Protect your account against phishing
The term phishing describes identity theft scams involving phony websites and emails or other messages. The goal of a phishing attack is to gain access to your account and sensitive information. An attacker can create their own website that mimics a reputable one or send you a message that seems to come from a trusted source. Phishing messages can come from a fake account or an account that has been hacked.
If you believe you have shared personal information through a suspicious channel and your information and identity is at risk, then follow government guides.
A phishing message might ask you to:
- visit a link
- download a file
- open an attachment.
Malware — malicious software such as worms, trojans, bots, and viruses — can infect your computer or mobile device if you take any of these actions. After your device is infected, an intruder can gain access to your personal information.
Phishing scams can also include direct requests for personal information, such as your bank account credentials.
You might be asked to provide personal information:
- by email or another messaging system
- through a form
- at a fraudulent phone number
- at a phony physical address.
Even a request for you to enter your email address and reset your password can be dangerous.
Forward any phishing messages that you receive to Shopify's safety inbox at email@example.com. By building a record of attacks directed at merchants, Shopify can work to better protect you and your information.
As well as making your Shopify account more secure by enabling two-step authentication, make sure to protect yourself against phishing.
Know the warning signs
You can protect yourself against phishing by understanding the warning signs. Read messages carefully no matter who they appear to come from and scrutinize websites no matter how familiar they seem.
Overly general language
Although phishing can be well researched and tailored to you and your business, general language is a hallmark of phishing scams. Be wary of messages that seem to come from an organization you trust but that open with vague statements:
Likewise, if a message promises an important business or financial opportunity but doesn't include enough detail for you to confirm that the sender knows you, then it might be a scam.
Business messages from personal accounts
Sophisticated attackers can gather enough information from your online presence to create a message that could plausibly come from a real contact:
To send it, they can hack into your contact's business account or create a phony personal account. For example, if the username for your contact Julia's personal email is
juliachan3857, then an attacker might send an email from an account with the username
juliachan9665. This form of attack depends on two factors:
- People send emails from the wrong account by mistake.
- Even if you know Julia's personal email address, then you might not look too closely.
Misspellings, poor grammar, and style variations
Criminals also don't take content style guides as seriously as professional web content writers. As well as typos and grammar errors, variations in the following categories within a single page can show that a website is fraudulent:
Alarmist or overexcited tone
Watch out for time-sensitive requests that try to scare you into acting without thinking. For example, Shopify won't send you a message saying:
Similarly, a message excitedly presenting an offer that seems too good to be true — such as a 90% discount from a travel company as long as you act now — might well be.
URLs that don’t look right
Phishing attempts can include URLs that appear legitimate if you don't look too closely. Many phishing attempts use URLs that have been deliberately chosen to resemble a URL that you're already familiar with. As shown in the table below, if you normally buy swimming attire from Example Apparel at the legitimate URL and you receive an email with a link to the phony URL, then you can tell that it's bogus.
The real URL directs you to a site at the domain
example-apparel.com, which is owned by Example Apparel, and the phony URL directs you to a malicious site at the domain
com-aquatic.net, which is likely owned by criminals.
|Legitimate URL||Phony URL|
Raise concerns using another mode of communication
Speak to the supposed sender of a suspicious message in person or over the phone and resolve concerns about a webpage by talking to someone at the organization.
If you contact the sender by phone, then use a number you have on file or that appears on multiple reputable online sources. For example, if you receive a suspicious request for information from your tax agency by email, then call the agency at the number on last year's tax return. Don't call a number that appears on a suspicious website or email.
Make sure your connection to a website uses HTTPS
When you connect to any website where you could be asked to enter a username and password or other sensitive data, check that a lock icon appears beside the URL in your browser:
The lock icon tells you that the connection to the site is encrypted using the HTTPS protocol. URLs for encrypted connections start with
https:// rather than
http://. Connections that use
http:// send data in plain text, meaning it can be intercepted enroute and read.
Likewise, before clicking a link to anywhere you expect to enter information, make sure that the URL starts with
Open only attachments or links you expect
Don’t interact with attachments, links, or forms unless you are expecting them and know what they contain. Not only can they redirect you to a malicious site designed to steal your information, but they can also infect your device with malware.
When the link text is a URL, make sure that it matches the URL in the link itself. For example, a link written out as
https://help.shopify.com in the body of an email might direct you to a phishing page at another URL:
Many phishing attacks try to take advantage of online banking. If you receive a suspicious email from your bank with a special offer for a line of credit, then don't click the link. Instead, enter your bank's URL yourself in a new window and see if the offer shows up in your account dashboard.
Be careful with public wi-fi
Public wi-fi is convenient when you're on the go, but it provides many different ways for criminals to gain access to your information. You can reduce your risks by taking steps to protect yourself and your data:
Verify hotspot names
An attacker can create their own unencrypted wi-fi hotspot that is named like a reputable one in the same area, such as the network in a coffee shop. If you connect to the phishing hotspot, the attacker can direct you to their own page, where you can be exposed to malware or asked to enter private information.
Before connecting, make sure that the hotspot you plan to use is legitimate. If you can't see the hotspot name posted in an obvious place, then ask an employee.
Disable access points to your device
Even if you have connected to a legitimate public wi-fi hotspot, then you can still be at risk by being on the same network as an attacker. Public wi-fi networks are much less secure than private networks like the one at your home or office:
Protect yourself by turning off file sharing within your network and enabling your firewall before connecting. Even with those precautions, it's still not a good idea to send or receive any sensitive content using a public wi-fi network.
Send and receive sensitive data over a VPN
A virtual private network establishes a secure connection between your device and the VPN company's servers. From there, the VPN servers relay your information to the internet. If an attacker gains access to the data you are transmitting and receiving through a public wi-fi hotspot, then the data is encrypted and not useful to them:
Without a VPN, the most secure option is to avoid transmitting sensitive information over public wi-fi — don't log into your accounts until you get home.
Follow government guides if your personal information is compromised
Personally identifiable information (PII) consists of data that could be used to identify a particular person, or even impersonate them. Types of PII include:
- full name
- email address
- street address
- telephone number
- credit card number
- national identity number (such as SIN, SSN, or passport)
- driver's license
- date of birth.
If you provided personally identifiable information through a suspicious channel, or your Shopify account was compromised, then refer to guides from your government, such as this information from the Canadian and United States governments:
What to do:
File a report:
What to do:
File a report: