Shopify Discussions

I received confirmation that the email sent is in fact sent from Shopify.  

I received the same thing as well. Working on how to handle it. I was wondering if this is an automated message if a store is opened for a certain period of time. When did you first launch your shopify store?

I've had my website for almost 4 years now.  

Wow. Iv had mine for 2. What are your possible plans of action here? 

I had a few products that I thought were borderline infringement so I will just remove them.   The Attestation for the sale of branded or trademarked products link in the email goes to a form you need to fill out.  For me I will just check off that I have deleted the products.  If you have documentation that you have the right to sell branded products then you would have to show them proof of that.  

Ok, very interesting. Do you others that went through the rest of the process? And know what the end result was? (Meaning is this a shopify PAYMENTS issue, or selling on shopify altogether?)

I don't think it has anything to do with Shopify payments.  Either someone reported your website or Shopify stumbled upon it and noticed that the item you are selling is branded with a trademark.  They want to make sure that you are authorized to be a distributor for that product.  If you are not then legally you are not allowed to sell it and the item has to be removed.  That's how I understand it.   

If you are authorized then supplying them with paperwork that says so should clear up your issue.

I got this email as well and I am a Fabric Retail Store with an actual physical store in Ontario Canada and since the pandemic I opened an online store to survive.   I purchase all my products through wholesalers based in Canada and I have always done this.   There is no other way for retailers to do business.  So I am not sure why I was flagged.  If for whatever reason after completing the attestation report they make a hasty decision to close my store I would like enough notice to move it to another hosting company.  I have a lot of product online and would not like to have to redo everything.  I  am actually a little worried about this and think that I should start looking to move my store elsewhere.  Can't afford to have them shut it down and not have any access.   Anyone know what brought this on??

@fabrics From my understandings reading this thread, I think you can always use another payment gateway like Paypal, Stripe or Authorized.net. That's in the case that the risk department won't like to process your payments. In your place, I won't be worried, unless you are selling high ticket items with a big risk of chargebacks.

Hi @LoriJean67 

Was any further action taken once you removed your products? Any further details you can provide on this after checking the last box would be appreciated! Thanks 

No further action at this time, but also no idea how long it takes them to process through such things.

Did they say they are reviewing it and will get back to you? Or was there no conclusion? 

I sent them an email reply and they were brief but courteous. They said no further action required. I did not remove my product because the name is merely a coincidence. I'm not stepping on any trademarks.

Hi Shay and other Shopify support team members; specifically targeting GRC.

Am an senior Information Security professional, CISSP #431307. I have conducted many (1000+) of these social engineering techniques to get people to give up information.

This particular format of an email is called Spear Phishing which uses key areas.

1. Claims to be from a reputable source
2. Is tailored and targeted by referencing a specific item the recipient would know.
3. Adds a sense of urgency by stating the store would be shut down.
4. Hides the true site by using a link.
5. Adds "legitimacy" by referencing a legal site as well as a ticket number.

The email that has been sent out to everyone, literally checks all of the boxes used in the spear phishing attack arsenal.

As an InfoSec professional, I knew to immediately contact support. That is even with possessing the technical ability to review email headers and safely investigate the url in the link sent. Not everyone has that luxury of understanding these attack signatures.

In that light, the Shopify GRC team should know better and should be a responsible net-citizen, not contributing to the behavior of bad actors.

Hence, my recommendation would be two fold.

1. As Shay and others pointed out, place this message in the Admin console.
2. Send out a notification email (with no links in it), requesting the person log into their Admin console to take action. Direct them where in the portal to take action.

Michael B. Morell, CISSP #431307
Information Security Professional and Evangelist
DirectionWeb Inc.

Am I the only one less than convinced about the wisdom of just signing such a document.? Shopify seems to be pushing very hard with the 'you're best to just sign it' without offering any info about why a particular store has been flagged and what evidence they are willing to supply to reinforce the demand that you sign.

My email, like most of the others, said it 'appears' that you selling branded etc etc. I replied telling them that I'm not and their only reply was to block access to my admin. 

@Smorris88  No further action was taken.  My store is still up and running after I removed the product that was violating the trademark issue.

