Threat actors reportedly abuse Shopify's Shop app for callback phishing attacks. The method inserts fake purchase receipts into user order histories. Fraudulent orders appear legitimate, showing users unrecognized transactions.

The scam aims to deceive users into contacting attackers via provided contact information to dispute fake charges. This initiates a callback phishing scheme. Threat actors then attempt to extract sensitive personal and financial information.

The Shop app serves as a widely used digital shopping assistant, tracking orders from numerous online retailers. This makes the issue a potentially widespread security concern for its user base.