Protect your account against phishing

The term phishing describes identity theft scams involving phony websites and emails or other messages. The goal of a phishing attack is to gain access to your account and sensitive information. An attacker can create their own website that mimics a reputable one or send you a message that seems to come from a trusted source. Phishing messages can come from a fake account or an account that has been hacked.

A phishing message might ask you to complete the following tasks:

  • Visit a link.
  • Download a file.
  • Open an attachment.

Malware — malicious software such as worms, trojans, bots, and viruses — can infect your computer or mobile device if you take any of these actions. After your device is infected, an intruder can gain access to your personal information.

Phishing scams can also include direct requests for personal information, such as your bank account credentials.

Phishing scams might ask you to provide personal information in any of the following ways:

  • By email or another messaging system.
  • Through a form.
  • At a fraudulent phone number.
  • At a phony physical address.

Even a request for you to enter your email address and reset your password can be dangerous.

Know the warning signs

You can protect yourself against phishing by understanding the warning signs. Read messages carefully no matter who they appear to come from and scrutinize websites no matter how familiar they seem.

Overly general language

Although phishing can be well researched and tailored to you and your business, general language is a hallmark of phishing scams. Be wary of messages that seem to come from an organization you trust but that open with vague statements such as Dear account holder.

Likewise, if a message promises an important business or financial opportunity but doesn't include enough detail for you to confirm that the sender knows you, then it might be a scam:

I am Frederick, a banker. Pls contact me asap regarding a possible late relative's inheritance. Can't share much via sms. Email me at the address below.

Business messages from personal accounts

Sophisticated attackers can gather enough information from your online presence to create a message that could plausibly come from a real contact:

Wholesale Pricing Update

Hi Georgia, I just wanted to update you. Here is a spreadsheet of our current wholesale prices: fabric-prices-2016-oct.xls

I hope you were satisfied with the last batch of shirts! Please let me know if you have any questions or concerns.


Julia Chan

Account Manager

Example Fabrics

To send an attack, they can hack into your contact's business account or create a phony personal account. For example, if the username for your contact Julia's personal email is juliachan3857, then an attacker might send an email from an account with the username juliachan9665. This form of attack depends on two factors:

  • People send emails from the wrong account by mistake.
  • Even if you know Julia's personal email address, you might not look too closely at a near match.

Misspellings, poor grammar, and style variations

Criminals don't take content style guides as seriously as professional web content writers. As well as typos and grammar errors, variations in the following categories within a single page can show that a website is fraudulent:

  • spelling.
  • capitalization.
  • numbers.
  • punctuation.
  • formatting.

Alarmist or overexcited tone

Watch for time-sensitive requests that try to scare you into acting without thinking. For example, Shopify won't send you a message saying:

We've had a catastrophic server failure. Respond with your username and password in the next 24 hours or you'll lose access to your store permanently.

Similarly, watch for messages making offers that seem too good to be true, such as a 90% discount from a travel company available only if you act now.

URLs that don’t look right

Phishing attempts can include URLs that appear legitimate if you don't look too closely. Many phishing attempts use URLs that have been deliberately chosen to resemble a URL that you're already familiar with. As shown in the table below, if you normally buy swimming attire from Example Apparel at the legitimate URL and you receive an email with a link to the fake URL, then you can tell that it's a phishing attempt.

The real URL directs you to a site at the domain, which is owned by Example Apparel, and the phony URL directs you to a malicious site at the domain, which is likely owned by criminals.

Characteristics of legitimate and phony URLs
Legitimate URL Phony URL

Raise concerns using another mode of communication

Speak to the supposed sender of a suspicious message in person or over the phone and resolve concerns about a webpage by talking to someone at the organization.

If you contact the sender by phone, then use a number you have on file or that appears on multiple reputable online sources. For example, if you receive a suspicious request for information from your tax agency by email, then call the agency at the number on last year's tax return. Don't call a number that appears on a suspicious website or email.

Make sure your connection to a website uses HTTPS

When you connect to any website where you could be asked to enter a username and password or other sensitive data, check that a lock icon appears beside the URL in your browser.

The lock icon tells you that the connection to the site is encrypted using the HTTPS protocol. URLs for encrypted connections start with https:// rather than http://. Connections that use http:// send data in plain text, meaning it can be intercepted en route and read.

Before clicking a link to anywhere you expect to enter information, make sure that the URL starts with https://.

Don’t interact with attachments, links, or forms unless you are expecting them and know what they contain. Not only can they redirect you to a malicious site designed to steal your information, but they can also infect your device with malware.

When link text is a URL, make sure that it matches the URL in the link itself. For example, a link written out as in the body of an email might direct you to a phishing page at another URL.

Many phishing attacks try to take advantage of online banking. If you receive a suspicious email from your bank with a special offer for a line of credit, then don't click the link. Instead, enter your bank's URL manually in a new window and see if the offer shows up in your account dashboard.
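The link checks described in this section (a host that merely resembles the domain you expect, a plain http:// link, and link text that shows one URL while the link itself points elsewhere), as an added example that is not part of the original article. The email body and the expected domain example-apparel.com are constructed for illustration.

```python
# Added example (not from the original article): audit the links in an HTML email
# for the warning signs above: visible link text that shows one URL while the href
# points elsewhere, plain http:// links, and hosts that only resemble the domain
# you expect. All sample data is constructed for illustration.
import difflib
import re
from urllib.parse import urlparse

# Simplified anchor matcher; good enough for mail bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    """Lower-cased hostname; a bare 'www.x.com/...' is accepted as well."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def is_lookalike(host, expected):
    """True if host is neither expected nor under it, yet is built to resemble it."""
    if host == expected or host.endswith("." + expected):
        return False
    squash = lambda s: "".join(c for c in s if c.isalnum())
    return (squash(expected.split(".")[0]) in squash(host)
            or difflib.SequenceMatcher(None, host, expected).ratio() >= 0.8)

def audit_links(html, expected_domain):
    """Return a list of (href, reason); an empty list means nothing looked off."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host, text = host_of(href), re.sub(r"<[^>]+>", "", text).strip()
        if urlparse(href).scheme == "http":
            findings.append((href, "not HTTPS"))
        if text.startswith(("http://", "https://", "www.")) and host_of(text) != host:
            findings.append((href, "link text shows " + host_of(text)))
        if is_lookalike(host, expected_domain):
            findings.append((href, "lookalike of " + expected_domain))
    return findings

# Constructed sample: one genuine link followed by two phishing-style links.
SAMPLE_EMAIL = """
<a href="https://www.example-apparel.com/orders/123">https://www.example-apparel.com/orders/123</a>
<a href="http://example-apparel.com.account-verify.test/login">https://www.example-apparel.com/login</a>
<a href="https://exampleapparel.com/offer">Claim your 90% discount</a>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL, "example-apparel.com"):
        print(f"{reason:45s} {href}")
```

The first link passes all three checks; the second trips all three, and the third is flagged only as a lookalike, which is exactly the case the table above warns about.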

Be careful with public wi-fi

Public wi-fi is convenient when you're on the go, but it provides many different ways for criminals to gain access to your information. You can reduce your risks by taking steps to protect yourself and your data.

Verify hotspot names

An attacker can create their own unencrypted wi-fi hotspot that is named like a reputable one in the same area, such as the network in a coffee shop. If you connect to the phishing hotspot, the attacker can direct you to their own page, where you can be exposed to malware or asked to enter private information.

Before connecting, make sure that the hotspot you plan to use is legitimate. If you can't see the hotspot name posted in an obvious place, then ask an employee.

Disable access points to your device

Even if you have connected to a legitimate public wi-fi hotspot, you can still be at risk simply by being on the same network as an attacker. Public wi-fi networks are much less secure than private networks like the one at your home or office.

Protect yourself by turning off file sharing within your network and enabling your firewall before connecting. Even with these precautions, it's still not a good idea to send or receive any sensitive content using a public wi-fi network.

Send and receive sensitive data over a VPN

A virtual private network establishes a secure connection between your device and the VPN company's servers. From there, the VPN servers relay your information to the internet. If an attacker gains access to the data you are transmitting and receiving through a public wi-fi hotspot, then the data they see is encrypted between your device and the VPN server and is not useful to them.

Techradar and PC Mag are good places to start if you want to learn how to choose a VPN.

Without a VPN, the most secure option is to avoid transmitting sensitive information over public wi-fi.

Follow government guides if your personal information is compromised

Personally identifiable information (PII) consists of data that could be used to identify a particular person, or even impersonate them. Types of PII include:

  • full name.
  • email address.
  • street address.
  • telephone number.
  • credit card number.
  • national identity number (such as SIN, SSN, or passport).
  • driver's license.
  • date of birth.

If you provided personally identifiable information through a suspicious channel, or your Shopify account was compromised, then refer to guides from your government, such as this information from the Canadian and United States governments.

