Hackers are no longer waiting in your inbox. A newly identified scam technique places fake invoices directly inside shopping app order histories, making them feel more credible than a typical phishing email.
Researchers have observed fraudulent receipts appearing inside the Shop app, the popular order-tracking application from Shopify, catching users off guard in a space they already trust.
The scam targets everyday shoppers by creating fake charges for high-value items or subscriptions. Victims see what looks like a real receipt inside an app they use for genuine purchases.
The fake order lists a phone number and urges them to call support if they did not place the order. That call is where the real damage begins.
Analysts at GenDigital identified and documented this technique after receiving reports from users finding fake orders inside the Shop app.
As GenDigital said in a report shared with Cyber Security News (CSN), scammers are placing fake purchase claims inside shopping app order experiences, where users are used to seeing real receipts and updates.
The impersonated brands include well-known names in technology and security. Reports have pointed to fictitious charges for security subscriptions, Apple gift cards, iPhones and PayPal-style payment claims.
The brand may change from one victim to the next, but the goal stays the same: create panic, then hand the victim a phone number.
Fake orders (Source – GenDigital)
Public reports on forums suggest this is not an isolated incident. Reddit threads show people encountering unrecognized orders inside the
Shop app with no matching bank charges and no follow-up emails from any real seller. The pattern points to a deliberate and ongoing abuse of trusted app infrastructure.
Hackers Leveraged Shopify Oder-Tracking App Shop
The Shop app gathers order confirmations, shipping updates and receipts in one place. It can pull order data from connected Gmail or Outlook inboxes by scanning for keywords like “tracking number” or “track your package.”
This makes it useful for real shoppers, but also creates a surface that scammers appear to have found a way to exploit.
Fake orders appear under generic seller names like “My Store,” with receipts claiming a subscription has been renewed for several hundred dollars.
The phone number is placed inside the product description, receipt body or even the shipping address field. The placement looks unusual, but inside a trusted app, users may not immediately question it.
GenDigital researchers noted the exact abuse path still needs confirmation. The fake order may be entering through a merchant workflow, email parsing or another mechanism scammers have found a way to misuse.
What is clear is that fraudulent content is appearing in a space where users expect to see real purchases.
What Happens When You Make the Call
If a victim calls the number inside the fake receipt, the conversation turns dangerous fast. The person answering may claim to represent billing support, a cancellation team or official brand support.
The script usually moves toward collecting payment details, passwords, one-time codes or remote access to the device.
By the time the caller suspects something is wrong, the scammer has already moved the interaction off the app and into a space they control entirely.
Work flow (Source – GenDigital)
The receipt served one purpose: create enough urgency to start that call. GenDigital researchers noted this follows the same logic seen in calendar invite scams, where the delivery channel changes how people judge a message far more than its actual content.
The social engineering is familiar, but the delivery surface is newer and harder to immediately distrust. A fake invoice inside a shopping app receipt can feel closer to a real charge than one sitting in a crowded inbox.
If you see a suspicious order inside a shopping app, do not call any number listed in the receipt.
Open your bank or card app directly to check whether a charge actually exists. Visit the brand’s official website to verify, and report suspicious stores through the option available inside the app.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Hackers Leveraged Shopify Oder-Tracking App Shop to Push Fake Invoices appeared first on Cyber Security News.
