Protect.Computer

Scammers Plant Fake Receipts in Shopify's Shop App to Trigger Callback Phishing

Tags: Digital scams, Identity theft

Researchers at Gen Digital have uncovered a scam that abuses Shop, Shopify’s order-tracking app used by millions of online shoppers to follow purchases from many different stores in one place. Criminals are managing to inject fraudulent purchase receipts directly into Shop users’ order histories — fake invoices that appear to come from well-known brands like Norton, McAfee, Apple, and PayPal, often for high-dollar charges designed to alarm the reader. Each fake receipt includes a phone number to call for “disputes.” When the panicked customer dials, a fake support agent walks them through “cancelling” the charge, which actually means handing over login credentials, card numbers, one-time codes, or even installing a remote-access tool that hands the scammer control of their device.

The reason this scam works is trust: the fake receipt shows up next to real orders inside an app the user already considers legitimate, so the receipt looks legitimate too. Shopify has rolled out additional detection controls in response, but the simplest defence is to never call a phone number that appears inside a receipt — call your bank or the brand directly using a number you find yourself.

How to check if you’re affected

Affected products include the Shop app on both iPhone and Android devices. Open Shop and scroll your order history for any purchase you don’t recognise — especially “subscriptions” or “renewals” for Norton, McAfee, Apple, or PayPal at unusually high amounts. If you see one, do not call the number on the receipt; instead, log in to your bank or card issuer’s official app or website and check whether a real charge exists. If you already called and shared card or account details, contact your bank immediately to lock the card, change the password on any account you mentioned, and run a malware scan on your computer if you installed anything the caller asked you to.
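The checks above can be expressed as a small triage rule, which is how a fraud or support team might screen order-history entries for planted receipts. The following is an added example written for this article; it is not code from Gen Digital, Shopify, or the Shop app. It assumes receipts are available as plain records (merchant, amount, receipt text), that the cardholder has a list of charges confirmed with their bank, and it uses an assumed amount threshold, since the article does not define "unusually high". The sample receipts are constructed for the example.

```python
import re
from dataclasses import dataclass

# Brands the article reports being impersonated in the injected receipts.
IMPERSONATED_BRANDS = {"norton", "mcafee", "apple", "paypal"}

# Matches North American style numbers such as 1-888-555-0142 or (888) 555-0142.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Assumed threshold for "unusually high"; the article gives no figure.
HIGH_AMOUNT = 100.00


@dataclass
class Receipt:
    order_id: str
    merchant: str
    amount: float
    body: str  # free-text receipt as it appears in the order history


def triage_receipt(receipt, known_charges):
    """Return the indicators that make a receipt look like a planted callback-phishing receipt.

    known_charges: set of (merchant lowercased, amount) the cardholder confirmed
    against their bank or card issuer's own records.
    """
    reasons = []
    merchant = receipt.merchant.lower()
    text = receipt.body.lower()
    # A real purchase shows up on the card statement; a planted receipt does not.
    if (merchant, round(receipt.amount, 2)) not in known_charges:
        reasons.append("no matching bank charge")
    if any(b in merchant or b in text for b in IMPERSONATED_BRANDS):
        reasons.append("impersonated brand")
    if receipt.amount >= HIGH_AMOUNT:
        reasons.append("high amount")
    # The signature of the scam: a phone number tied to disputing or cancelling the charge.
    if PHONE_RE.search(receipt.body) and re.search(r"dispute|cancel|refund", text):
        reasons.append("callback number for disputes")
    return reasons


def flag_suspicious(receipts, known_charges):
    """Map order_id -> reasons for receipts with two or more indicators.

    A single indicator (e.g. a genuine Norton renewal, or a gift order the
    cardholder did not pay for) is not enough on its own.
    """
    flagged = {}
    for r in receipts:
        reasons = triage_receipt(r, known_charges)
        if len(reasons) >= 2:
            flagged[r.order_id] = reasons
    return flagged


# Constructed sample data (not real orders, merchants, or phone numbers).
KNOWN_CHARGES = {("allbirds", 98.00), ("norton", 49.99)}


def sample_receipts():
    return [
        Receipt("ORD-1", "Allbirds", 98.00, "Thanks for your order! Your shoes have shipped."),
        Receipt("ORD-2", "Norton LifeLock", 399.99,
                "Your Norton 360 renewal of $399.99 was processed. "
                "To dispute this charge call 1-888-555-0142 within 24 hours."),
        Receipt("ORD-3", "Norton", 49.99, "Your Norton 360 subscription renewed."),
        Receipt("ORD-4", "Etsy", 25.00, "Your order has shipped."),
    ]


if __name__ == "__main__":
    for order_id, reasons in flag_suspicious(sample_receipts(), KNOWN_CHARGES).items():
        print(order_id, "->", ", ".join(reasons))
```

Only the planted receipt trips the rule: it has no matching bank charge, names an impersonated brand, carries a high amount, and pairs a phone number with "dispute". The genuine Norton renewal and the unrecognised but benign order each hit one indicator and are left alone, which is the point of requiring two before flagging.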
