PayPal, Shopify, McAfee, Norton and Apple: Scammers Abuse Shopify to Send Fake Invoices and Steal Credentials via Fake Support Calls

PayPal, Shopify, McAfee, Norton and Apple: Scammers Abuse Shopify to Send Fake Invoices and Steal Credentials via Fake Support Calls

Scammers Exploit Shopify’s Shop App to Deliver Fake Invoices in Phishing Scheme

Security researchers Luis Corrons and Jakub Vavra from Gen have uncovered a rising trend of scammers abusing Shopify’s Shop order-tracking app to distribute fraudulent invoices directly within users’ purchase histories. Unlike traditional email phishing, this tactic leverages in-app social engineering, exploiting trust in a platform typically used for legitimate order tracking.

The scam involves fake receipts appearing in the Shop app, impersonating well-known brands such as Norton, McAfee, Apple, and PayPal. These fraudulent entries often labeled under generic seller names like “My Store” feature high-value items like antivirus subscriptions, smartphones, or gift cards to create urgency. Attackers embed fake support phone numbers in unusual fields, such as product descriptions or shipping addresses, where legitimate receipts would never include them.

When victims call the listed number, the attack escalates into voice phishing (vishing), with scammers posing as customer support to extract sensitive data including login credentials, payment details, or one-time passcodes. Some victims are also tricked into installing remote access software, granting attackers control over their devices.

The Shop app aggregates order data from sources like Gmail, Outlook, and Shop Pay, automatically scanning connected email accounts for shipping-related keywords. While the exact method of injecting fake orders remains unclear, potential vectors include email parsing manipulation, merchant workflow abuse, or loosely validated input fields. Importantly, there is no evidence of a breach in Shopify, the Shop app, or the impersonated brands this is an abuse of legitimate platform features rather than a direct compromise.

This campaign reflects a broader shift in phishing tactics, where attackers exploit contextual trust in familiar digital environments. Similar schemes have been observed in calendar invite scams and collaboration platform abuse, where the delivery channel itself lends credibility to the scam.

The emergence of in-app invoice fraud highlights the growing challenge for cybersecurity defenses, as malicious content becomes harder to detect when embedded within trusted ecosystems.

Source: https://gbhackers.com/scammers-abuse-shopify-to-send-fake-invoices/

PayPal TPRM report: https://www.rankiteo.com/company/paypal

Shopify TPRM report: https://www.rankiteo.com/company/shopify

McAfee TPRM report: https://www.rankiteo.com/company/mcafee

Norton TPRM report: https://www.rankiteo.com/company/norton

Apple TPRM report: https://www.rankiteo.com/company/apple

"id": "norpayshoappmca1782469522",
"linkid": "norton, paypal, shopify, apple, mcafee",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Users of the Shop app with '
                                              'connected email accounts',
                        'industry': 'Technology, E-commerce',
                        'name': 'Shopify (Shop app)',
                        'type': 'E-commerce platform / Mobile application'},
                       {'industry': 'Cybersecurity',
                        'name': 'Norton',
                        'type': 'Cybersecurity company'},
                       {'industry': 'Cybersecurity',
                        'name': 'McAfee',
                        'type': 'Cybersecurity company'},
                       {'industry': 'Technology, Consumer Electronics',
                        'name': 'Apple',
                        'type': 'Technology company'},
                       {'industry': 'FinTech, Payments',
                        'name': 'PayPal',
                        'type': 'Financial services company'}],
 'attack_vector': 'In-app social engineering (Shopify Shop app)',
 'data_breach': {'data_exfiltration': 'Yes (via vishing attacks)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (financial and personal data)',
                 'type_of_data_compromised': 'Login credentials, payment '
                                             'details, one-time passcodes, '
                                             'personally identifiable '
                                             'information'},
 'description': 'Security researchers Luis Corrons and Jakub Vavra from Gen '
                'uncovered a rising trend of scammers abusing Shopify’s Shop '
                'order-tracking app to distribute fraudulent invoices directly '
                'within users’ purchase histories. The scam involves fake '
                'receipts appearing in the Shop app, impersonating well-known '
                'brands such as Norton, McAfee, Apple, and PayPal. These '
                'fraudulent entries feature high-value items and embed fake '
                'support phone numbers in unusual fields. Victims are tricked '
                'into calling these numbers, leading to voice phishing '
                '(vishing) attacks where scammers extract sensitive data or '
                'install remote access software.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Shopify and impersonated brands '
                                       '(Norton, McAfee, Apple, PayPal)',
            'data_compromised': 'Login credentials, payment details, one-time '
                                'passcodes, personally identifiable '
                                'information',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': 'User devices (via remote access software '
                                'installation)'},
 'investigation_status': 'Ongoing (no evidence of breach in Shopify or '
                         'impersonated brands)',
 'lessons_learned': 'Attackers are increasingly exploiting contextual trust in '
                    'familiar digital environments (e.g., in-app receipts) to '
                    'bypass traditional phishing defenses. Organizations must '
                    'improve input validation, user education, and monitoring '
                    'of unusual in-app behaviors.',
 'motivation': 'Financial gain, data theft',
 'post_incident_analysis': {'root_causes': 'Abuse of legitimate platform '
                                           'features (email parsing, merchant '
                                           'workflows, or input validation '
                                           'gaps) to inject fake order data '
                                           'into the Shop app.'},
 'recommendations': ['Enhance input validation in the Shop app to prevent '
                     'injection of fake order data.',
                     'Implement stricter scrutiny of fields where support '
                     'phone numbers or suspicious links may be embedded.',
                     'Educate users about the risks of in-app phishing and '
                     'vishing attacks.',
                     'Monitor for unusual patterns in order data aggregation '
                     '(e.g., generic seller names, high-value items).',
                     'Collaborate with email providers to improve detection of '
                     'manipulated shipping-related emails.'],
 'references': [{'source': 'Gen Security Research (Luis Corrons and Jakub '
                           'Vavra)'}],
 'response': {'third_party_assistance': 'Security researchers from Gen (Luis '
                                        'Corrons and Jakub Vavra)'},
 'title': 'Scammers Exploit Shopify’s Shop App to Deliver Fake Invoices in '
          'Phishing Scheme',
 'type': 'Phishing / Social Engineering',
 'vulnerability_exploited': 'Abuse of legitimate platform features (email '
                            'parsing, merchant workflows, or input validation '
                            'gaps)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.