Hackers are leveraging new tactics to deceive online shoppers, infiltrating trusted platforms such as Shopify’s Shop app with fraudulent invoices. In this emerging scam, cybercriminals embed fake receipts directly within the app’s order history, creating a facade that is more convincing than a traditional phishing email.
Fraudulent Invoices in Trusted Digital Spaces
Research indicates that the scam is primarily targeting users of the Shop app, a popular order-tracking application by Shopify. By inserting fictitious charges for expensive items or services, scammers exploit the confidence users have in this digital space, making the fake order appear genuine.
Victims are prompted to call a provided phone number if they do not recognize the order, which marks the beginning of the scam. This tactic has been documented by GenDigital, whose analysts warn that these fake purchase claims are cleverly placed among legitimate receipts and updates within the app.
Targeting High-Profile Brands to Amplify Fear
The fraudulent activity often involves impersonating prominent brands in technology and security, including fake charges for security subscriptions, tech gadgets, and payment system claims. The strategy remains consistent: induce panic, driving victims to reach out via the provided contact number.
Online forums, including Reddit, reveal that this is not an isolated incident. Numerous users report encountering unrecognized orders in the Shop app without corresponding bank transactions or follow-up communications from legitimate sellers, suggesting a systematic exploitation of the app’s infrastructure.
Understanding the Scam’s Modus Operandi
The Shop app is designed to consolidate order confirmations, shipping updates, and receipts, drawing data from linked email accounts by identifying specific keywords. This functionality, while beneficial to users, has inadvertently been manipulated by scammers to plant fraudulent orders within the app.
These fake receipts often list generic seller names and claim expensive subscription renewals, embedding a phone number in the product description, the receipt, or the shipping address. Despite this unusual placement, users may overlook the discrepancy because they trust the app.
According to GenDigital’s research, the exact method of abuse remains uncertain: it may be merchant workflows, email parsing, or another exploited pathway. However, the appearance of fraudulent content in a trusted app environment underscores the evolving threat landscape.
Protecting Yourself from Emerging Scams
Upon calling the number listed in a fake receipt, victims are drawn into a risky situation. The scammer may impersonate various support roles, eventually seeking sensitive information like payment details, passwords, or remote access to the victim’s device.
The urgency generated by the fake receipt is a deliberate ploy to initiate contact, similar to tactics observed in calendar invite scams. A receipt within a shopping app inherently feels more authentic than an email, increasing the likelihood of user engagement.
If faced with a suspicious order in a shopping app, refrain from calling the provided number. Verify charges directly through banking apps or websites, and report dubious stores via the app’s reporting feature. Stay informed and vigilant to protect against such sophisticated scams.
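The two indicators described above, a phone number placed in the product description or shipping address and an order with no corresponding bank transaction, can be checked mechanically. The following is an added triage example, not code from Shopify or GenDigital; it assumes order entries and bank charges have been copied into simple records, and every field name and sample value in it is hypothetical and constructed.

```python
import re
from datetime import date, timedelta

# Optional +1 country code, then 10 digits with common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# Hypothetical field names: places where a genuine receipt has no reason
# to carry a callback number.
SUSPECT_FIELDS = ("product_description", "receipt_note", "shipping_address")

def has_matching_charge(order, charges, window_days=5):
    """True if a bank charge of the same amount exists near the order date."""
    window = timedelta(days=window_days)
    return any(c["amount_cents"] == order["total_cents"]
               and abs(c["date"] - order["date"]) <= window
               for c in charges)

def triage_order(order, charges):
    """Return the reasons an order entry looks like a planted receipt."""
    reasons = [f"phone number in {field}" for field in SUSPECT_FIELDS
               if PHONE_RE.search(order.get(field, ""))]
    if not has_matching_charge(order, charges):
        reasons.append("no matching bank charge")
    return reasons

def triage_all(orders, charges):
    """Map order id -> reasons, keeping only orders with at least one reason."""
    flagged = {o["id"]: triage_order(o, charges) for o in orders}
    return {oid: why for oid, why in flagged.items() if why}

# Constructed sample data (amounts in cents; 555-01xx numbers are fictional).
SAMPLE_CHARGES = [{"date": date(2024, 5, 2), "amount_cents": 4599}]
SAMPLE_ORDERS = [
    {"id": "A", "seller": "Example Outdoor Co", "date": date(2024, 5, 1),
     "total_cents": 4599,
     "product_description": "Trail running shoes, size 10",
     "shipping_address": "12 Example St, Springfield"},
    {"id": "B", "seller": "Online Store", "date": date(2024, 5, 3),
     "total_cents": 49999,
     "product_description": "Security subscription renewal. "
                            "Not you? Call +1 (555) 010-0199",
     "shipping_address": "Support line 555-010-0199"},
]

if __name__ == "__main__":
    for order_id, why in triage_all(SAMPLE_ORDERS, SAMPLE_CHARGES).items():
        print(order_id, "->", "; ".join(why))
```

An order flagged for both reasons matches the pattern in the reports: a receipt that asks for a phone call but never produced a charge.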
