Incident: A merchant reports an unauthorized $622.37 transfer from their Shopify Balance to an unknown bank. They have disputed the transaction and question how bank details could be changed without stronger verification, noting poor support responsiveness.
Likely cause: Payout fraud following account compromise. Common vectors cited include password reuse and phishing pages mimicking Shopify login. After access, attackers replace payout banking details and may change notification settings. Shopify normally sends alerts on logins and banking changes, but those alerts can be disabled post-compromise.
Key terms:
Payout fraud: Redirecting a store’s payout to a fraudster’s bank account.
2FA/MFA: Two-/Multi-Factor Authentication requiring an additional code (e.g., from a phone) beyond password.
Recommended actions:
Open a Shopify support ticket to regain access and be ready to verify identity (e.g., driver’s license/passport).
As soon as access is restored, change the password, enable 2FA, and restore the correct payout banking details.
Use a password manager (the reply suggests 1Password) so the Shopify password is strong and unique.
We just got an email from Shopify informing us that there was a transfer of $622.37 from our Shopify balance to some bank that is different from ours. How can this happen? I know there are many credit card frauds in which they use your credit card number. But how can anyone use someone’s Shopify account to transfer their balance to their account or pay a bill from your Shopify account balance?
This is shocking and unreal. It is severe for all of you who own Shopify stores. How can this even happen? How can Shopify allow this without verifying the bank change? Will this person who has conducted this type of fraud be able to get to our Shopify balance?
Can someone explain how this could even happen? We just disputed the transaction, but it is scary that this could happen.
I needed to post this issue here because Shopify management needs to do this and be aware that their help section for merchants is now unacceptable.
The most common way this happens is a bad actor compromises your Shopify account. And the two most common ways that happens are either password reuse or you opened a phishing link that looked like a Shopify login page but was actually a copy designed to steal your email address and password.
Once the attacker has logged into your Shopify account, they’ll swap the payout banking details with their own and then wait for the payout.
Shopify will notify you on every login as well as when banking details are changed, but it’s also possible that the attacker changed your Shopify account’s notification settings. But by that point it’s too late.
Your best defense against this type of attack is using a unique password for your Shopify account, as well as setting up 2FA (also known as MFA). That way, even if the attacker has your email address and password, they still cannot log in without physical access to your phone for the 2FA code that rotates every 30 seconds.
To regain access to your Shopify account, you’ll need to open a support request. Be prepared to prove your identity by another means, such as a driver’s license or passport. Then, as soon as you regain access, change your password, set up 2FA on your account, and of course change the payout banking information.
I highly recommend using a service like 1Password to manage your passwords, so that way you can follow best practices by setting up a strong unique password for your Shopify account.
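The reply above says the 2FA code "rotates every 30 seconds" but does not show why a stolen password is not enough to reproduce it. The following is an added example, not code from the original thread, from Shopify, or from 1Password: a minimal TOTP (RFC 6238) implementation plus a server-side verifier, so you can see that the code depends on a shared secret the phisher never receives, that it changes with the clock, and that a captured code cannot be replayed. The secret used is the RFC 6238 reference test key, not a real one, and the step length (30 s), digit count, and one-step drift window are the example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed for this example: the RFC 6238 Appendix B test secret, not a real key.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the rotation interval the reply mentions


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole steps since the Unix epoch,
    so the code only depends on the secret and the current 30-second window."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check. Accepts the current step or one neighbour (clock drift),
    and never accepts a step at or before the last accepted one, so a code that
    an attacker captures (e.g. via a phishing page) is useless once it has been used."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = STEP_SECONDS, drift: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.drift = drift
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay protection
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the representation authenticator apps import
    from an otpauth:// QR code during enrollment."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    print("base32 secret for enrollment:", provisioning_secret(RFC_SECRET))
    print("code for this 30-second window:", totp(RFC_SECRET, now))
    v = TotpVerifier(RFC_SECRET)
    print("first use accepted:", v.verify(totp(RFC_SECRET, now), now))
    print("replay accepted:", v.verify(totp(RFC_SECRET, now), now))
```

The point for the merchant in the thread: the phishing page can capture the email and password, but the code it would also need is computed from a secret that only exists on the phone and on Shopify's side, and even a captured code stops working at the end of its window and cannot be reused.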