What's your biggest current challenge? Have your say in Community Polls along the right column.

Re: Is this a legitimate email from Shopify?

Solved

Is this email from risk-management@shopify.com legitimate?

HotHeadstalls
Visitor
2 0 0

I’ve at some times received scammy emails  fake emails trying to be Shopify’. But I’m not sure is this one is legitimate. Any help or recommendations? I can’t have my store shut down. It’s the sole income for my husband and I.

email is from 

risk-management@shopify.com

01A563F9-58B7-45DB-974E-6F2906113EFA.png

Accepted Solution (1)
Shay
Shopify Staff (Retired)
3110 472 654

This is an accepted solution.

Hi everyone! Thank you again for all your feedback on this topic. Please continue to add it to this thread and I will make sure to add a like to your feedback to let you know that it has been received. I fully support the idea of adding these communications into the admin as well and I hope we can make that happen. 

To help with any confusion surrounding tickets of this type, the ticket ID for many of them will be formatted like this:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (8/4/4/4/12)

It will be a mix of letters and numbers and is different from the tickets numbers you would receive from our standard support. Our standard ticket numbers are only numerical and are around 8-10 numbers long. Tickets that match the format above are handled by a separate team and our live support doesn't have direct access to the content of these tickets. With the ticket number they should be able to confirm though if this ticket is legitimate. 

I am going to mark this response as the "Solution" so that other merchants in a similar situation can find this information easier. Please continue to add your feedback to this thread and I will make sure it is passed along on your behalf. 

Shay | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

View solution in original post

Replies 53 (53)

Darkruler
Excursionist
14 0 11

I received this email this AM and shopify chat confirmed mine is real. It has the exact same wording as yours. I actually made a post about it and another seller also said they received it.

LoriJean67
Excursionist
15 0 4

I received one also.  I sent a screenshot to Shopify Support and I'm waiting for them to confirm it for me.  I'll post as soon as I hear back from them.  

LoriJean67
Excursionist
15 0 4

I received confirmation that the email sent is in fact sent from Shopify.  

Sjstyles
Tourist
4 0 1

I received the same thing as well. Working on how to handle it. I was wondering if this is an automated message if a store is opened for a certain period of time. When did you first launch your shopify store?

LoriJean67
Excursionist
15 0 4

I've had my website for almost 4 years now.  

Sjstyles
Tourist
4 0 1

Wow. Iv had mine for 2. What are your possible plans of action here? 

LoriJean67
Excursionist
15 0 4

I had a few products that I thought were borderline infringement so I will just remove them.   The Attestation for the sale of branded or trademarked products link in the email goes to a form you need to fill out.  For me I will just check off that I have deleted the products.  If you have documentation that you have the right to sell branded products then you would have to show them proof of that.  

Sjstyles
Tourist
4 0 1

Ok, very interesting. Do you others that went through the rest of the process? And know what the end result was? (Meaning is this a shopify PAYMENTS issue, or selling on shopify altogether?)

LoriJean67
Excursionist
15 0 4

I don't think it has anything to do with Shopify payments.  Either someone reported your website or Shopify stumbled upon it and noticed that the item you are selling is branded with a trademark.  They want to make sure that you are authorized to be a distributor for that product.  If you are not then legally you are not allowed to sell it and the item has to be removed.  That's how I understand it.   

LoriJean67
Excursionist
15 0 4

If you are authorized then supplying them with paperwork that says so should clear up your issue.

fabrics
Excursionist
20 0 33

I got this email as well and I am a Fabric Retail Store with an actual physical store in Ontario Canada and since the pandemic I opened an online store to survive.   I purchase all my products through wholesalers based in Canada and I have always done this.   There is no other way for retailers to do business.  So I am not sure why I was flagged.  If for whatever reason after completing the attestation report they make a hasty decision to close my store I would like enough notice to move it to another hosting company.  I have a lot of product online and would not like to have to redo everything.  I  am actually a little worried about this and think that I should start looking to move my store elsewhere.  Can't afford to have them shut it down and not have any access.   Anyone know what brought this on??

