Protect your account against phishing, vishing, and smishing
The term phishing describes identity theft scams involving phony websites and emails or other messages. The goal of a phishing attack is to gain access to your account and sensitive information. An attacker can create their own website that mimics a reputable one or send you a message that seems to come from a trusted source. Phishing messages can come from a fake account or an account that has been hacked.
Attackers might also try similar tactics against your account by using vishing (voice phishing) and smishing (SMS or text phishing) to gather sensitive information. Be careful not to provide sensitive information over the phone and not to click potentially compromising links sent through SMS texts. If you suspect that you've received a phishing call or SMS text, then contact Shopify Support immediately.
A phishing message might ask you to complete the following tasks:
- visit a link
- download a file
- open an attachment
- reply with personal information or two-step authentication codes
If you perform any of these actions, then you can infect your computer or mobile device with malware, which is malicious software such as worms, trojans, bots, and viruses. After your device is infected, an attacker can gain access to your personal information.
Phishing scams can also include direct requests for personal information, such as your bank account credentials.
Phishing scams might ask you to provide personal information in the following ways:
- by email or another messaging system
- through a form
- using a fraudulent phone number
- using a phony physical address
Even a request for you to enter your email address and reset your password can be dangerous.
Recognizing legitimate Shopify emails
Shopify will only send emails from official domains such as @shopify.com, @email.shopify.com, @em.shopify.com, and @shopify-billpay.melio.com. Emails from public email services such as Gmail, Yahoo, Apple mail, or Hotmail aren't from Shopify and should be treated as potential phishing attempts.
What to do if you suspect a phishing email
If you accidentally clicked on a link in a phishing email, then take immediate action:
- Change your Shopify account password.
- Activate two-step authentication for added security.
- Contact Shopify Support to check for any unauthorized access to your account.
Signs of a phishing email
Be aware of the following common signs that an email might be a phishing attempt:
- Unexpected emails from free email services.
- Requests for personal information.
- Poor grammar and spelling.
- Urgent or threatening language.
- Links to unfamiliar websites.
Importance of two-step authentication
Activating two-step authentication, also known as two-factor authentication or multifactor authentication, on your Shopify account adds an extra layer of protection to the login process and makes it more difficult for unauthorized users to access your account. This matters especially if you suspect you've received a phishing email. Learn more about securing your account with two-step authentication.
Verify suspicious emails
If you receive an email that looks like it’s from Shopify Support but seems off in any way, then verify its legitimacy:
- Check that the email comes from an official Shopify domain such as @shopify.com, @email.shopify.com, @em.shopify.com, or @shopify-billpay.melio.com.
- Be cautious of any unusual characters or punctuation in the email address.
- When in doubt, contact Shopify Support directly through official channels for confirmation.
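As an added example (not Shopify's own code), here is a small Python check that applies the two points above to a raw From: header: the address domain must exactly match one of the official domains listed on this page, and any non-ASCII or punycode label counts as an unusual character; because a From: header can be forged, this is a screening aid, not authentication. The mapping of Apple mail to icloud.com and the sample addresses are constructed for this example.

```python
from email.utils import parseaddr

# Official Shopify sender domains, as listed on this page.
OFFICIAL_DOMAINS = frozenset({
    "shopify.com",
    "email.shopify.com",
    "em.shopify.com",
    "shopify-billpay.melio.com",
})

# Public mailbox providers named on this page; Shopify never sends from these.
# Assumption: "Apple mail" is taken to mean icloud.com.
PUBLIC_MAILBOX_DOMAINS = frozenset({"gmail.com", "yahoo.com", "icloud.com", "hotmail.com"})


def sender_domain(from_header: str) -> str:
    """Extract the lowercased domain from a raw From: header ('' if none found)."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower().rstrip(".")


def check_sender(from_header: str) -> list[str]:
    """Return red flags for a From: header; an empty list means it passed every check."""
    flags = []
    domain = sender_domain(from_header)
    if not domain:
        return ["no email address found in From: header"]
    # Non-ASCII letters (homoglyphs) or punycode labels count as 'unusual characters'.
    if not domain.isascii() or any(label.startswith("xn--") for label in domain.split(".")):
        flags.append(f"unusual characters in domain {domain}")
    if domain in PUBLIC_MAILBOX_DOMAINS:
        flags.append(f"public email service {domain} is never used by Shopify")
    elif domain not in OFFICIAL_DOMAINS:
        # Exact match only: shopify.com.example.net and shopify-support.com both fail here.
        flags.append(f"{domain} is not an official Shopify sender domain")
    return flags
```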
Know the warning signs
You can protect yourself against phishing by understanding the warning signs. Read messages carefully no matter who they appear to come from and scrutinize websites no matter how familiar they seem.
Vague or general language
Although phishing can be well researched and tailored to you and your business, general language is a hallmark of phishing scams. Be wary of messages that seem to come from an organization that you trust, but that start with vague statements such as Dear account holder.
In addition, if a message promises an important business or financial opportunity, but doesn't include enough detail for you to confirm that the sender knows you, then it might be a scam.
I am Frederick, a banker.
Pls contact me asap regarding a possible late relative's inheritance.
Can't share much via sms. Email me at the address below.
Business messages from personal accounts
Sophisticated attackers can gather enough information from your online presence to create a message that could plausibly come from a real contact.
Wholesale Pricing Update
Hi Georgia:
I just wanted to update you. Here is a spreadsheet of our current wholesale prices: fabric-prices-october.xls
I hope you were satisfied with the last batch of shirts! Please let me know if you have any questions or concerns.
Julia Chan
Account Manager
Example Fabrics
Attackers can hack into your contact's business account or create a phony personal account to send a phishing email message. For example, if the username for your contact Julia's personal email is juliachan3857, then an attacker might send an email message from an account with the username juliachan9665. This form of attack relies on the following behaviors:
- People often send email messages from the wrong account by mistake.
- Even if you know Julia's personal email address, you might not look too closely and notice the difference.
Alarming or overexcited tone
Be aware of time-sensitive requests that try to scare you into acting without thinking. For example:
We've had a catastrophic server failure. Respond with your username and password in the next 24 hours or you'll lose access to your store permanently.
Email messages might make offers that seem too good to be true, such as a 90% discount from a travel company available only if you act now.
Misspellings, poor grammar, and style variations
Although a fraudulent website or email message might look professional, there might be typographical and grammar errors. To determine whether a website or email message might be fraudulent, look for incorrect use or inconsistencies in the following:
- spelling
- capitalization
- numbers
- punctuation
- formatting
Suspicious URLs
Phishing attempts can include URLs that seem to be legitimate if you don't look too closely. Many phishing attempts use URLs that have been deliberately chosen to resemble a URL that you're already familiar with. For example, if you usually buy swimming attire from Example Apparel at the legitimate URL below and you receive an email message with a link to the phony URL, then comparing the two tells you that the email message is a phishing attempt.
The real URL directs you to a site at the domain example-apparel.com, which is owned by Example Apparel, and the phony URL directs you to a malicious site at the domain com-aquatic.net, which is likely owned by criminals.
| Legitimate URL | Phony URL |
|---|---|
| example-apparel.com/aquatic/swimmies | example-apparel.com-aquatic.net/swimmies |
Shopify and requests for sensitive documents
Shopify never asks you for sensitive information directly through an email message, whether as text, as an image, or as a file attachment.
The following are examples of sensitive documents:
- any form of identification
- passwords
- credit card information
- banking information
- national identity numbers, such as SIN (social insurance number) or SSN (social security number)
Shopify only requests that you submit sensitive documents through a secure upload page whose address starts with app.shopify.com or ends with .shopify.com.
Raise concerns using another mode of communication
Speak to the supposed sender of a suspicious message in person or over the phone and resolve concerns about a webpage by talking to someone at the organization.
If you contact the sender by phone, then use a number that you have on file or that's displayed on multiple reputable online sources. For example, if you receive a suspicious request for information from your tax agency by email, then call the agency at the number on last year's tax return. Don't call a number that's displayed on a suspicious website or in an email message.
Verify that your connection to a website uses HTTPS
When you connect to any website where you could be asked to enter a username and password or other sensitive data, verify that a lock icon displays beside the URL in your browser.
The lock icon tells you that the connection to the site is encrypted using the HTTPS protocol. URLs for encrypted connections start with https:// rather than http://. Connections that use http:// send data in plain text, which means that it can be intercepted en route and read.
Before you click a link to anywhere that you expect to enter information, verify that the URL starts with https://.
Only open attachments or links that you expect to receive
Don't interact with attachments, links, or forms unless you're expecting them and know what they contain. Not only can they redirect you to a malicious site designed to steal your information, but they can also infect your device with malware.
When link text is a URL, verify that it matches the URL in the link itself. For example, a link written out as https://help.shopify.com in the body of an email might direct you to a phishing page at another URL.
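The checks in this section, in Suspicious URLs, and in the HTTPS section can be mechanized; the following Python is an added example (not Shopify's code) that tests a link's host against the legitimate domain on a label boundary (so example-apparel.com-aquatic.net does not pass for example-apparel.com), requires https://, and flags link text that shows a different host from the real target. The domain names are the page's own examples plus constructed ones such as login.example.net.

```python
from urllib.parse import urlsplit


def split_url(url: str) -> tuple[str, str]:
    """Return (scheme, lowercased host) for a URL; a bare 'host/path' gets scheme ''."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.scheme.lower(), (parts.hostname or "").rstrip(".")


def belongs_to(host: str, legitimate_domain: str) -> bool:
    """True only if host is legitimate_domain or a subdomain of it.

    The dot boundary is what defeats look-alikes: 'example-apparel.com-aquatic.net'
    contains the legitimate name but does not end with '.example-apparel.com'.
    """
    legit = legitimate_domain.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def looks_like_url(text: str) -> bool:
    """Link text such as 'https://help.shopify.com' is a URL; 'Our shop' is not."""
    return bool(text) and "." in text and not any(ch.isspace() for ch in text)


def check_link(href: str, legitimate_domain: str, link_text: str = "") -> list[str]:
    """Return red flags for a link; an empty list means it passed every check."""
    flags = []
    scheme, host = split_url(href)
    if scheme != "https":
        flags.append("target is not https://")
    if not belongs_to(host, legitimate_domain):
        flags.append(f"target host {host} is not {legitimate_domain} or a subdomain of it")
    # Visible text that is itself a URL must name the same host as the real target.
    if looks_like_url(link_text):
        text_host = split_url(link_text)[1]
        if text_host != host:
            flags.append(f"link text shows {text_host} but target is {host}")
    return flags
```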
Many phishing attacks try to take advantage of online banking. If you receive a suspicious email message from your bank with a special offer for a line of credit, then don't click the link. Instead, enter your bank's URL manually in a new window and check whether the offer displays in your account dashboard.
Be careful when you use public Wi-Fi
Public Wi-Fi is convenient when you're not at home or at work, but it provides many different ways for attackers to gain access to your information. You can reduce your risks by taking steps to protect yourself and your data.
Verify hotspot names
An attacker can create their own unencrypted Wi-Fi hotspot whose name is similar to that of a reputable one in the same area, such as the network in a coffee shop. If you connect to the phishing hotspot, then the attacker can direct you to their own page, where you can be exposed to malware or asked to enter private information.
Before you connect to a hotspot, make sure that the hotspot that you plan to use is legitimate. If you can't find the hotspot name posted in an obvious place, then ask an employee at that location.
Deactivate access points to your device
Even if you have connected to a legitimate public Wi-Fi hotspot, you can still be at risk by being on the same network as an attacker. Public Wi-Fi networks are much less secure than private networks, such as the one at your home or office.
Protect yourself by turning off file sharing within your network and by activating your firewall before connecting. Even with these precautions, it's still not a good idea to send or receive any sensitive content using a public Wi-Fi network.
Only send and receive sensitive data over a VPN
A virtual private network establishes a secure connection between your device and the VPN company's servers. From there, the VPN servers relay your information to the internet. If an attacker intercepts the data that you transmit and receive through a public Wi-Fi hotspot, then that data is encrypted and not useful to them.
Techradar and PC Mag are good places to start if you want to learn how to choose a VPN.
Without a VPN, the most secure option is to avoid transmitting sensitive information over public Wi-Fi.
Follow government guidelines if your personal information is compromised
Personally identifiable information (PII) consists of data that could be used to identify a particular person, or even impersonate them. PII includes the following types of information:
- full name
- email address
- street address
- telephone number
- credit card number
- national identity number, such as SIN, SSN, or passport
- driver's license
- date of birth
If you provided personally identifiable information through a suspicious channel, or your Shopify account was compromised, then refer to guides from your government, such as this information from the Canadian and United States governments.