A Receipt From a Shopping App That You Don’t Recognize Is a Scam.

If you see a receipt in the Shop app for a purchase you didn’t make, be careful. Scammers have been able to insert fake orders (appearing to come from legitimate companies like Apple, Norton, and PayPal) into the purchase history of Shop users as part of a callback phishing campaign.

Fake purchase receipts are a favorite tactic of scammers posing as PayPal users. They often use email notifications to trick victims into calling a fraudulent customer support number or clicking a phishing link.

How online order fraud works

As BleepingComputer reports, online store users are seeing fake invoices in their order tracking history alongside legitimate purchases. These fraudulent receipts may indicate that a payment (usually for a large amount) has been processed, an order has been prepared, or a subscription has been renewed.

They also provide an email address and/or phone number to dispute the purchase, but if you call, you’ll be connected to scammers posing as customer support representatives. The goal is to trick customers into handing over personal information, such as login credentials, credit card information, or authentication codes, or even downloading malware that will allow the scammers to remotely access your device.

Researchers at the cybersecurity company Gen Digital, who uncovered this scam, found that the fake purchase notifications contained obvious signs of fraud, such as grammatical and spelling errors. However, Shop is a widely used and largely trustworthy app, so users have little reason to suspect fraud and are therefore more likely to call customer support or otherwise modify their receipt. Furthermore, an in-app notification may be less likely to raise concerns than a phishing email.

Purchase history tracks orders paid for with Shop Pay and purchased from stores using Shopify, as long as you gave the email address associated with your Shop account when placing the order. The system also retrieves tracking information from Gmail and Outlook, scanning messages for keywords like “tracking number” and “track your package,” so you can see pending packages sent outside the Shop ecosystem.

Researchers note that it remains unclear how exactly the attackers insert fake orders into users’ histories, and there is no evidence that Shop, Shopify, or any of the companies being impersonated have been hacked. Shop simply stated that it is implementing “new controls” to address the issue.

What should you do if you see a receipt in Shop that you don’t recognize?

Don’t automatically assume a receipt for an unknown purchase is legitimate, whether it appears in the Shop app or in your email. Check your bank or credit card statements, as well as your transaction history with the listed merchant, to ensure there’s no corresponding purchase. If you don’t find anything, the receipt itself is almost certainly fraudulent, and you shouldn’t act on it. Don’t call the number, send emails, or click any links.

If you haven’t done any of the above, you can simply ignore the notification or report it directly to the store and the seller. If you called or provided any information, change your password (preferably on a different device) and monitor your accounts for suspicious login attempts or unfamiliar charges.
