Popular e-commerce platform Shopify has once again been impersonated in a phishing email scam intercepted by MailGuard.
Titled “Your Failed Payout”, the email uses a display name of “Shopify”. The sender email address in the “From:” field, does not, however, use a domain belonging to Shopify. The email actually originates from a mass mailing platform.
The email body includes Shopify’s logo and informs recipients that their “payout couldn’t be deposited” because their banking details “were incorrect”. A link is provided for them to update their banking details. The email states this link will expire in 24 hours – this is likely an attempt to evoke urgency, motivating users to click on the link.
Here’s what the email looks like:
Unsuspecting recipients who click on the link are led to a fake Shopify-branded login page, asking for their Shopify store address, along with their Shopify account credentials (email address & password). The domain used in this page’s URL however, doesn’t belong to Shopify. Instead, the page appears to be hosted on a compromised website.
After users “log in” to their Shopify accounts, they’re presented with a similar page asking for their banking details, as per the below:
Once these details are entered and submitted, the attacker harvests them for later use, and the user is redirected to the actual Shopify login page.
We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.
E-commerce is booming, especially with more retailers closing their physical stores in light of the COVID-19 pandemic – and this phishing scam is a good example of how cybercriminals are increasingly exploiting this spike in online activity to trick users. We intercepted another phishing email spoofing Shopify earlier this year, which informed recipients that their shop had been "frozen".
As you can see from the screenshots above, cybercriminals have employed multiple elements to trick recipients. Here are some of them:
- The use of an email subject like “Your Failed Payout”. This creates alarm and intrigue among recipients, who, in their urgency to rectify the issue and receive their payout, may not pause to check for the email’s legitimacy before clicking on the link in the email.
- The use of a display name like “Shopify” and the inclusion of Shopify’s logo and branding within the email. This helps to boost the credibility of the email as it is likely for sellers on the platform to receive official notifications like this in their inboxes, thereby not raising any alarm bells.
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly, and that the domain used in the phishing pages doesn’t belong to Spotify.
Shopify lists the following advice on its support page:
“Forward any phishing messages that you receive to Shopify's safety inbox at firstname.lastname@example.org. By building a record of attacks directed at merchants, Shopify can work to better protect you and your information.”
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.