We’ve gotten some pretty savvy fishing emails from people posing as Shopify Support. Is there a place to forward the email to Shopify so they can be aware?
Topic summary
A user asked where to report sophisticated phishing emails impersonating Shopify Support.
Official reporting channel: Shopify staff initially directed users to forward phishing messages to safety@shopify.com, where the company tracks attacks and works to improve security measures.
Key warning signs include:
- Requests to visit links
- Download files
- Open attachments
Recommended action: Before clicking any suspicious email links, contact Shopify Support directly to verify legitimacy.
Unresolved issue: A subsequent user reported that the safety@shopify.com address returned an unmonitored mailbox message, raising questions about the correct reporting channel. This concern remains unanswered in the thread.
Hi, @reneewood_1 !
Thanks for taking the time to ask about how to report phishing emails, we appreciate your help! Please forward any phishing messages that you receive to Shopify’s safety inbox at safety@shopify.com. We build a record of these attacks, and work to better protect you and your information.
We have a help article about phishing including knowing the warning signs, and how to protect yourself that I recommend reading through. As a reminder, phishing describes identity theft scams involving phony websites and emails or other messages. A phishing attack tries to gain access to your account and sensitive information.
A phishing message might ask you to:
- Visit a link.
- Download a file.
- Open an attachment.
It’s always best to be cautious with suspicious emails. If you are unsure about an email you receive, before clicking any links, or following any instructions in the email, please reach out to Shopify Support directly. Our team can confirm whether or not you have received a legitimate email. Thanks again for your help with this!
Hi there. I reported a pretty slick phishing attempt today to the [email removed] email address, but received a reply that it is not monitored. What/where is a better place to send phishing attempts?