Back to news
Cybersecurity Alert
June 26, 2026 by EmailMeNow IT Consulting

Shopify Shop App Scam: Fake Invoices Appear Alongside Real Orders

Scammers inject fake purchase receipts into the Shop order-tracking app, impersonating Norton, Apple, and PayPal to push callback phishing. Gen Digital reported the campaign in June 2026. Audits score shopify.com at 60% and shop.app at 54%.

Source: Gen Digital / BleepingComputer

ShopifyPhishingCallback ScamMobile AppsCybersecurityTexas
Shopify Shop app fake invoice scam warning showing fraudulent receipts in order history

Scammers are placing fake purchase receipts inside Shop, Shopify’s order-tracking and shopping app, so fraudulent charges appear alongside legitimate orders. The receipts impersonate brands like Norton, McAfee, Apple, and PayPal, then embed a fake support phone number that connects victims to callback phishing operators.

Gen Digital (Norton’s parent company) published research on June 24, 2026, after Norton customers reported suspicious invoices inside Shop. BleepingComputer followed on June 25, 2026. Shopify told reporters it identified bad actors misusing the platform and rolled out new controls that have significantly reduced the activity.

Read Gen Digital’s research:
https://www.gendigital.com/blog/insights/research/fake-invoices-shopping-apps

Why the Shop App Makes This More Believable

Shop is a legitimate app with 50 million downloads on Google Play and 7 million ratings on Apple’s App Store. Users rely on it to track packages, view receipts, and receive delivery notifications from multiple retailers.

According to Shop’s documentation, orders can populate from Gmail, Outlook, the email linked to a Shop account, and Shop Pay purchases. If a mailbox is connected, the app scans for keywords like “tracking number” to build the Orders tab. Push notifications for payments and deliveries add another trusted channel.

That context is the scam’s advantage. A fake invoice in email is easy to dismiss. A $399 Norton renewal sitting next to your real Amazon and Target receipts inside an app you already use feels different — even when the wording is clumsy.

Researchers found no evidence that Shopify, Shop, Norton, Apple, PayPal, or other impersonated brands were compromised. The exact path scammers use to inject fake orders remains unclear — possibilities include merchant order workflows, email parsing, or account association — but the delivery surface is what makes the attack effective.

How the Scam Works

  1. Fake order injection — A fraudulent receipt appears in the Shop app’s Orders tab, often under a generic merchant name like “My Store” or “Mein Shop.”
  2. High-value lure — Receipts claim expensive purchases: Norton or McAfee subscriptions ($300–$400), iPhones, MacBooks, Apple gift cards, or PayPal-style payment claims.
  3. Embedded callback number — Scammers place a phone number in the product description, receipt body, or even the shipping address field — not where legitimate support contacts appear.
  4. Urgency trigger — Wording like “If Order Not Place By You” or “If Need Help” pushes the victim to call immediately.
  5. Callback phishing — The person answering impersonates billing or brand support and attempts to steal credentials, payment card details, one-time passcodes, or convince victims to install remote access software.

This is callback phishing — a long-running invoice scam technique — moved from email inboxes into a shopping app order history where users expect real purchases.

Illustrated attack chain

Step 1: Fake receipt appears next to real orders

Illustration: Shop order-tracking app showing a fake Norton subscription receipt alongside legitimate purchases

The victim receives a push notification or opens Shop and sees a new order for an expensive security subscription. It sits in the same list as real receipts and shipping updates, lending credibility the scam text alone would not earn.

Step 2: Suspicious details hide in plain sight

Illustration: fake My Store receipt with support phone number in shipping address field

Generic merchant names, awkward grammar, and phone numbers stuffed into product descriptions or address fields are red flags — but easy to miss when a notification says hundreds of dollars were just charged.

Step 3: Victim calls fake support

Illustration: callback phishing scam with victim on phone to fake billing support

Calling the number moves the attack off-platform. Scammers pose as Norton, PayPal, or cancellation support and steer victims toward sharing passwords, card numbers, OTPs, or installing remote-access tools.

Step 4: Verify charges through official channels

Illustration: user verifying no unauthorized charges in banking app while dismissing fake Shop notification

The safest response is to separate the alert from the action. Check your bank or credit card app directly. Log into the official Norton, Apple, or PayPal account — never use contact details inside the suspicious receipt.

What Shop and Shopify Users Should Do

Shopify recommends users who receive a suspicious notification to avoid calling any phone numbers in it and report the store directly in the Shop app.

  • Do not call phone numbers, emails, or links inside suspicious Shop receipts.
  • Verify charges through your bank, credit card app, or the official website of the impersonated brand.
  • Report suspicious stores in Shop (store page → menu → report) and forward phishing to phishing@shopify.com.
  • Norton users can forward suspicious messages to Norton and verify charges only through their Norton account or official support channels.
  • If there is no matching charge, treat the receipt as a scam attempt — opening it alone does not compromise your device.

If you already called the number

  1. End the call immediately.
  2. Contact your bank or card issuer using the number on your card — not the scammer’s number.
  3. Change passwords from a different device if possible, starting with email, Apple ID, Google, and banking accounts.
  4. If you installed remote access software, disconnect from the internet, remove the software, and run a security scan before banking or email.
  5. If you shared a one-time code, treat the related account as compromised — reset password, review recovery options, and check login activity.

Why Texas Businesses Should Care

Retail staff, bookkeepers, and small-business owners who use Shop to track vendor shipments may see these fake receipts on personal phones tied to business email. A finance employee who calls a fake “PayPal support” line from a device with QuickBooks, Shopify admin, or Microsoft 365 access can expose the whole operation — the same callback patterns we track in WhatsApp RMM malware and FBI Kali365 OAuth theft.

Hospitality and retail teams already face invoice and payment fraud. Moving fake invoices into trusted mobile apps raises the bar for staff awareness training.

Independent Cybersecurity Audit

We audited platform and impersonated-brand domains relevant to this advisory on June 26, 2026:

Organization (Domain)OverallRisk Level
PayPal (paypal.com)76%Good
Shopify (shopify.com)60%High Risk
Norton (norton.com)56%High Risk
Shop app (shop.app)54%Critical Risk

shopify.com and shop.app scores reflect public email and transport posture — not whether a receipt inside the app is legitimate. Strong scores on paypal.com or norton.com do not stop scammers from impersonating those brands inside Shop order details.

Audit links:

Priority Actions for IT Teams

  1. Train staff — Shop app receipts require the same skepticism as email invoices; never call numbers embedded in order details.
  2. Separate personal and business mail connected to Shop if possible; review which Gmail/Outlook accounts feed the app.
  3. Document callback-phishing response — if an employee calls a scam number, isolate the device and rotate credentials immediately.
  4. Block remote-access tools not in your approved software catalog (TeamViewer, AnyDesk, etc.) on business endpoints.
  5. Report incidents to phishing@shopify.com and your bank — pattern reporting helps platforms tighten controls.

Protect your organization.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com — and contact EmailMeNow IT Consulting for callback-phishing awareness training and approved-software policies.


Sources: Gen Digital — Fake invoices in shopping apps · BleepingComputer — Shop app callback phishing · CyberInsider coverage · Norton support — shopping app scam warning · EmailMeNow audits — shopify.com