Protecting Yourself from the latest Shopify Payments Phishing Scam

Do you use Shopify, Shopify POS, or Shopify Payments as your payment processor? You need to read about this latest phishing scam email, which attempts to steal your financial information, such as your bank account details and online banking logins, by pretending to be Shopify itself.

The email, titled with subject line “Important reminder regarding your Shopify Payments account,” sent to a client of Arbuckle Media.

Recently, a type of financial data phishing scam has been targeting users of Shopify and Shopify Payments, claiming that ‘additional financial information’ is needed in order to comply with regulators. The email, titled with subject line “Important reminder regarding your Shopify Payments account,” requests the following:

“Kindly update your banking information to continue

Due to financial regulation changes in your jurisdiction, we require you to provide additional information about your business to continue using Shopify Payments. If this information is not provided by November 12th 20th, 2021 your payouts will be put on hold.

Click on the banner(s) to access the Shopify Payments information”

If you ever receive an email from someone purporting to be “Shopify” and/or “Shopify Payments” asking for updated financial information, please note that if:

  1. the email does not come from an @shopify.com (or other official Shopify-owned domain) email address;
  2. the email, while well written for a scam, is still quite vague and gives an extremely small window (2 days in this case) to take action, creating fear and urgency in the recipient;
  3. the email contains spelling, grammar or punctuation errors;
  4. the button or link leads anywhere other than your legitimate Shopify dashboard or a legitimate Shopify site; and/or
  5. it asks for login credentials, personal information or financial information to be sent via email or entered anywhere other than your legitimate Shopify dashboard;

the email is very likely a phishing scam. Shopify (or any reputable payment merchant, for that matter) would never do this to its customers.

In this screenshot example that we received from a real client, you’ll notice the sender is using a legitimate email address from an unrelated business (note: we’ve reached out to this business to let them know, and they are working on a fix themselves). This likely means that the sender’s account has been compromised and is being used because it is an otherwise legitimate email account that had been active, sending real emails to customers and contacts (vendors, suppliers, etc.), and had built up a real history in the eyes of spam filters.
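The checklist above (sender domain, link destination, false urgency) and the compromised-sender point can be turned into a first-pass triage script a tech team can run over a forwarded message. The following is an added example written for this post; it is not Shopify’s code or Arbuckle Media’s. It assumes only the shopify.com domain named above as official (extend the set with domains you have verified yourself), uses an urgency phrase list chosen for this scam, and parses a constructed sample message modelled on the quoted email with placeholder addresses. It also shows why a passing SPF/DKIM result is not proof of legitimacy: in the case described here the sending account was real but compromised.

```python
"""Added example: heuristic triage of a suspected Shopify Payments phishing email.
Not Shopify's or Arbuckle Media's code; sample messages below are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the page names only shopify.com as official. Add other Shopify-owned
# domains here only after verifying them yourself.
OFFICIAL_DOMAINS = {"shopify.com"}

# Phrases that create the false urgency described in the post (constructed list).
URGENCY_PHRASES = (
    "kindly update your banking information",
    "if this information is not provided by",
    "payouts will be put on hold",
)


def _is_official(host):
    """True if host is an official domain or a subdomain of one (not a look-alike)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


class _LinkExtractor(HTMLParser):
    """Collects href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def analyze(raw_eml):
    """Return a list of (check, detail) findings; an empty list means nothing fired."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []

    # Check 1: the From address must be on an official domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if not _is_official(sender_domain):
        findings.append(("sender-domain", sender_domain))

    # A passing SPF/DKIM result does not clear the message: a compromised but
    # legitimate account (the case in this post) authenticates perfectly.
    auth = msg.get("Authentication-Results", "")
    if "spf=pass" in auth or "dkim=pass" in auth:
        findings.append(("auth-pass-not-proof", auth.strip()))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""

    # Check 4: every link must point at an official domain, not a look-alike.
    if body is not None and body.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(text)
        for link in extractor.links:
            if not _is_official(urlparse(link).hostname):
                findings.append(("link-domain", link))

    # Check 2: deadline / payout-hold language that manufactures urgency.
    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(("urgency", phrase))
    return findings


# Constructed sample modelled on the quoted email; addresses are placeholders.
SAMPLE_EML = """\
From: "Shopify Payments" <accounts@unrelated-business.example>
To: merchant@store.example
Subject: Important reminder regarding your Shopify Payments account
Authentication-Results: mx.example; spf=pass smtp.mailfrom=unrelated-business.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Kindly update your banking information to continue</p>
<p>Due to financial regulation changes in your jurisdiction, we require you to provide
additional information about your business to continue using Shopify Payments.
If this information is not provided by November 12th 20th, 2021 your payouts will be put on hold.</p>
<p><a href="https://payments-update.unrelated-business.example/shopify">Shopify Payments information</a></p>
</body></html>
"""

# Constructed benign control message: official sender, no links, no urgency language.
BENIGN_EML = """\
From: Shopify <noreply@shopify.com>
To: merchant@store.example
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Your statement for last month is now available in your Shopify admin.
"""

if __name__ == "__main__":
    for check, detail in analyze(SAMPLE_EML):
        print(f"{check}: {detail}")
```

Run it on a forwarded `.eml` by reading the file into `analyze`; any `sender-domain` or `link-domain` finding is enough on its own to treat the message as phishing, while `auth-pass-not-proof` is informational and exists to stop a “but SPF passed” argument from clearing a message sent from a hijacked account.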

Should Shopify or Shopify Payments need more information from you, you’ll likely get an email from one of their official accounts AND you will see a notification on your Shopify account dashboard (once logged in).

Here are some basic steps you can take to protect yourself:

  1. Never click links inside emails that you are uncertain about.
  2. Never open or download images or attachments from emails you are uncertain about.
  3. Forward these emails to your web developer or tech team (such as us, if we are working together) if you are uncertain about the legitimacy or source of an email, or how to perform a legitimate request properly and securely.
  4. Delete the email permanently from your account.
  5. Advise your team members (any of whom may receive the email, regardless of whether they have access to the information the phishing scam is after) about the details of this.
  6. Never enter sensitive information, such as personal information, login credentials, financial data, or credit card information on a website that does not have a valid SSL/TLS certificate (you’ll see a locked icon near the URL in your browser window). Note that the lock only means the connection is encrypted, not that the site is legitimate, so also check that the domain in the address bar is your real Shopify dashboard.
  7. Never transmit passwords or login credentials via text message or email, or keep them written down physically. Never store these types of information in a text format anywhere on your devices or in the cloud. If you have a lot of passwords, use a password manager (some reputable ones are available for free) to store passwords.
  8. Contact your financial institution as soon as humanly possible if you believe your information has been shared with unauthorized individuals.
  9. Change passwords to your email and Shopify accounts if you believe they are weak or have been shared with unauthorized individuals.
  10. Set up and require two-factor authentication (“2FA”) or multifactor authentication (“MFA”) on your Shopify account and your financial/online banking logins (if possible), as well as for any employee accounts.
  11. Train your staff on phishing scams and how to protect themselves, their personal devices, and your business account(s). If their personal devices are compromised and hold access such as credentials or data such as customer information, or even simply use your Wi-Fi network, you are at risk of loss and/or liability (either civil or through a statutory penalty such as a fine).

Stay safe out there!