Threat actors are adding fake purchase receipts to the Shop app to trick users into calling scammers, who then steal sensitive data or install remote access software.
You might think that seeing a purchase receipt in your order-tracking app is a harmless thing. But threat actors are now exploiting that trust by using Shop, the popular order-tracking app from Shopify, to push callback phishing attacks. They're adding fake purchase receipts to users' order histories, tricking them into handing over sensitive data or installing remote access software. It's a clever twist on an old scam, and it's happening more often than you'd think.
Here's how it works: you get a notification that looks like a legitimate order from Shop. Maybe it's for a high-ticket item like a $500 laptop or a $200 pair of sneakers. The receipt includes a customer support number to call if there's an issue. But when you dial that number, you're not talking to a real company—you're connected to a scammer who pretends to help. They'll ask for your credit card details, login credentials, or even convince you to download remote access software like TeamViewer or AnyDesk. Once they're in, they can steal your identity, drain your bank account, or lock you out of your devices.
### Why This Attack Works
This phishing method is effective because it plays on our habits. Most of us don't double-check every notification from an app we trust. Shop is a legitimate service used by millions of people in the United States, so when a fake receipt pops up, it feels real. The scammers also use social engineering tactics: they create a sense of urgency by claiming your order is delayed or your payment failed. You're more likely to call that number quickly without thinking.
What makes callback phishing different from traditional email phishing is that it bypasses many security filters. Email providers have gotten good at catching suspicious links. But a phone call? That's harder to block. And because the initial contact comes through a trusted app, you're already in a vulnerable mindset.
### How to Protect Yourself
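- **Don't call numbers in unsolicited receipts.** If you get a notification about an order you didn't place, don't use the phone number provided. Instead, open the Shop app directly and check your order history. If it's not there, ignore it. Because the fake receipts described above are added to the order history itself, an entry that does appear there is not proof of a real purchase; confirm it against your bank or card statement before doing anything else.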
- **Verify through official channels.** If you're concerned about a charge, contact the retailer directly using a number from their official website—not the one in the notification.
- **Never install remote access software for a stranger.** Legitimate customer support will never ask you to download TeamViewer or AnyDesk. If someone does, hang up immediately.
- **Enable two-factor authentication.** This adds an extra layer of security to your accounts, even if a scammer gets your password.
- **Monitor your accounts regularly.** Check your bank and credit card statements for unauthorized charges. Report anything suspicious right away.
> "The scammers are getting smarter, but you can stay ahead by staying skeptical. If something feels off, it probably is."
### The Bigger Picture for Privacy Professionals
For those of us working in digital privacy and antidetect browser solutions, this attack highlights a growing trend: threat actors are moving beyond email and into trusted third-party apps. Shop is just one example. We're seeing similar tactics on delivery tracking apps, food ordering platforms, and even ride-sharing services. The common thread is that these apps have access to your personal data and your trust.
Using an antidetect browser can help protect your online identity in these scenarios. By masking your browser fingerprint and isolating your sessions, you reduce the risk of being tracked or targeted based on your browsing habits. It's not a silver bullet, but it's a powerful tool in your privacy arsenal.
### Final Thoughts
Callback phishing through the Shop app is a reminder that no platform is immune to abuse. Stay vigilant, question unexpected notifications, and always verify before you act. Your privacy depends on it.