GoodWatch
Shopify Partner
9 0 7

@fabrics From my understandings reading this thread, I think you can always use another payment gateway like Paypal, Stripe or Authorized.net. That's in the case that the risk department won't like to process your payments. In your place, I won't be worried, unless you are selling high ticket items with a big risk of chargebacks.

Smorris88
Tourist
3 0 0

Hi @LoriJean67 

Was any further action taken once you removed your products? Any further details you can provide on this after checking the last box would be appreciated! Thanks 

Jaime_Chamberla
Tourist
5 0 2

No further action at this time, but also no idea how long it takes them to process through such things.

Smorris88
Tourist
3 0 0

Did they say they are reviewing it and will get back to you? Or was there no conclusion? 

daniel_long
Explorer
56 0 15

I sent them an email reply and they were brief but courteous. They said no further action required. I did not remove my product because the name is merely a coincidence. I'm not stepping on any trademarks.

Shay
Shopify Staff (Retired)
3110 472 654

This is an accepted solution.

Hi everyone! Thank you again for all your feedback on this topic. Please continue to add it to this thread and I will make sure to add a like to your feedback to let you know that it has been received. I fully support the idea of adding these communications into the admin as well and I hope we can make that happen. 

To help with any confusion surrounding tickets of this type, the ticket ID for many of them will be formatted like this:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (8/4/4/4/12)

It will be a mix of letters and numbers and is different from the tickets numbers you would receive from our standard support. Our standard ticket numbers are only numerical and are around 8-10 numbers long. Tickets that match the format above are handled by a separate team and our live support doesn't have direct access to the content of these tickets. With the ticket number they should be able to confirm though if this ticket is legitimate. 

I am going to mark this response as the "Solution" so that other merchants in a similar situation can find this information easier. Please continue to add your feedback to this thread and I will make sure it is passed along on your behalf. 

Shay | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

MorellCISSP
Visitor
1 0 3

Hi Shay and other Shopify support team members; specifically targeting GRC.

Am an senior Information Security professional, CISSP #431307. I have conducted many (1000+) of these social engineering techniques to get people to give up information.

This particular format of an email is called Spear Phishing which uses key areas.

1. Claims to be from a reputable source
2. Is tailored and targeted by referencing a specific item the recipient would know.
3. Adds a sense of urgency by stating the store would be shut down.
4. Hides the true site by using a link.
5. Adds "legitimacy" by referencing a legal site as well as a ticket number.

The email that has been sent out to everyone, literally checks all of the boxes used in the spear phishing attack arsenal.

As an InfoSec professional, I knew to immediately contact support. That is even with possessing the technical ability to review email headers and safely investigate the url in the link sent. Not everyone has that luxury of understanding these attack signatures.

In that light, the Shopify GRC team should know better and should be a responsible net-citizen, not contributing to the behavior of bad actors.

Hence, my recommendation would be two fold.

1. As Shay and others pointed out, place this message in the Admin console.
2. Send out a notification email (with no links in it), requesting the person log into their Admin console to take action. Direct them where in the portal to take action.

Michael B. Morell, CISSP #431307
Information Security Professional and Evangelist
DirectionWeb Inc.

Hellwood_Outfit
Explorer
55 1 14

Am I the only one less than convinced about the wisdom of just signing such a document.? Shopify seems to be pushing very hard with the 'you're best to just sign it' without offering any info about why a particular store has been flagged and what evidence they are willing to supply to reinforce the demand that you sign.

My email, like most of the others, said it 'appears' that you selling branded etc etc. I replied telling them that I'm not and their only reply was to block access to my admin. 

https://hellwoodoutfitters.com
SebTaylor
Visitor
2 0 5

How did you get your store unblocked?

