I’ve at times received scammy, fake emails trying to be Shopify. But I’m not sure if this one is legitimate. Any help or recommendations? I can’t have my store shut down. It’s the sole income for my husband and me.
email is from
I sent them an email reply and they were brief but courteous. They said no further action required. I did not remove my product because the name is merely a coincidence. I'm not stepping on any trademarks.
This is an accepted solution.
Hi everyone! Thank you again for all your feedback on this topic. Please continue to add it to this thread and I will make sure to add a like to your feedback to let you know that it has been received. I fully support the idea of adding these communications into the admin as well and I hope we can make that happen.
To help with any confusion surrounding tickets of this type, the ticket ID for many of them will be formatted like this:
It will be a mix of letters and numbers and is different from the ticket numbers you would receive from our standard support. Our standard ticket numbers are only numerical and are around 8-10 numbers long. Tickets that match the format above are handled by a separate team and our live support doesn't have direct access to the content of these tickets. With the ticket number, though, they should be able to confirm if this ticket is legitimate.
I am going to mark this response as the "Solution" so that other merchants in a similar situation can find this information easier. Please continue to add your feedback to this thread and I will make sure it is passed along on your behalf.
Hi Shay and other Shopify support team members; specifically targeting GRC.
I am a senior Information Security professional, CISSP #431307. I have conducted many (1000+) of these social engineering techniques to get people to give up information.
This particular format of an email is called Spear Phishing, which uses key areas.
1. Claims to be from a reputable source
2. Is tailored and targeted by referencing a specific item the recipient would know.
3. Adds a sense of urgency by stating the store would be shut down.
4. Hides the true site by using a link.
5. Adds "legitimacy" by referencing a legal site as well as a ticket number.
The email that has been sent out to everyone literally checks all of the boxes used in the spear phishing attack arsenal.
As an InfoSec professional, I knew to immediately contact support. That is even with possessing the technical ability to review email headers and safely investigate the URL in the link sent. Not everyone has that luxury of understanding these attack signatures.
In that light, the Shopify GRC team should know better and should be a responsible net-citizen, not contributing to the behavior of bad actors.
Hence, my recommendation would be twofold.
1. As Shay and others pointed out, place this message in the Admin console.
2. Send out a notification email (with no links in it), requesting the person log into their Admin console to take action. Direct them where in the portal to take action.
Michael B. Morell, CISSP #431307
Information Security Professional and Evangelist
Am I the only one less than convinced about the wisdom of just signing such a document? Shopify seems to be pushing very hard with the 'you're best to just sign it' without offering any info about why a particular store has been flagged and what evidence they are willing to supply to reinforce the demand that you sign.
My email, like most of the others, said it 'appears' that you are selling branded etc etc. I replied telling them that I'm not and their only reply was to block access to my admin.
I have a vintage webshop and got the same email 2 days ago. I am stressed out and don't know what to do. I see that you can select the option "I sell used authentic products", maybe that is an option for the vintage sellers? Please let me know if anyone has an idea.