How to report a Security Issue?

Topic summary

A merchant received a suspicious phishing email impersonating Shopify and asked how to report it and alert the community.

Red flags identified:

  • Email requests bank account information
  • Uses an unknown domain (not an official Shopify domain)
  • Contains questionable formatting and details

Shopify Community staff confirmed this is a phishing attempt, noting that Shopify never requests bank account information via email.

Recommended actions:

  • Forward the phishing email to safety@shopify.com
  • Include email header information (obtainable through email provider settings or using MX Toolbox’s guide)
  • Attach the email as a .eml file or copy the source code into a .txt file
  • Avoid clicking any links in suspicious emails
  • Review Shopify’s account security best practices documentation

The issue was resolved with clear reporting instructions provided.

Summarized with AI on November 21. AI used: claude-sonnet-4-5-20250929.

Received a malicious email yesterday. What is the best way to report to Shopify and warn other merchants and developers?

Giveaways are no name reference and the URL is https:// t . co, which is not a known Shopify domain.

Hey, @Affiliapps! Welcome to Shopify Community!

Great spotting! In addition to those questionable details you mentioned, we can tell that this is a phishing email as we never request our merchants to enter their bank account information via email.

To report this phishing email, you may share it with our safety inbox along with the email header information. Email headers are a part of the email code that includes sender details, and they allow us to determine the email’s source and report it to the appropriate parties if it is a phishing campaign. You can follow the steps below to obtain the email header and send it to our safety inbox.

  1. View MX Toolbox’s guide for Getting Email Headers.
  2. Select your email service provider on the left-hand navigation.
  3. Follow the steps outlined there to download a copy of the .eml file or copy the email’s source code and paste it into a .txt file.
  4. Attach the file to the email you received and forward it to safety@shopify.com.

I hope you didn’t click any links in this email. If you did, or you didn’t but want to secure your account for good measure, please go over this help doc and perform the best account security practices explained on the page.

Thanks for bringing this email to our attention!
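The header fields the reply above asks reporters to include can be read directly from the saved .eml file. The Python sketch below is an added example, not part of the thread or any Shopify tooling; the sample message, the `EXPECTED` allowlist and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: only shopify.com (domain of the safety inbox named in the
# thread) is treated as an expected sender or link domain.
EXPECTED = {"shopify.com"}

# Constructed sample message, not the email discussed in the thread.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
    by mx.merchant.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.merchant.example; spf=fail; dkim=none
From: "Shopify Billing" <billing@shopify-payments.example>
Subject: Action required: confirm your bank account
Content-Type: text/plain; charset="utf-8"

Confirm your bank account here: https://t.co/EXAMPLE
"""

def domain_ok(host):
    """True only for an expected domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXPECTED)

def addr_domain(value):
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Pull out the header fields and link hosts a reviewer checks first."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    rpath_dom = addr_domain(msg["Return-Path"])
    spf = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = sorted({h.lower() for h in re.findall(r"https?://([^/\s\"'<>:]+)", text)})
    flags = []
    if not domain_ok(from_dom):
        flags.append("from-domain-unexpected")
    if rpath_dom and rpath_dom != from_dom:
        flags.append("return-path-mismatch")
    if spf is None or spf.group(1).lower() != "pass":
        flags.append("spf-not-pass")
    flags += ["link-host-unexpected:" + h for h in hosts if not domain_ok(h)]
    return {"from_domain": from_dom, "return_path_domain": rpath_dom,
            "received_hops": len(msg.get_all("Received", [])),
            "link_hosts": hosts, "flags": flags}
```

Calling `triage()` on the text of a saved .eml file returns the sender domains, the number of `Received` hops and the link hosts without opening any link in the message.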

Thank you.