Gen Digital says scammers are abusing Shopify’s Shop order-tracking app by inserting fake purchase receipts into users’ order histories. The receipts include phone numbers that lead victims to agents using social engineering to steal account credentials, payme
The first warning is almost always quiet: a receipt showing up where it shouldn’t.
Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts into users’ order histories. The goal is straightforward—trick people into handing over sensitive information or installing remote access software.
Shop is meant to be a trusted digital shopping assistant. It tracks orders from multiple online retailers in one place. shows receipts and shipping updates. and lets users discover and buy products from merchants that use Shopify. In North America. the app has become especially common. with 50 million downloads on Google Play and 7 million ratings in Apple’s App Store.
Gen Digital says scammers are now inserting fake orders that appear alongside legitimate purchases. The messages impersonate brands including Norton, McAfee, Apple, and PayPal, making the receipts look like normal recordkeeping—something users are likely to react to without thinking twice.
Each counterfeit receipt also includes a phone number meant to pull the victim into a “dispute.” If a user calls, Gen Digital says the person on the other end is a scammer posing as support.
From there, social engineering takes over. Researchers say victims are pushed to disclose account credentials, payment card details, and temporary authentication codes (OTPs). In some cases, the scam also persuades victims to install software that grants remote access to the device.
Gen Digital frames the tactic as a sharper version of a more familiar trick. Callback phishing—typically delivered through fraudulent email purchase notifications—is common. But inserting fake receipts directly into Shop is proving more effective. researchers say. because users already trust what appears in the app. An order that shows up in a trusted shopping history is far more likely to prompt a response from an unsuspecting person.
There’s also a tell—some of the fake receipts contain poor grammar, a red flag that can be hard to spot when the message looks like an invoice for a large purchase.
What remains unclear is how the fraudulent receipts are getting into Shop in the first place. Gen Digital says Shop can populate orders from multiple sources. including email parsing. account association. and order workflows. but it could not confirm any specific delivery channel for the fraudulent notifications.
The investigation also found no evidence that Shop, Shopify, or any of the impersonated companies were compromised.
For users, the immediate guidance is practical: if receipts appear in Shop for orders they didn’t place, do not call the phone number listed on the receipt. Verify any alleged charge directly with the user’s bank instead.
For anyone who has already contacted the scammers and shared sensitive details, Gen Digital says they should immediately reset account passwords and contact their card issuer for cancellation.
Shop app Shopify callback phishing order-tracking app fake receipts Gen Digital remote access malware OTP scams mobile security