AquaMan
Visitor
1 0 0

Hi Shay

Just wondering if this email is a legit Shopify email.
legal@legal-mailer.shopify.com

Thank you

LoriJean67
Excursionist
15 0 4

@Smorris88  No further action was taken.  My store is still up and running after I removed the product that was violating the trademark issue.

ThriftOn
New Member
4 0 0

I have vintage webshop and got the same email 2 days ago. I am stressed out and don't know what to do. I see that you can select the option "I sell used authentic products", maybe is that an option for the vintage sellers? Please let me know if anyone has an idea..

mehdi_elb
New Member
9 0 0

how did you know which product is trademark ?

LoriJean67
Excursionist
15 0 4

If you are selling branded items and do not have a license to sell them then I would say those are the items you need to remove.

 

mwalk22
Visitor
1 0 0

Hey after you removed the products that were trade marked did shopify uplift your payment holds or did they just refund all the customers?

 

LoriJean67
Excursionist
15 0 4

Shopify never put any payment holds on my account.  I complied to their request before the date they gave me and it was business as usual.

Shay
Shopify Staff (Retired)
3110 472 654

Hi @HotHeadstalls and fellow merchants,

I understand that some of you have recently received email notifications from Shopify's Trust and Safety team and have some questions about what this means and the next steps. While I don't work with that team directly and I am not able to confirm what products could be affected by your notices, I can share some general information with you.

Licensed, branded or trademarked products have legal protection to ensure that the unique brand's integrity is maintained. Some examples that we see frequently is products being sold with name brands like Disney, NFL/NHL/MLB etc and luxury brands like Louis Vuitton and Dolce and Gabbana. Unless you are a licensed reseller you are generally not allowed to sell products under these brand names. Even second hand, you need a special reseller license usually to do so. To learn more about this, I would recommend reaching out to a local small business legal representative to better understand the laws in your area. 

If you continue to sell licensed products on your store without the appropriate license or proof that you are eligible to sell these items then our Trust and Safety team may need to close the account to stop further sales. If you are unsure what products are being targeted you can reply back to the email you received. Keep in mind that our T&S team can take up to 2-3 business days to reply back and that regardless of that, action does need to be taken on those products and the attestation needs to be filled out by the deadline provided. 

@Sjstyles - You asked if this was an automated message that gets sent out to all merchants and if this is in relation to Shopify Payments or the Shopify platform itself.

You will only receive this email if the systems we have in place believe that your store is carrying a product that you should not be. Please make sure to reply back to your email and fill out your attestation form!

This message is in relation to both Shopify Payments and the Shopify platform. If you are selling items without the proper license, that could be considered an illegal use of a trademark/copyright which we can't allow on the Shopify platform. Also, certain brand name items can be considered high risk sales and may not be supported with Shopify Payments as well. 

Please feel free to ask any other questions you have about this email you received and I will do my best to assist you.

-Shay

 

Shay | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

LoriJean67
Excursionist
15 0 4

Thank you @Shay for clearing that up for us.

Sjstyles
Tourist
4 0 1

Thanks @Shay , for your clear explanation!

Luis_Carpio
Tourist
11 0 1

Just got thiz email.

 

I sell used video games so I'm thinking that maybe its because I have Nintendo, PlayStation Xbox etc.

I do however have a resellers licensd plus a permit to buy and sell (pawn shop type license)

Am I ok with that?

LoriJean67
Excursionist
15 0 4

If you have paperwork that allows you to sell branded material then you will most likely have to show them that paperwork.  Follow the link in the email.  You have various options to choose from when you reply to their email so select the option that pertains to your situation.  

khaldone
Visitor
1 0 1

Hello Sir;

I am wondering how it is illegal to sell branded or trademarks online if I bought it legally and it is authentic goods? what happened to the "First Sale Doctrine" law??

it was clear that you are not required  or need a reseller license or permit to resell authentic products you bought legally:

The First Sale Doctrine in Trademark Law

The first sale doctrine allows the resale of items bearing a trademark, such as a logo or brand name, after the trademark owner has sold those items, unless this is likely to confuse or deceive consumers. The U.S. Supreme Court applied the first sale doctrine to trademark law in Prestonettes, Inc. v. Coty, 264 U.S. 359 (1924).

