling the listed phone number and instead verify any charge directly through their bank, credit card provider, or the official website or app of the company being impersonated. Suspicious stores and messages should also be reported through Shop or Shopify's phishing reporting channels.
Anyone who has already called the scammers should immediately contact their bank if payment information was disclosed, change any exposed passwords, and remove any remote access software installed during the interaction.
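The receipt traits described above (a generic merchant name, a well-known brand's product sold by an unrelated store, a phone number in the order details, and an instruction to call about an unauthorized purchase) can be turned into a simple triage check. The following Python sketch is an added example, not code from Gen, Shopify, or the Shop app. The receipt fields `merchant`, `item`, and `notes` are hypothetical, since the article does not describe Shop's data format, and the sample receipts are constructed.

```python
import re

# Brands the article names as impersonated, with the product terms it mentions.
BRAND_TERMS = {
    "norton": ("norton",),
    "apple": ("apple", "iphone", "macbook"),
    "mcafee": ("mcafee",),
    "paypal": ("paypal",),
}
GENERIC_MERCHANTS = {"my store"}  # the generic merchant name cited in the article
# Phone-like number that is not part of a longer token such as a tracking ID.
PHONE_RE = re.compile(
    r"(?<!\w)(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)
DISPUTE_RE = re.compile(r"did not|didn't|unauthori[sz]ed|not authori[sz]e", re.I)

def triage_receipt(receipt):
    """Return (score, reasons) for a receipt dict (hypothetical field names)."""
    merchant = receipt.get("merchant", "").strip().lower()
    text = " ".join([receipt.get("item", ""), receipt.get("notes", "")])
    low = text.lower()
    reasons = []
    if merchant in GENERIC_MERCHANTS:
        reasons.append("generic merchant name")
    # Brand whose product is claimed, but the merchant name is unrelated to it.
    claimed = [b for b, terms in BRAND_TERMS.items() if any(t in low for t in terms)]
    if claimed and not any(b in merchant for b in claimed):
        reasons.append("brand product from unrelated merchant")
    if PHONE_RE.search(text):
        reasons.append("phone number in order details")
    if CALL_RE.search(text) and DISPUTE_RE.search(text):
        reasons.append("asks user to call about unauthorized purchase")
    return len(reasons), reasons

# Constructed sample receipts (555-01xx is a reserved fictional number range).
FAKE = {"merchant": "My Store", "item": "Norton 360 Annual Renewal - $349.99",
        "notes": "If you did not authorize this charge, call +1 (800) 555-0100."}
GENUINE = {"merchant": "Trailhead Outfitters", "item": "Wool hiking socks",
           "notes": "Order #10423 shipped, arrives Thursday."}
BRAND_STORE = {"merchant": "Apple Store Online", "item": "MacBook Air 13-inch",
               "notes": "Order #20771 confirmed."}

if __name__ == "__main__":
    for name, r in (("fake", FAKE), ("genuine", GENUINE), ("brand", BRAND_STORE)):
        print(name, triage_receipt(r))
```

A high score is a reason to verify the charge through the bank or the brand's official site, as advised above, not proof of fraud; a receipt can evade these checks simply by using a different merchant name or wording.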






