TL;DR
Scammers are abusing the Shop app to display fake purchase receipts that lure users into callback phishing scams. The campaign targets credentials, OTPs, and remote device access, making strong identity security and endpoint controls critical.
Cybercriminals continue to evolve their phishing tactics, and email is no longer their only delivery channel. A new Shop app phishing campaign plants fake purchase receipts directly inside users’ order histories, exploiting the trust people place in legitimate shopping applications. Instead of malicious links, victims are prompted to call fraudulent support numbers, where attackers attempt to steal sensitive information or gain remote access to devices.
The Shop app, developed by Shopify, helps users manage purchases from multiple merchants through a centralized order history. Researchers from Gen Digital recently discovered that threat actors are abusing this trusted environment by inserting fraudulent purchase receipts alongside legitimate orders. Importantly, there is no evidence that Shopify, Shop, or the impersonated brands were compromised. Instead, attackers are exploiting the platform’s trusted user experience through social engineering.
The fake receipts imitate well-known companies, including:
Each receipt claims that an expensive purchase has been made and provides a phone number for disputing the transaction. Because users expect purchase information inside an order-tracking application, these fake entries appear far more convincing than traditional phishing emails.
Unlike conventional phishing campaigns that rely on malicious links, callback phishing shifts the attack to a live conversation.
The attack typically follows this sequence:
| Stage | Attacker activity | Risk to users |
|---|---|---|
| Fake receipt | Fraudulent purchase appears inside Shop | Creates urgency and panic |
| Phone call | Victim calls the listed support number | Establishes attacker credibility |
| Social engineering | Scammer impersonates customer support | Builds trust through conversation |
| Data theft | Requests passwords, payment details, or MFA codes | Credential compromise and financial fraud |
| Device takeover | Victim installs remote access software | Full endpoint compromise |
During the phone conversation, attackers commonly attempt to obtain:
In several observed cases, victims were instructed to install remote access software under the pretense of processing refunds or reversing fraudulent transactions. Once installed, attackers gain direct control over the endpoint, significantly expanding the scope of the compromise.
Although the fraudulent receipts target consumers, the consequences can quickly affect enterprise environments.
Employees frequently use the same devices for both personal shopping and business applications. If a user installs remote access software or shares authentication information during a callback phishing attack, attackers may gain access to:
Even when corporate credentials are not disclosed immediately, compromised endpoints may provide attackers with opportunities for lateral movement, privilege escalation, or additional credential harvesting.
Strong identity security therefore extends beyond protecting login credentials. Organizations must also protect endpoints from post-phishing compromise and unauthorized remote access.
Callback phishing often succeeds by convincing users to install unauthorized remote access software or disclose credentials and MFA codes. Reducing the risk requires both preventive controls and continuous threat detection.
Hexnode UEM helps reduce endpoint exposure through app blocklist/allowlist policies that restrict unwanted or untrusted apps, device compliance policies, BYOD containerization, and IdP integrations (such as Microsoft Entra ID or Okta) that let device compliance inform Conditional Access decisions. Together these controls let administrators keep unauthorized remote access tools off managed devices and enforce compliance-based access decisions.
If an attack progresses beyond the initial social engineering stage, Hexnode XDR provides visibility into suspicious endpoint activity. Hexnode XDR is documented as monitoring real-time endpoint events and identifying anomalies such as unauthorized process execution, brute-force attempts, known malware signatures, anomalous file changes, and unauthorized network beaconing; documented response actions include process neutralization and network isolation.
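The control chain described above (an app blocklist/allowlist policy feeding a device compliance verdict, which in turn gates a Conditional Access decision, plus flagging a remote-support tool that appears after a suspicious call) as an added example; this is illustrative code, not Hexnode's, and the app names, policy contents and inventories are constructed samples.

```python
"""Added example (not Hexnode's code): app policy -> compliance -> access gate."""
from dataclasses import dataclass, field

# Constructed sample: remote-support tools an admin chose to blocklist.
# Real policies would list the actual tool names; these are placeholders.
REMOTE_ACCESS_TOOLS = {"remote-support-tool-a", "remote-support-tool-b"}


@dataclass
class AppPolicy:
    mode: str                       # "blocklist" or "allowlist"
    apps: set = field(default_factory=set)

    def violations(self, installed: set) -> set:
        """Installed apps that violate the policy (empty set = compliant)."""
        if self.mode == "blocklist":
            return installed & self.apps          # anything blocked that is present
        if self.mode == "allowlist":
            return installed - self.apps          # anything present that is not allowed
        raise ValueError(f"unknown policy mode: {self.mode}")


@dataclass
class Device:
    device_id: str
    installed_apps: set
    enrolled: bool = True           # unmanaged devices never count as compliant


def evaluate_compliance(device: Device, policy: AppPolicy) -> dict:
    """Compliance verdict: enrolled AND no app policy violations."""
    violations = policy.violations(device.installed_apps) if device.enrolled else set()
    compliant = device.enrolled and not violations
    return {"device_id": device.device_id, "compliant": compliant,
            "violations": sorted(violations)}


def conditional_access(verdict: dict, mfa_passed: bool) -> str:
    """IdP-side gate: a stolen password plus a phished OTP still fails when
    the device that presents them is non-compliant."""
    if not mfa_passed:
        return "deny"
    return "allow" if verdict["compliant"] else "deny:device-noncompliant"


def newly_installed_remote_tools(before: set, after: set) -> list:
    """Detection: remote-support tools present in the later inventory snapshot
    but absent from the earlier one (e.g. installed during a 'refund' call)."""
    return sorted((after - before) & REMOTE_ACCESS_TOOLS)
```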
The latest Shop app phishing campaign demonstrates that attackers no longer depend solely on email to deceive victims. By planting fake purchase receipts inside a trusted order-tracking application, they exploit user confidence to facilitate credential theft, OTP theft, and remote device compromise.
Organizations cannot rely on user awareness alone. Combining strong identity security practices with endpoint management, application control, and continuous threat detection provides a more resilient defense against modern callback phishing campaigns. As attackers increasingly weaponize trusted digital experiences, layered security becomes essential for protecting both users and enterprise resources.
Instead of directing victims to malicious websites, callback phishing persuades users to initiate contact over the phone. This gives attackers more opportunities to manipulate victims through live conversations.
Unauthorized remote support tools can provide attackers with persistent access after a successful scam. Monitoring these applications helps security teams detect suspicious activity before it escalates.