The defendant in Prestonettes bought a product from the plaintiff, packaged it with other ingredients, and sold it to consumers. The packaging for the defendant’s product used the plaintiff’s trademarked name to indicate that the plaintiff’s product was included. The court held that this did not violate the plaintiff’s trademark rights.

As we understand you trying to protect consumers from fake products and protect yourselves from possible law suits from Trademark owners, This is very important topic for lot of stores that got affected by Shopify actions, , but  please advise us regarding this matter with much appreciation.

 

Jaime_Chamberla
Tourist
5 0 2

It does seem that many intellectual property holders have begun to be abusing the guidelines of the First Sale Doctrine. I recognize the very real concerns of black and grey market material from overseas factories producing an excess of licensed properties. We sell licensed products (largely Star Wars and Star Trek), but most of these items have been out of production for 30+ years and have been purchased on the secondary market from collectors or old shop stock. I received this form email today, with reference to a specific product they have now removed. 

Reading over the form, I can truthfully attest that we are within acceptable boundaries on this. But if Shopify starts going the direction of Amazon with this and requiring us to provide invoices to prove we are somehow approved to sell items from companies that often no longer exist, this would shut us down. We have largely moved off Amazon as a platform since it simply isn't possible (not just for us, but any vendor) to prove an original purchase invoice for a product that hasn't been in production for 20 years. 

 

 

Shay
Shopify Staff (Retired)
3110 472 654

Hi @Jaime_Chamberla 

This is great feedback and I want to know that it is being heard loud and clear. 

I wanted to expand a bit on my earlier post and take the time to share the difference between allowing these products to be sold while using Shopify as your platform and allowing Shopify Payments to be the payment processor for these orders.

Because the naming of our payment gateway is similar to the name of our platform, there can sometimes be honest confusion between the two of them when it comes to sensitive matters like this. Shopify, the platform, does allow the sale of trademarked items, high value items, branded items, etc as long as they follow our acceptable use guide and terms of service and are not illegally gained. 

Shopify Payments, the payment gateway many merchants have enabled on their store during their setup, has it's own set of rules and terms of service

High value and trademarked items like Louis Vuitton, Chanel, Fenty, etc, can be considered high risk merchandise as there could be an increased chance of receiving a chargeback on the order, a high risk of a merchant trying to sell fraudulent versions of the products as real and more. Shopify Payments, and the banking partners that power Shopify Payments, have the right to refuse to process orders of certain types of products. As independent banking institutes they can say what type of orders they want to process and what types they don't want. I recognize that can be incredibly not ideal when you've started selling and your payment gateway is removed after the fact. 

I would encourage merchants selling products like these to strongly consider the payment gateway they are using and if Shopify Payments is the right gateway for your business. Even if the gateway itself is not, that doesn't mean that your business is not welcome on the Shopify platform. 

---

@khaldone 

You referenced the The First Sale Doctrine in Trademark Law in your post and asked that we speak to that. While I wish I was able to, I can't speak to that as I am not a trained legal professional or a lawyer. If you feel that this doctrine of the trademark law is not being considered appropriately you are welcome to email our legal team directly at legal@shopify.com or ask your legal representative to do so. 

---

@keoholo 

Welcome to the community forums and thank you for also sharing your experience here. I just wanted to assure you that there isn't a need to panic about receiving this notification. I know that these messages can be intimidating to receive and the wording can come across as stern or cold as they need to follow a specific legal guideline. If you have questions please let me know and I'll do my best to answer them for you.

Shay | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

keoholo
Tourist
4 0 1

@Shay Thank you for getting back. So as I mentioned I was panic and submitted a few attestations ( I was accidentally marked all the box for the first couple times) Will the Trust and Safety Team will see my other submissions? I deleted the product, and reviewed all of my products. I really hope that they don't take my account down.   

