Is this a legitimate email from Shopify?

HotHeadstalls

I’ve at times received scammy, fake emails trying to be Shopify. But I’m not sure if this one is legitimate. Any help or recommendations? I can’t have my store shut down. It’s the sole income for my husband and me.

The email is from risk-management@shopify.com


Smorris88

Did they say they are reviewing it and will get back to you? Or was there no conclusion? 

daniel_long

I sent them an email reply and they were brief but courteous. They said no further action required. I did not remove my product because the name is merely a coincidence. I'm not stepping on any trademarks.

Shay
Shopify Staff

This is an accepted solution.

Hi everyone! Thank you again for all your feedback on this topic. Please continue to add it to this thread and I will make sure to add a like to your feedback to let you know that it has been received. I fully support the idea of adding these communications into the admin as well and I hope we can make that happen. 

To help with any confusion surrounding tickets of this type, the ticket ID for many of them will be formatted like this:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (8/4/4/4/12)

It will be a mix of letters and numbers and is different from the ticket numbers you would receive from our standard support. Our standard ticket numbers are only numerical and are around 8-10 numbers long. Tickets that match the format above are handled by a separate team and our live support doesn't have direct access to the content of these tickets. With the ticket number they should be able to confirm though if this ticket is legitimate.

I am going to mark this response as the "Solution" so that other merchants in a similar situation can find this information easier. Please continue to add your feedback to this thread and I will make sure it is passed along on your behalf. 

Shay | Social Care @ Shopify 

MorellCISSP

Hi Shay and other Shopify support team members; specifically targeting GRC.

I am a senior Information Security professional, CISSP #431307. I have conducted many (1000+) of these social engineering techniques to get people to give up information.

This particular format of an email is called Spear Phishing which uses key areas.

1. Claims to be from a reputable source
2. Is tailored and targeted by referencing a specific item the recipient would know.
3. Adds a sense of urgency by stating the store would be shut down.
4. Hides the true site by using a link.
5. Adds "legitimacy" by referencing a legal site as well as a ticket number.

The email that has been sent out to everyone literally checks all of the boxes used in the spear phishing attack arsenal.

As an InfoSec professional, I knew to immediately contact support. That is even with possessing the technical ability to review email headers and safely investigate the url in the link sent. Not everyone has that luxury of understanding these attack signatures.

In that light, the Shopify GRC team should know better and should be a responsible net-citizen, not contributing to the behavior of bad actors.

Hence, my recommendation would be twofold.

1. As Shay and others pointed out, place this message in the Admin console.
2. Send out a notification email (with no links in it), requesting the person log into their Admin console to take action. Direct them where in the portal to take action.

Michael B. Morell, CISSP #431307
Information Security Professional and Evangelist
DirectionWeb Inc.
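
The header review and link check mentioned in the post above can be scripted for a saved message. This is an added example, not part of the original post or any Shopify tooling; the sample message, the `example.com`/`example.net` hosts and the `triage` and `LinkCollector` names are constructed for illustration, and it assumes the message has an HTML body and an `Authentication-Results` header written by your own mail provider.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message (not the email discussed in this thread).
SAMPLE = """\
From: Shopify Risk <risk-management@shopify.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=shopify.com
Content-Type: text/html; charset=utf-8

<p>Your store will be closed.
<a href="https://forms.example.net/verify">https://www.shopify.com/legal</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlparse(url).hostname or "").lower()

def triage(raw):
    """Return findings; an empty list is not proof of legitimacy."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    # Trust Authentication-Results only when your own mail server added it.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    findings = [] if auth.get("dmarc") == "pass" else [f"DMARC did not pass for {from_domain}"]
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        target = host(href)
        shown = host(text) if text.startswith("http") else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
        if target != from_domain and not target.endswith("." + from_domain):
            findings.append(f"link host {target} is outside {from_domain}")
    return findings
```

Calling `triage(SAMPLE)` reports the failed DMARC result and the link whose visible text and destination differ; a message that produces no findings still needs to be confirmed with support using the ticket number.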

Hellwood_Outfit

Am I the only one less than convinced about the wisdom of just signing such a document? Shopify seems to be pushing very hard with the 'you're best to just sign it' without offering any info about why a particular store has been flagged and what evidence they are willing to supply to reinforce the demand that you sign.

My email, like most of the others, said it 'appears' that you are selling branded etc etc. I replied telling them that I'm not and their only reply was to block access to my admin.

https://hellwoodoutfitters.com

LoriJean67

@Smorris88  No further action was taken.  My store is still up and running after I removed the product that was violating the trademark issue.

ThriftOn

I have a vintage webshop and got the same email 2 days ago. I am stressed out and don't know what to do. I see that you can select the option "I sell used authentic products", maybe that is an option for the vintage sellers? Please let me know if anyone has an idea.

mehdi_elb

How did you know which product is trademarked?

LoriJean67

If you are selling branded items and do not have a license to sell them then I would say those are the items you need to remove.