Phishing emails spoofing Shopify’s “Account Security” team claim payouts are paused and ask for verification via a link. Messages appear to come from admin@mail.shopify.com (and variants like admin@mail.chopify.com), use generic greetings (“Dear account owner”), and link to non-Shopify domains.
Several merchants report receiving identical emails; one notes a 403 error (Forbidden) after clicking, suggesting the malicious page may have been taken down. Another suspects a fraudulent chat was launched from the phishing link.
Key concern: one merchant says a Shopify Support advisor validated the email (citing its Ticket ID) and instructed them to click the link and submit information; a second advisor later confirmed this was wrong and that the email was not from Shopify. The merchant is worried about account and device compromise.
Official guidance: a Shopify staff member states the email address is not associated with Shopify and advises sending email headers (technical metadata used to trace origin) to safety@shopify.com, plus referring to a security guide.
Status: ongoing. Conflicting support responses remain unresolved; action items are to forward headers to Safety and follow account protection steps.
Summarized with AI on December 24.
AI used: gpt-5.
I received what looked somewhat like a suspicious email, but it came from admin@mail.shopify.com and looked more legit than any phishing email I have ever received, so I wasn’t 100% sure. The email started:
My name is Harper, I am reaching out from Shopify’s Account Security team
We’ve had some trouble verifying your account information so we have paused payouts to your bank account until we can verify your details. Until you help us resolve this issue, we’ve temporarily limitеd what you can do with your ассоunt…
I got on support chat and I gave all of the details to the advisor. They said they looked into my account and that the email was from them. They even asked me for the Ticket ID from the email and said they cross referenced it and that the email was from them. I asked if I should go ahead and click on the email. Support told me to click on the link and provide my information.
At this point, I realized that my email program had flagged the email as a phishing email and there was a malware warning. I was hesitant to click it, so I told the support advisor what I was seeing. She insisted the email was from Shopify and that there was an issue with my account. Reluctantly, I clicked it and was brought to an error 403 page.
I started another support chat and was told by the person in the new chat that the email absolutely was not from Shopify and there was nothing wrong with my account. Now, I am realizing not only was my Shopify account put in jeopardy, but my entire computer was.
I just want to know if anyone else has ever encountered this? I am just kind of stunned that this could happen and I am worried that my accounts could be compromised.
I received exactly the same email purporting to come from admin@mail.shopify.com - the link the email asks you to click on has clearly nothing to do with Shopify and they refer to you as ‘Dear account owner’ rather than your account name - apart from that it’s a very good scam - If you clicked the link and got 403 error it is an indication that some web authority has already removed the ‘bad’ webpage - hopefully you should be okay
I also suspect that the first chat advisor was not via Shopify but rather a fraudulent chat link to the fraudsters with the chat link being generated from clicking the ‘update shopify account’ link in the email - very clever
That email address doesn’t look like it’s associated with Shopify. Because of this, you can send the email headers directly to our safety@shopify.com email. From there, our Safety team can take a closer look at the email’s contents and origins. I’d also like to share this guide on how to further protect your account against these types of emails.
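A first look at those headers before forwarding them, as an added Python example that is not part of the original thread or of Shopify's guidance: it compares the visible From domain with Return-Path, Reply-To and the receiving server's Authentication-Results. The sample headers are constructed, every domain except the reported From address is a placeholder, and the alignment test is a simplification that does not consult the public suffix list.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample headers (not taken from the thread). Only the From
# address is the one merchants reported; all other values are placeholders.
SAMPLE = """\
Return-Path: <bounce@sender.example>
Received: from relay.sender.example (relay.sender.example [203.0.113.7])
\tby mx.merchant.example; Tue, 01 Jan 2030 10:00:00 +0000
Authentication-Results: mx.merchant.example;
\tspf=pass smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example;
\tdmarc=fail header.from=mail.shopify.com
From: "Account Security" <admin@mail.shopify.com>
Reply-To: <help@sender.example>
Subject: Action required

body omitted
"""

def domain(value):
    """Domain part of the address in a header value, lower-cased."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def aligned(a, b):
    """Simplified relaxed alignment: same domain, or one is a parent of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw):
    """Return (findings, summary) for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    findings = []
    for hdr in ("Return-Path", "Reply-To"):
        d = domain(msg[hdr])
        if d and not aligned(d, from_dom):
            findings.append(f"{hdr} domain {d} differs from From domain {from_dom}")
    signer = re.search(r"header\.d=([\w.-]+)", auth)
    if signer and not aligned(signer.group(1).lower(), from_dom):
        findings.append(f"DKIM signed by {signer.group(1)}, not {from_dom}")
    if results.get("dmarc") != "pass":
        findings.append(f"DMARC result: {results.get('dmarc', 'missing')}")
    return findings, {"from": from_dom, **results}
```

A passing SPF or DKIM result only vouches for the domain named beside it, so a message can pass both for the sender's own domain while the From line shows a different one; the DMARC result and the domain comparisons are what expose that.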
Thanks a lot for your post. I’ve just received the same email, and it is very professional. I Googled it and found your post, so I’m grateful for the confirmation that it’s phishing.
That is not the problem I am having though. I realized it was a malicious phishing attempt. My issue is that Shopify Support repeatedly insisted it was sent from Shopify and insisted that I click on the link and enter my information. They even asked me for the Ticket ID and told me they double checked it and it was sent from Shopify. The second person at Shopify Support confirmed that the first person told me this in error. I am very concerned that Shopify would keep insisting that I click on a malicious link.