Shay
Shopify Staff (Retired)
3110 472 654

I understand your concern @keoholo. I would recommend replying back to the email that was sent to you and let them know they the first few submissions were incorrectly filled out and which attempt was the correct one for them to review. 

Any replies to the email you received from them go straight back to your risk analyst that is handling your case. They can only communicate through email so replying back that way is the best option. You can also reach out to our live support and ask them to add a note to your ticket for your risk agent as well, but that is not necessary if you are able to send them an email reply. 

Shay | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

keoholo
Tourist
4 0 1

@Shay Thank you so much for your help! 

daniel_long
Explorer
56 0 15

Shay,

 Why am I not seeing any of my posts here? It seems you aren't seeing them either because you're not replying to me when you reply to each of the others posting. Are they being flagged? My question isn't about needing to complete a legitimate form. My concern is that I have received a phishing email because the link to the Attestation form is a crazy URL, not Shopify.com based. 

Shay
Shopify Staff (Retired)
3110 472 654

Hi @daniel_long 

Thanks for tagging me! I'm not sure if I missed your earlier messages but luckily I caught this one.

If you are unsure and wish to validate the email you received I would recommend reaching out to our live support and share your unique ticket ID code with them. These types of emails have tickets numbers that are much longer than our traditional ticket numbers as they are managed by a different team. 

To contact our live support please follow this link: Shopify Help Center - Contact Support, sign into your store account, search for "legal ticket" and use the contact support button at the bottom of the search results to see all our live support options. 

I can appreciate your concern about this email being legitimate and I have submitted official feedback to our developers and trust and safety team with everyone's thoughts and suggestions on this topic as well. 

 

Shay | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

daniel_long
Explorer
56 0 15

Shay,

The system had flagged my posts as Spam. Looks like they've been released from purgatory now.

I followed your suggestions and it's been cleared up. Thank you! Yes, it's legit and a real request from the legal department at Shopify. i added in the chat to request that they stop making their important emails look like phishing attempts.

Smorris88
Tourist
3 0 0

Hi @keoholo 

Was any further action taken once you removed your products? Any further details you can provide on this after checking the last box would be appreciated! 

Jaime_Chamberla
Tourist
5 0 2

Shay, thanks for responding. To clarify, I've read the message several times and it seems related to the Shopify platform broadly, not just Shopify Payments. 

Shay
Shopify Staff (Retired)
3110 472 654

@Jaime_Chamberla - As each situation and store is unique and I don't have direct access to the email you received, I am not able to confirm that for you. I would recommend replying back to the email and ask if that is the case for your store at this time. 

You can also reach out to our live support and they may be able to review the ticket and the communication you received and help you translate what it could impact on your store. Please note that some communications on topics like this are handled by a separate team, meaning that our front line support won't be able to review the ticket or the message within. 

If you have any questions about the content of your communications with our escalated teams please don't hesitate to reply back and ask for additional clarification.

Shay | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

EnquiringMind
Excursionist
11 0 4

I got this email this morning also.  I have got to say I am not comfortable clinking any link on that email. It looks like a total phishing email to me.  When this is addressable through my Shopify sellers console I will be comfortable responding to this request.  

daniel_long
Explorer
56 0 15

Don't wait for it to happen any time soon. They can shut you down. I went through a lengthy process to confirm it and it's legitimate. 

daniel_long
Explorer
56 0 15

Wow, Shopify confirmed my ticket ID through chat and it's alphanumeric with dashes. 

EnquiringMind
Excursionist
11 0 4

You click the link and the first thing it asks to fill in all your information.  If it is legit it is pretty absurd for us to trust an email that looks exactly like a phishing email then the first step is to enter all your personal information. 

 

I'm shocked the others on this thread were comfortable doing just that. 

daniel_long
Explorer
56 0 15

I agree. It is unprofessional of them and absurd. I spent a lot of my own time making sure it was legit before completing the form. As you said, it should be from within the Shopify admin where other important notices and action requests are posted.