Shopify Discussions

I sent them an email reply and they were brief but courteous. They said no further action required. I did not remove my product because the name is merely a coincidence. I'm not stepping on any trademarks.

Hi Shay and other Shopify support team members; specifically targeting GRC.

Am an senior Information Security professional, CISSP #431307. I have conducted many (1000+) of these social engineering techniques to get people to give up information.

This particular format of an email is called Spear Phishing which uses key areas.

1. Claims to be from a reputable source
2. Is tailored and targeted by referencing a specific item the recipient would know.
3. Adds a sense of urgency by stating the store would be shut down.
4. Hides the true site by using a link.
5. Adds "legitimacy" by referencing a legal site as well as a ticket number.

The email that has been sent out to everyone, literally checks all of the boxes used in the spear phishing attack arsenal.

As an InfoSec professional, I knew to immediately contact support. That is even with possessing the technical ability to review email headers and safely investigate the url in the link sent. Not everyone has that luxury of understanding these attack signatures.

In that light, the Shopify GRC team should know better and should be a responsible net-citizen, not contributing to the behavior of bad actors.

Hence, my recommendation would be two fold.

1. As Shay and others pointed out, place this message in the Admin console.
2. Send out a notification email (with no links in it), requesting the person log into their Admin console to take action. Direct them where in the portal to take action.

Michael B. Morell, CISSP #431307
Information Security Professional and Evangelist
DirectionWeb Inc.

Am I the only one less than convinced about the wisdom of just signing such a document.? Shopify seems to be pushing very hard with the 'you're best to just sign it' without offering any info about why a particular store has been flagged and what evidence they are willing to supply to reinforce the demand that you sign.

My email, like most of the others, said it 'appears' that you selling branded etc etc. I replied telling them that I'm not and their only reply was to block access to my admin. 

@Smorris88  No further action was taken.  My store is still up and running after I removed the product that was violating the trademark issue.

I have vintage webshop and got the same email 2 days ago. I am stressed out and don't know what to do. I see that you can select the option "I sell used authentic products", maybe is that an option for the vintage sellers? Please let me know if anyone has an idea..

how did you know which product is trademark ?

If you are selling branded items and do not have a license to sell them then I would say those are the items you need to remove.