Is this email from risk-management@shopify.com legitimate?

Hi Shay and other Shopify support team members; specifically targeting GRC.

I am a senior Information Security professional, CISSP #431307. I have conducted many (1000+) of these social engineering techniques to get people to give up information.

This particular format of email is called Spear Phishing, which uses key areas.

  1. Claims to be from a reputable source.
  2. Is tailored and targeted by referencing a specific item the recipient would know.
  3. Adds a sense of urgency by stating the store would be shut down.
  4. Hides the true site by using a link.
  5. Adds “legitimacy” by referencing a legal site as well as a ticket number.

The email that has been sent out to everyone literally checks all of the boxes used in the spear phishing attack arsenal.

As an InfoSec professional, I knew to immediately contact support. That is even with possessing the technical ability to review email headers and safely investigate the URL in the link sent. Not everyone has that luxury of understanding these attack signatures.

In that light, the Shopify GRC team should know better and should be a responsible net-citizen, not contributing to the behavior of bad actors.

Hence, my recommendation would be twofold.

  1. As Shay and others pointed out, place this message in the Admin console.
  2. Send out a notification email (with no links in it), requesting the person log into their Admin console to take action. Direct them where in the portal to take action.

Michael B. Morell, CISSP #431307
Information Security Professional and Evangelist
DirectionWeb Inc.

3 Likes
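The five cues listed in the post, turned into a small defender-side triage check, as an added example that is not part of the original post or of any Shopify tooling. The sample message, its domains and the ticket number are constructed placeholders; the cue names and the urgency word list are my own choices.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not the thread's email); domains and ticket number are invented.
SAMPLE = """\
From: Risk Management <risk-management@example.com>
Subject: Action required: store will be shut down (Ticket #12345)

<p>Verify within 24 hours or your store will be shut down. Review our
<a href="https://login.example-verify.test/x">example.com/legal</a> page.</p>
"""

URGENCY = ("shut down", "within 24 hours", "immediately", "action required")
LEGITIMACY = re.compile(r"ticket\s*#?\s*\d+|/legal|/policies")
# Simple anchor matcher, enough for this demo; use an HTML parser on real mail.
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def domain_of(s):
    """Hostname of a URL, or of bare 'host/path' text as a reader sees it."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def triage(raw):
    """Return the spear-phishing cues from the post that this message shows."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    # Cue 1: the claimed sender's domain, used as the reference for its links.
    sender_domain = domain_of(re.search(r"@([\w.-]+)", msg["From"]).group(1))
    text = (msg["Subject"] + " " + body).lower()
    findings = []
    if any(w in text for w in URGENCY):
        findings.append("urgency")          # cue 3: threat of shutdown
    if LEGITIMACY.search(text):
        findings.append("legitimacy-prop")  # cue 5: ticket number / legal page
    for href, visible in LINK.findall(body):
        visible = " ".join(visible.split())
        if domain_of(href) != sender_domain:
            findings.append("link-off-sender-domain")  # cue 4: leaves sender's domain
        if "." in visible and domain_of(visible) != domain_of(href):
            findings.append("link-text-hides-target")  # cue 4: display text differs from href
    return findings
```

Run `triage(SAMPLE)` to see all four cues fire on the constructed message; a message whose links stay on the sender's domain and whose text matches its targets returns an empty list.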