I know we’ve talked at length about shopping, fake invoices, and all the ways scammers try to create panic. But this latest twist is worth a look because it moves the scam into a place where people expect to see legitimate purchase information.
According to BleepingComputer, threat actors are abusing Shop, Shopify’s order-tracking app, to place fake receipts inside a user’s order history and then use those fake orders to push callback phishing attacks. Instead of sending a fake Norton or McAfee invoice by email and hoping it lands in your inbox, the scammers are trying to place the bait directly inside an app that many people use to track real purchases.
The BleepingComputer article is titled "Order-tracking app Shop abused to push callback phishing attacks."
That matters because callback phishing relies on panic and urgency. The scam usually claims you purchased something expensive, renewed a subscription, or authorized a charge you don’t recognize. The message then gives you a phone number to call to “fix” the problem. Once you call, the social engineering starts. The attacker may try to steal payment information, convince you to disclose account details, or walk you into installing remote access software under the guise of helping with a refund or cancellation.
What makes this version more dangerous is the setting. A fake receipt in email is one thing. A fake receipt in an order-tracking app feels more legitimate because it appears alongside real purchases and shipping updates. That can lower a person’s guard and make them more likely to call before stopping to think.
This is also a good reminder of how a real purchase normally works. If you buy something, you should be able to verify it through the merchant you used, the payment method you used, and the email confirmations or account history tied to that order. A random support number embedded in an order note, push alert, or receipt should not be treated as trustworthy just because it appears inside a familiar app. If you think an order is fraudulent, do not call the number included in the suspicious message. Instead, go directly to the merchant’s official website or app, contact support through a method you already know is legitimate, and check your bank or card statement independently.
If you use Shop or similar tracking apps, it’s worth reviewing any order alerts carefully and treating surprise high-dollar purchases, security software renewals, gift card orders, or electronics purchases with suspicion, especially if the message pushes you toward a phone number rather than normal account support channels. The scammer’s goal is not just to scare you. The goal is to get you talking.
And once that happens, the rest of the scam can become much easier.
Remember, when you make a legitimate purchase, you will usually see a pending or posted transaction through your financial institution, card issuer, PayPal, or other payment provider fairly quickly. If one of these receipts claims you were billed for hundreds of dollars and there is no matching transaction at all, that is a strong sign the receipt is fake and designed to push you into calling the scammer. Keep in mind that a transaction may sit as pending for a period of time, but it eventually either drops off (if it was a temporary hold) or, if it is a valid charge, posts within days.
How this is supposed to work
- You buy something.
- You get a receipt from a real merchant.
- You see the charge through your payment method.
- If something looks wrong, verify it through the merchant or financial institution directly.
- Do not call a phone number from a suspicious receipt or order notice.
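The checks above can be written down as a small triage routine: a receipt notice is reconciled against what the payment provider actually shows, and the callback-phishing tells the post describes (an embedded phone number, a high-pressure bait category) are flagged. This is an added illustration, not code from the article or from Shop/Shopify; the merchants, amounts, dates and message text are constructed sample data.

```python
import re
from dataclasses import dataclass
from datetime import date

# Loose phone-number pattern: digits with spaces, dashes, dots or parentheses.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
# Bait categories the post singles out (security software, renewals, gift cards).
BAIT_WORDS = ("antivirus", "security software", "renewal", "subscription", "gift card")

@dataclass
class Notice:            # a receipt or order alert as it appears in the tracking app
    merchant: str
    amount: float
    seen: date
    text: str

@dataclass
class Transaction:       # a card, bank or PayPal entry (pending or posted)
    merchant: str
    amount: float
    posted: date
    pending: bool

def assess(notice, transactions, pend_days=5):
    """Return the red flags for one notice; an empty list means it reconciles."""
    flags = []
    matches = [t for t in transactions
               if abs(t.amount - notice.amount) < 0.01
               and t.merchant.lower() == notice.merchant.lower()
               and abs((t.posted - notice.seen).days) <= pend_days]
    if not matches:                      # nothing pending or posted for this charge
        flags.append("no matching charge at payment provider")
    if PHONE_RE.search(notice.text):     # "call this number" instead of in-app support
        flags.append("embedded phone number instead of normal support channel")
    if any(w in notice.text.lower() for w in BAIT_WORDS):
        flags.append("high-pressure bait category")
    return flags

# Constructed sample data (hypothetical merchants, not from the article).
NOTICES = [
    Notice("BrightShirts Co", 24.99, date(2025, 6, 9),
           "Your order #1182 has shipped. Track it in the app."),
    Notice("PC Shield Antivirus", 399.99, date(2025, 6, 9),
           "Your annual antivirus renewal was charged $399.99. "
           "To cancel, call +1 (800) 555-0199 within 24 hours."),
]
TRANSACTIONS = [Transaction("BrightShirts Co", 24.99, date(2025, 6, 9), pending=True)]

def triage(notices=NOTICES, transactions=TRANSACTIONS):
    """Map each notice's merchant to its list of red flags."""
    return {n.merchant: assess(n, transactions) for n in notices}
```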
Also, one last thing: reporting by BleepingComputer says that it is not clear how these receipts are appearing, and vendors indicate no vulnerability path was used.
Stay safe!
Discover more from Jared's Technology podcast network
Let’s remind people how purchasing something is supposed to work