You check your phone, a notification pops up, and it’s the familiar Shop app icon. You assume it’s that package you’re waiting for—maybe the birthday gift you ordered, or just that impulse buy you’ve forgotten about. You tap it, and there it is: a receipt for a service or a product you absolutely didn't buy. It looks legitimate. Too legitimate.
This is the newest, most alarming frontier in social engineering. Threat actors are now manipulating the Shop app—the very tool users rely on to keep track of their legitimate purchases—to push classic callback phishing attacks. It’s a masterclass in exploiting trust. They aren’t breaking into Shopify itself; they’re riding its coattails, using its interface as a megaphone for their scams.
The Mechanics of a Trusted Vector
When we look at traditional phishing, the barrier to entry is high. Users have been trained, however imperfectly, to scan for suspicious links or odd email domains. But the Shop app? It’s different. Users explicitly invite it into their lives to track shipments. That inherent trust is hard-earned, and attackers know exactly how to cash it in.
The method is terrifyingly simple yet effective. Somehow, fake purchase receipts—often for services claiming to be top-tier brands like Norton, McAfee, Apple, or PayPal—are appearing inside user order histories within the app.
The technical mechanism here is still murky, but the effect is absolute. By appearing alongside legitimate tracked packages, these fake receipts gain an aura of authority that an email phishing attempt could never hope to achieve. You’re already in the app. You’re already looking for order information. This doesn't look like an intrusion; it looks like a notification.
The Callback Pivot: From Links to Conversations
This brings us to the core of the threat: callback phishing.
In a classic "link-based" phishing attack, the attacker hopes you'll click a malicious URL to download malware or visit a credential-stealing site. Callback phishing, or "VoIP phishing," bypasses that entirely: there is no link to click.
Instead of a malicious link in an email, the fake receipt in the Shop app provides a customer support number for you to "dispute the charge" or "cancel the subscription."
Here lies the genius—and the danger—of this method. Once you call that number, you've taken the action yourself. You are the one initiating the conversation. That interaction changes everything. You aren’t skeptical because you didn’t receive an unsolicited link; you’re proactive because you think you’re fixing a mistake.
The scammer on the other end isn't just a bot. They are trained, persuasive, and patient. They aren't trying to trick you into clicking a link, which requires a single moment of vulnerability. They are trying to talk you through a series of steps to, say, "verify your account" or "process a refund," which requires a sustained, deliberate engagement. It’s significantly harder for a user to recognize a scam when the scammer is guiding them through a "support" process.
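The pattern described above, a receipt that carries a phone number, urges the reader to "dispute" or "cancel," names a frequently impersonated brand, and quotes a high dollar amount, is something a platform or mail-security team can screen for. The following is an added example, not Shop app or Shopify code; the receipt fields, the scoring weights and the three sample receipts are constructed for illustration. It weights the signals so that a support number on its own does not trip the filter (legitimate merchants print those too), while the combination the article describes does.

```python
"""Heuristic screen for callback-phishing style fake receipts.

Added example; not code from the Shop app or Shopify. The Receipt fields,
scoring weights, threshold and sample data below are assumptions made for
this illustration.
"""
import re
from dataclasses import dataclass, field

# Brands the article names as commonly impersonated in these fake receipts.
IMPERSONATED_BRANDS = ("norton", "mcafee", "apple", "paypal")

# Wording that steers the reader toward phoning a number to undo a charge.
CALLBACK_PHRASES = (
    "dispute the charge", "cancel the subscription", "cancel this charge",
    "call now", "within 24 hours", "billing error", "been hacked", "unauthorized",
)

# Loose match for North American phone formats: +1 (555) 010-0199, 555-010-0142
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Charges around this size are the ones the article says trigger panic.
HIGH_VALUE_THRESHOLD = 300.00
SUSPICIOUS_SCORE = 3  # assumed cut-off; phone number alone (2) stays below it


@dataclass
class Receipt:
    merchant: str
    description: str
    amount: float
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_SCORE


def find_phone_numbers(text: str) -> list:
    """Return every phone-number-looking string in the receipt body."""
    return PHONE_RE.findall(text)


def score_receipt(r: Receipt) -> Verdict:
    """Combine independent signals into one score with human-readable reasons."""
    v = Verdict()
    text = f"{r.merchant} {r.description} {r.body}".lower()

    phones = find_phone_numbers(r.body)
    if phones:  # a number to call is the pivot point of callback phishing
        v.score += 2
        v.reasons.append(f"phone number embedded in receipt: {phones[0]}")

    hits = [p for p in CALLBACK_PHRASES if p in text]
    if hits:  # one urgency phrase is weak evidence, several is strong
        v.score += 1 if len(hits) == 1 else 2
        v.reasons.append("callback/urgency wording: " + ", ".join(hits))

    brands = [b for b in IMPERSONATED_BRANDS if b in text]
    if brands:
        v.score += 1
        v.reasons.append("frequently impersonated brand: " + ", ".join(brands))

    if r.amount >= HIGH_VALUE_THRESHOLD:
        v.score += 1
        v.reasons.append(f"high-value charge: {r.amount:.2f}")

    return v


def screen(receipts) -> list:
    """Return (merchant, Verdict) pairs for every receipt that crosses the threshold."""
    flagged = []
    for r in receipts:
        v = score_receipt(r)
        if v.suspicious:
            flagged.append((r.merchant, v))
    return flagged


# Constructed sample receipts: a normal shipment, a fake "Norton" renewal with a
# callback number, and a real merchant that simply prints its support line.
SAMPLE_RECEIPTS = [
    Receipt("Blue Ridge Candle Co.", "Soy candle 3-pack", 42.00,
            "Your order has shipped. Track your package in the app."),
    Receipt("Norton Security Services", "Norton 360 Deluxe annual renewal", 499.99,
            "This charge will post within 24 hours. To dispute the charge or cancel "
            "the subscription, call our billing desk at +1 (555) 010-0199."),
    Receipt("Trailhead Outfitters", "Hiking boots", 189.00,
            "Questions about your order? Our support line is 555-010-0142."),
]

if __name__ == "__main__":
    for merchant, verdict in screen(SAMPLE_RECEIPTS):
        print(f"{merchant}: score {verdict.score}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

Run as written, only the fabricated Norton renewal is flagged (score 6); the candle order scores 0 and the outfitter receipt with a genuine support line scores 2, below the cut-off. The weights are deliberately simple so that the reasons list can be shown to a reviewer, which matters more in this kind of filter than raw accuracy: the point is to hold a receipt for a second look before it reaches a user as a trusted notification.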
The Psychological Maneuvers Behind the Scam
Why does this work? It’s all about the manipulation of urgency and authority.
When a user sees a charge for $400 or $500 from a massive corporation, the immediate, visceral response from the average person is panic. "I didn't authorize that charge." The attacker feeds into this. The fake receipt is designed to prompt a quick phone call to "cancel" the transaction before it officially clears.
The scammer on the line is always calm, professional, and efficient—the exact antithesis of your own panicked state. They build rapport. They use, or appear to use, official company terminology. They often tell you that you've been "hacked" or that there was a "billing error" that needs immediate rectification.
They might even ask you to install remote desktop software (like TeamViewer or AnyDesk) to "remotely control your screen and fix the issue." Now they aren't just talking to you; they have a window into your device.
The Devastating Impact
The end goal, unsurprisingly, is data theft.
Once they've got you on the line, the attack can escalate in dozens of different directions. They might ask for:
- Account credentials for your bank, email, or your actual Shopify account.
- Payment card information directly.
- Multi-factor authentication (MFA) tokens or OTPs (one-time passwords). If they are trying to access your bank account, they need that 2FA code that your bank sends to your phone. By keeping you on the phone, they can trick you into reading that code out loud, giving them the last piece of the puzzle they need to drain your accounts.
The damage is often immediate and significant. And unlike a credit card charge, which can usually be disputed, once you've authorized account access or handed over a 2FA code, clean-up can be a nightmare.
How to Protect Yourself: The "Stop and Think" Protocol
The reality of this threat is that it weaponizes our own habits against us. But the solution isn't to stop using order-tracking apps. The solution is to change how we interact with them.
- Be Skeptical, Always: Treat any unexpected notification as a potential threat. If you didn’t buy it, you didn't buy it. Don’t panic.
- Never Call the Number in the Receipt: This is the most crucial step. If a receipt looks suspicious, DO NOT call the phone number provided in the notification. That number is the scammer's lair.
- Verify via Official Channels Only: If you are worried about a charge, go directly to the official website of the company in question. Find their customer support number through their actual, verified website—not through the Shop app, not through a search engine ad, and certainly not through a phone number in an email or receipt.
- Guard Your MFA Codes: Never, under any circumstances, share a one-time password or MFA token with anyone, even someone claiming to be from a company support department. Legitimate organizations will never ask for this code.
- Install Nothing: Under no circumstances should you ever install remote access software on your phone or computer at the request of someone you met through a suspicious notification.
The Evolving Landscape of Social Engineering
This abuse of the Shop app is just the latest example of a broader trend: attackers are moving away from brute-force technical exploits toward sophisticated, human-centric manipulation. If they can’t break the code, they break the human.
By leveraging trusted SaaS platforms and legitimate enterprise interfaces to deliver their scams, threat actors are effectively laundering their phishing attempts. They’re making the malicious feel mundane.
While Shopify and other platforms will undoubtedly work to implement better filters for these fraudulent receipts, the reality is that no technical control will ever be perfect. As long as these applications exist, they will be attractive targets for those who seek to manipulate the users who trust them.
Ultimately, the best defense against this kind of sophisticated attack is the same as it’s always been: a dose of healthy paranoia and the willingness to take a step back before acting. The urgency is the scam. The panic is the trap. The best way to win is to simply refuse to play the game on their terms. If it feels suspicious, ignore it, close the app, and breathe. Your money is worth more than a moment of panic.