PROBABLYPWNED
Threat Intelligence | June 26, 2026 | 4 min read

Shop App Abused to Deliver Fake Receipts in Callback Phishing

Scammers insert fake Norton, McAfee, and PayPal invoices into Shopify's Shop order-tracking app, then social engineer victims into installing remote access tools. Here's how it works.

Alex Kowalski

Threat actors have found a new way to make their phishing attempts look legitimate: injecting fake purchase receipts directly into Shopify's Shop order-tracking app. When users see an unexpected charge for Norton antivirus or a PayPal transaction they didn't authorize, they call the number on the receipt—and reach scammers waiting to steal their credentials or install remote access software.

The attack bypasses email filters entirely by exploiting the trust users place in a legitimate shopping application.

How the Scam Works

Shop, developed by Shopify, consolidates order tracking from multiple retailers into a single app. Users connect their email accounts and the app automatically pulls shipping updates, receipts, and order confirmations. Millions of people use it to track legitimate purchases.

Scammers have figured out how to insert fake receipts that appear alongside real orders. The fraudulent invoices typically claim to be from well-known brands:

  • Norton or McAfee antivirus renewals ($399 or similar)
  • Apple purchases
  • PayPal transactions
  • Software subscription renewals

Each fake receipt prominently displays a phone number for "customer service" or "billing disputes." That number connects to the threat actor's call center, not the actual brand.

The Social Engineering Phase

Once a victim calls, the real attack begins. Scammers posing as support representatives use social engineering techniques to extract information or gain device access.

Common tactics include:

  • Credential harvesting: Asking for login credentials to "verify the account"
  • Payment card details: Requesting card numbers to "process a refund"
  • One-time codes: Talking victims through entering 2FA codes that authorize fraudulent transactions
  • Remote access installation: Convincing users to install tools like TeamViewer or AnyDesk so the "technician" can "remove the charge"

The remote access angle is particularly dangerous. Once installed, attackers can browse files, capture credentials, install additional malware, or initiate wire transfers while the victim watches, unaware of what's actually happening.

Why This Works Better Than Email

Traditional phishing emails face an uphill battle. Spam filters catch many of them. Users have been trained to scrutinize unexpected emails. Corporate security awareness programs specifically warn about suspicious invoices.

The Shop app attack sidesteps these defenses:

  • No email filters: The fake receipt appears in an app, not an inbox
  • Legitimate context: It's mixed with real orders the user actually placed
  • Trust inheritance: The Shop app is legitimate software from a reputable company
  • Urgency built-in: A $399 charge creates immediate concern

When users see an unexpected purchase in their order history, the natural response is to dispute it immediately. Scammers count on that urgency overriding caution.

Red Flags to Watch For

Despite the convincing delivery mechanism, these fake receipts often contain tells:

  • Grammar errors: Poor spelling or awkward phrasing in the invoice text
  • Generic order numbers: Random strings that don't match the brand's order format
  • Phone numbers: Legitimate companies don't ask you to call to dispute charges—they have online dispute processes
  • Mismatched branding: Logos or formatting that don't quite match the real company's style

The most reliable defense: never call numbers listed on unexpected invoices. Instead, navigate directly to the company's official website and use their published support channels.
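
The red flags above can be turned into a rough triage heuristic for receipt text. The following is an added example, not code from the article, Shopify, or any vendor; the brand list, patterns, threshold, `merchant_domain` field, and sample receipts are all assumptions constructed for illustration.

```python
import re

# Brands the article lists as impersonated; extend for your own environment.
BRANDS = ("norton", "mcafee", "paypal", "apple")
# Loose North American phone pattern (an assumption of this example).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d{1,4}(?:\.\d{2})?")
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)
DISPUTE_RE = re.compile(r"\b(?:cancel|dispute|refund|unauthori[sz]ed|authori[sz]e)\b", re.I)
SUSPICIOUS_AT = 3  # hypothetical threshold, tune on your own data


def score_receipt(text, merchant_domain=""):
    """Score one receipt body; returns (score, reasons), higher is worse."""
    # merchant_domain (hypothetical field): store domain the order is attributed to.
    score, reasons = 0, []
    lower = text.lower()
    brand = next((b for b in BRANDS if re.search(rf"\b{b}\b", lower)), None)
    has_phone = PHONE_RE.search(text) is not None
    if has_phone:
        score += 1
        reasons.append("phone number in receipt body")
    if has_phone and CALL_RE.search(text) and DISPUTE_RE.search(text):
        score += 2
        reasons.append("asks the reader to call about the charge")
    if brand and AMOUNT_RE.search(text):
        score += 1
        reasons.append(f"charge attributed to {brand}")
    labels = merchant_domain.lower().split(".")
    if brand and merchant_domain and brand not in labels:
        score += 2
        reasons.append(f"{brand} receipt from unrelated merchant")
    return score, reasons


def is_suspicious(text, merchant_domain=""):
    return score_receipt(text, merchant_domain)[0] >= SUSPICIOUS_AT


# Constructed samples, not real receipts. 555-01xx numbers are fictional.
FAKE = ("Your Norton 360 subscription has been renewed. Amount charged: "
        "$399.00. If you did not authorize this charge, call our billing "
        "team at +1 (555) 010-0199 within 24 hours to cancel.")
REAL = ("Thanks for your order from Example Outdoor Co. Order #10482. "
        "Total: $54.20. Manage your order at https://shop.example/orders.")

if __name__ == "__main__":
    print(score_receipt(FAKE, "quick-billing.example"), score_receipt(REAL, "shop.example"))
```

The heuristic covers only the phone-number and mismatched-branding tells; grammar errors and order-number formats need brand-specific rules.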

Unclear Delivery Mechanism

Security researchers haven't confirmed exactly how scammers inject fake receipts into the Shop app. The app can populate orders from multiple sources:

  • Email parsing from connected accounts
  • Account associations with merchant systems
  • Order workflow integrations

BleepingComputer reports that none of these channels has been definitively identified as the attack vector. Shopify has not publicly commented on specific mitigations.

If You've Already Contacted Scammers

Victims who called the fake support number should take immediate action:

  1. Reset passwords for any accounts mentioned during the call
  2. Contact your bank to flag potential fraud and consider issuing new cards
  3. Remove remote access software if you installed any during the call
  4. Monitor accounts for unauthorized transactions over the next several weeks
  5. Run antivirus scans if the "support technician" had access to your device

The FBI's Internet Crime Complaint Center accepts reports of callback phishing and remote access fraud.

Callback Phishing Is Evolving

This attack represents a broader trend: callback phishing campaigns are getting more sophisticated about where and how they present fraudulent invoices. The technique first gained prominence with BazarCall campaigns that used email-based fake invoices to drive victims to malicious call centers.

Moving the delivery mechanism from email to a trusted app significantly improves the attack's credibility. Security teams should expect threat actors to explore other apps that aggregate order data or payment notifications.

For now, the best defense remains skepticism toward any unexpected charge—regardless of where it appears. Legitimate companies provide self-service dispute options through their official websites. Any invoice that asks you to call a phone number to resolve a billing issue deserves extra scrutiny.