I have vintage webshop and got the same email 2 days ago. I am stressed out and don't know what to do. I see that you can select the option "I sell used authentic products", maybe is that an option for the vintage sellers? Please let me know if anyone has an idea..

how did you know which product is trademark ?

If you are selling branded items and do not have a license to sell them then I would say those are the items you need to remove.

Hey after you removed the products that were trade marked did shopify uplift your payment holds or did they just refund all the customers?

Shopify never put any payment holds on my account.  I complied to their request before the date they gave me and it was business as usual.

Thank you @Shay for clearing that up for us.

Thanks @Shay , for your clear explanation!

Just got thiz email.

I sell used video games so I'm thinking that maybe its because I have Nintendo, PlayStation Xbox etc.

I do however have a resellers licensd plus a permit to buy and sell (pawn shop type license)

Am I ok with that?

If you have paperwork that allows you to sell branded material then you will most likely have to show them that paperwork.  Follow the link in the email.  You have various options to choose from when you reply to their email so select the option that pertains to your situation.  

Hello Sir;

I am wondering how it is illegal to sell branded or trademarks online if I bought it legally and it is authentic goods? what happened to the "First Sale Doctrine" law??

it was clear that you are not required  or need a reseller license or permit to resell authentic products you bought legally:

The First Sale Doctrine in Trademark Law

The first sale doctrine allows the resale of items bearing a trademark, such as a logo or brand name, after the trademark owner has sold those items, unless this is likely to confuse or deceive consumers. The U.S. Supreme Court applied the first sale doctrine to trademark law in Prestonettes, Inc. v. Coty, 264 U.S. 359 (1924).

The defendant in Prestonettes bought a product from the plaintiff, packaged it with other ingredients, and sold it to consumers. The packaging for the defendant’s product used the plaintiff’s trademarked name to indicate that the plaintiff’s product was included. The court held that this did not violate the plaintiff’s trademark rights.

As we understand you trying to protect consumers from fake products and protect yourselves from possible law suits from Trademark owners, This is very important topic for lot of stores that got affected by Shopify actions, , but  please advise us regarding this matter with much appreciation.

It does seem that many intellectual property holders have begun to be abusing the guidelines of the First Sale Doctrine. I recognize the very real concerns of black and grey market material from overseas factories producing an excess of licensed properties. We sell licensed products (largely Star Wars and Star Trek), but most of these items have been out of production for 30+ years and have been purchased on the secondary market from collectors or old shop stock. I received this form email today, with reference to a specific product they have now removed. 

Reading over the form, I can truthfully attest that we are within acceptable boundaries on this. But if Shopify starts going the direction of Amazon with this and requiring us to provide invoices to prove we are somehow approved to sell items from companies that often no longer exist, this would shut us down. We have largely moved off Amazon as a platform since it simply isn't possible (not just for us, but any vendor) to prove an original purchase invoice for a product that hasn't been in production for 20 years. 

Hi @Jaime_Chamberla 

This is great feedback and I want to know that it is being heard loud and clear. 

I wanted to expand a bit on my earlier post and take the time to share the difference between allowing these products to be sold while using Shopify as your platform and allowing Shopify Payments to be the payment processor for these orders.

Because the naming of our payment gateway is similar to the name of our platform, there can sometimes be honest confusion between the two of them when it comes to sensitive matters like this. Shopify, the platform, does allow the sale of trademarked items, high value items, branded items, etc as long as they follow our acceptable use guide and terms of service and are not illegally gained. 

Shopify Payments, the payment gateway many merchants have enabled on their store during their setup, has it's own set of rules and terms of service. 

High value and trademarked items like Louis Vuitton, Chanel, Fenty, etc, can be considered high risk merchandise as there could be an increased chance of receiving a chargeback on the order, a high risk of a merchant trying to sell fraudulent versions of the products as real and more. Shopify Payments, and the banking partners that power Shopify Payments, have the right to refuse to process orders of certain types of products. As independent banking institutes they can say what type of orders they want to process and what types they don't want. I recognize that can be incredibly not ideal when you've started selling and your payment gateway is removed after the fact. 

I would encourage merchants selling products like these to strongly consider the payment gateway they are using and if Shopify Payments is the right gateway for your business. Even if the gateway itself is not, that doesn't mean that your business is not welcome on the Shopify platform. 

