This is not related to Shopify specifically, but came to our attention when one of our clients customer experienced this, and it's new to us (though probably not 'new'... The reason for drawing attention to it is that it coincided with the customer making a purchase from our client, and she used her mobile phone for shipping updates; she then, completely coincidentally, was hit by the phishing attempt and the customer thought it was related to her recent purchase from Shopify. It was not, but I'm copying here for info, just in case it is new - our client was spooked that Shopify had leaked or been hacked.
The working of the SMS (name removed for privacy) is (from number 46793):
If clicked, it resolves to a very plausible looking shipping site with a further button to click; I haven't explored that further, but guessing that the second button will have either a payload, or take the user to a payment screen.