Suss Confirmation Request | EMAIL SCAM 2024

Topic summary

Shopify store owners are reporting a phishing scam involving fake order confirmation requests. The scam follows a consistent two-email pattern:

The Attack Method:

  • First email: Claims payment was withdrawn but no confirmation received, requests order verification
  • Second email: Includes a “bank statement” attachment via password-protected zip file or Google easy-exchange link
  • Uses fake identities like “Amy Brown” (teamoku.com), “Patricia Larson,” and “Annie Huber” (thetravellistindonesia.com)

The Actual Threat:
The attached file contains malware that grants remote access to the victim’s computer post-login, bypassing 2FA and passwords. Scammers then use website management systems to contact legitimate customers, requesting duplicate payments or Bitcoin for fake “glitches.”

Protective Actions:

  • Never open attachments or click links from these emails
  • Request specific order details (order number, date, payment info) - scammers won’t provide them
  • If clicked: Run deep scans with Malwarebytes, Bitdefender, AVG, or similar antivirus tools
  • Report and block the sender

Multiple users confirmed receiving identical messages. Previous reporting led to takedown of pinfairs.com. The discussion remains active as new variants emerge with different sender identities.

Summarized with AI on November 3. AI used: claude-sonnet-4-5-20250929.

Absolutely! Glad to hear that your post had an impact on getting pinfairs taken down. I appreciate your additional reddit info too.

I read this post under the Patricia Larson link which is helpful to know. So I’ll leave it here:

chownrootroot commented on post

This is a fun scam. While the tempting thing is to say “oh well the scam is to get refunded money for a non-existent order”, anyone with sense operating the website would look into their order system and say “nope, nothing here, no way you can possibly be refunded without an actual transaction.”

Instead, upon a reply of “got nothin’”, the scammer would then say “oh well I have a PDF file of my bank statement right here with the transaction, please look again”. Oh nothing bad can happen just looking at a PDF file, right? Well… The PDF will be delivered in a password-protected zip file. They provide the password in the same email of course (defeating the purpose of password-protecting the file anyway). This prompts you to use a Windows PC. And you unzip the file, do a simple double click on the PDF, and… well you’ve just been scammed. The file is actually executable and it runs code to steal your browser cache, which is a way to duplicate your logins on their computer and websites can’t tell the difference. Note that it’s not a login, it’s post-login, they don’t need to login anything, thus bypassing 2-factor and passwords.

And what do they do with this? Well with your website management system, they will look at orders coming in, they will contact customers (unbeknownst to you) and say they need to pay again because there was a glitch, send credit card payment or Bitcoin to blah blah blah, and they scam your customers. They delete the messages if they had to use the site itself to contact customers, and then it happens basically without a trace.

But you don’t sell things, they probably thought you sell things or you were about to set up the website to sell things.

Similar methods are going around with Airbnb hosts, with other small businesses, with freaking real estate firms (that one they tell you to change the routing information and you wire money to the wrong account and then you lose it forever, and you thought you were talking to the real estate company and you’re just trying to buy a house). Oh and it’s used in the “Elon is giving you crypto! Just send him crypto and he doubles it and sends it back!” YouTube scams.

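The comment above describes the two tells of this lure: a zip that is password-protected (with the password in the same email) and a “PDF” inside it that is really an executable. The following is an added triage script, not code from the thread or from any of the people quoted in it; it shows how a store owner or helpdesk can check a received attachment before anyone double-clicks it. It inspects only file names and the first bytes of file content (magic numbers), never runs anything, and uses constructed sample bytes rather than real attachments: the sample names (`bank_statement.pdf.exe`, `statement.pdf`) and the hypothetical helper names (`triage`, `zip_is_encrypted`) are assumptions for the demonstration.

```python
import struct
from pathlib import Path

# Constructed sample "attachments" for the demo (not real malware). A Windows
# executable begins with the bytes "MZ"; a genuine PDF begins with "%PDF-".
SAMPLE_FILES = {
    "bank_statement.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "bank_statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # double extension
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,           # PE wearing a .pdf name
    "invoice.pdf.scr": b"MZ" + b"\x00" * 10,                  # screensaver = executable
}

# Constructed zip local-file headers: signature, version needed, then the
# general-purpose flag word at offset 6. Bit 0 of that flag means "encrypted".
ENCRYPTED_ZIP_HEADER = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
PLAIN_ZIP_HEADER = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0000) + b"\x00" * 22

# Magic numbers checked at the start of the content, independent of the file name.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip",
}

# Extensions Windows will execute on double-click (a subset; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                   ".vbs", ".lnk", ".pif", ".msi", ".hta"}


def sniff_type(data: bytes) -> str:
    """Identify content by its leading bytes, ignoring the file name entirely."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def zip_is_encrypted(data: bytes) -> bool:
    """True if a zip's first local file header has the encryption bit set."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def triage(name: str, data: bytes) -> list[str]:
    """Return red flags for one attachment; an empty list means none found."""
    findings = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    kind = sniff_type(data)

    if last in EXECUTABLE_EXTS:
        findings.append(f"executable attachment ({last})")
        if len(suffixes) >= 2:
            # e.g. "bank_statement.pdf.exe": the inner ".pdf" is there to mislead
            findings.append("double extension disguises executable as a document")
    elif kind.endswith("executable"):
        # The name claims a document but the bytes are a program.
        findings.append(f"content is {kind} but name suggests {last or 'no extension'}")

    if kind == "zip" and zip_is_encrypted(data):
        # Password-protected archives defeat mail-gateway scanning; treat as a red flag.
        findings.append("password-protected zip (mail scanners cannot inspect contents)")

    return findings


def triage_all(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Triage every attachment and return findings keyed by file name."""
    return {name: triage(name, data) for name, data in files.items()}


if __name__ == "__main__":
    report = triage_all(SAMPLE_FILES)
    report["bank_statement.zip"] = triage("bank_statement.zip", ENCRYPTED_ZIP_HEADER)
    for name, flags in report.items():
        status = "OK" if not flags else "SUSPICIOUS"
        print(f"{status:10} {name}: {'; '.join(flags) or 'no red flags'}")
```

The point of the check is that the file name is attacker-controlled and the magic bytes are not: a real bank statement would pass `sniff_type` as `pdf`, while the lure described in the comment fails it. Treating any password-protected zip as suspicious is a deliberate design choice, since the only reason to encrypt an attachment and put the password in the same email is to get it past the recipient's mail scanning.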