---

@khaldone 

You referenced the The First Sale Doctrine in Trademark Law in your post and asked that we speak to that. While I wish I was able to, I can't speak to that as I am not a trained legal professional or a lawyer. If you feel that this doctrine of the trademark law is not being considered appropriately you are welcome to email our legal team directly at legal@shopify.com or ask your legal representative to do so. 

---

@keoholo 

Welcome to the community forums and thank you for also sharing your experience here. I just wanted to assure you that there isn't a need to panic about receiving this notification. I know that these messages can be intimidating to receive and the wording can come across as stern or cold as they need to follow a specific legal guideline. If you have questions please let me know and I'll do my best to answer them for you.

@Shay Thank you for getting back. So as I mentioned I was panic and submitted a few attestations ( I was accidentally marked all the box for the first couple times) Will the Trust and Safety Team will see my other submissions? I deleted the product, and reviewed all of my products. I really hope that they don't take my account down.   

I understand your concern @keoholo. I would recommend replying back to the email that was sent to you and let them know they the first few submissions were incorrectly filled out and which attempt was the correct one for them to review. 

Any replies to the email you received from them go straight back to your risk analyst that is handling your case. They can only communicate through email so replying back that way is the best option. You can also reach out to our live support and ask them to add a note to your ticket for your risk agent as well, but that is not necessary if you are able to send them an email reply. 

@Shay Thank you so much for your help! 

Shay,

 Why am I not seeing any of my posts here? It seems you aren't seeing them either because you're not replying to me when you reply to each of the others posting. Are they being flagged? My question isn't about needing to complete a legitimate form. My concern is that I have received a phishing email because the link to the Attestation form is a crazy URL, not Shopify.com based. 

Hi @daniel_long 

Thanks for tagging me! I'm not sure if I missed your earlier messages but luckily I caught this one.

If you are unsure and wish to validate the email you received I would recommend reaching out to our live support and share your unique ticket ID code with them. These types of emails have tickets numbers that are much longer than our traditional ticket numbers as they are managed by a different team. 

To contact our live support please follow this link: Shopify Help Center - Contact Support, sign into your store account, search for "legal ticket" and use the contact support button at the bottom of the search results to see all our live support options. 

I can appreciate your concern about this email being legitimate and I have submitted official feedback to our developers and trust and safety team with everyone's thoughts and suggestions on this topic as well. 

Shay,

The system had flagged my posts as Spam. Looks like they've been released from purgatory now.

I followed your suggestions and it's been cleared up. Thank you! Yes, it's legit and a real request from the legal department at Shopify. i added in the chat to request that they stop making their important emails look like phishing attempts.

Hi @keoholo 

Was any further action taken once you removed your products? Any further details you can provide on this after checking the last box would be appreciated! 

Shay, thanks for responding. To clarify, I've read the message several times and it seems related to the Shopify platform broadly, not just Shopify Payments. 

@Jaime_Chamberla - As each situation and store is unique and I don't have direct access to the email you received, I am not able to confirm that for you. I would recommend replying back to the email and ask if that is the case for your store at this time. 

You can also reach out to our live support and they may be able to review the ticket and the communication you received and help you translate what it could impact on your store. Please note that some communications on topics like this are handled by a separate team, meaning that our front line support won't be able to review the ticket or the message within. 

If you have any questions about the content of your communications with our escalated teams please don't hesitate to reply back and ask for additional clarification.

I got this email this morning also.  I have got to say I am not comfortable clinking any link on that email. It looks like a total phishing email to me.  When this is addressable through my Shopify sellers console I will be comfortable responding to this request.  

Don't wait for it to happen any time soon. They can shut you down. I went through a lengthy process to confirm it and it's legitimate. 

Wow, Shopify confirmed my ticket ID through chat and it's alphanumeric with dashes. 

You click the link and the first thing it asks to fill in all your information.  If it is legit it is pretty absurd for us to trust an email that looks exactly like a phishing email then the first step is to enter all your personal information. 

I'm shocked the others on this thread were comfortable doing just that. 

I agree. It is unprofessional of them and absurd. I spent a lot of my own time making sure it was legit before completing the form. As you said, it should be from within the Shopify admin where other important notices and action requests are posted.

No way I was going to click on a link with such a hinky URL.