We keep seeing the same trick dressed up in slightly different clothes: a message that looks routine, a sense of urgency, and a phone number that feels safe to call. This time, the hook is a fake receipt inside the Shop app, and that detail matters because trust is doing a lot of the scammer’s work for them.
The basic play is ugly but familiar. A fake purchase appears alongside real orders, the user is told to dispute it, and the call ends with the attacker fishing for credentials, card data, or one-time passwords. Victims often describe feeling embarrassed afterward, and those first reactions — anger, confusion, a desire to move fast — are exactly what the scam relies on.
Why this version works so well
Shop is not some random inbox nobody checks. It is a legitimate order-tracking and shopping app from Shopify that centralizes receipts, shipping updates, and product discovery for merchants using the platform. The app is especially popular in North America, and the figures attached to it are hard to ignore: the Google Play listing shows 50,000,000+ installs, and the App Store listing carries millions of ratings, which is the kind of scale that makes a fake receipt look plausible at a glance.
That scale gives the scam a real advantage. A fake receipt inside an app people already trust feels more plausible than a stray email in a spam folder, and that is exactly why callback phishing keeps mutating instead of going away. Email-based fraud has trained a lot of us to squint at subject lines. In-app fraud skips that first line of defense, because we’re already used to trusting what the app sorts into our order history.
| Element | What the scam uses | Why it matters |
|---|---|---|
| Trusted surface | Shop order history | Users are more likely to believe a receipt that appears inside a shopping app they already use |
| Pressure point | A fake dispute phone number | It moves the victim off-platform and into a live social engineering call |
| Target data | Account credentials, payment card details, OTPs | These are the details attackers can use immediately |
| Escalation | Remote access software | Some victims are pushed into installing tools that give the scammer control of the device – we’ve seen this pattern mirrored in other phishing runs that weaponize remote access tools using fake business documents and remote-access prompts |
What the researchers found
Security researchers at Gen Digital say scammers are inserting fake orders that mimic purchases from brands such as Norton, McAfee, Apple, and PayPal. The phony receipt includes a phone number and frames the call as a way to dispute the charge. Once the victim calls, a scammer posing as a support agent tries to extract sensitive information.
That list of brands is doing a lot of work here too. People do not need to fully understand the app ecosystem to know those names. If we see an invoice tied to a large purchase from a familiar company, our brains do the rest, which is why the researchers point out that some victims may overlook obvious grammar mistakes in the fake receipts. We also see the same rapid escalation — fake support number, pressure to call, then a push toward remote tools — in other recent phishing patterns that blended spyware claims and targeted messaging linked to alleged spyware-style campaigns.
Callback phishing, but with a better delivery vehicle
Callback phishing is not new. The familiar pattern usually starts with an email that claims a subscription, order, or account action needs attention, then pushes the target to call a support number. The scammer’s goal is to get the victim into a live conversation where pressure, confusion, and urgency can do the heavy lifting.
What changes here is the delivery channel. Gen Digital says placing the fake receipts inside Shop appears to be more effective than sending fraudulent notifications by email, because users inherently trust the app. That is the real lesson here for all of us: the best phishing campaigns do not always look more technical. Sometimes they just sit in a place we already believe.
How the fake receipts may be getting in

There is still an open question around the source of the fraudulent notifications. Researchers say Shop can populate orders from multiple sources, including email parsing, account association, and order workflows, but they could not confirm which path was being used for these fake receipts.
Just as important, there is no evidence that Shop, Shopify, or the impersonated brands were compromised. That distinction matters because it keeps the focus where it belongs, on abuse of trust and workflow, not on a breach narrative that the evidence does not support. The convenience features that automatically match confirmations to accounts are exactly the affordance an attacker needs: helpful in normal use, hazardous when an attacker spoofs a vendor confirmation.
What we should do if a suspicious receipt shows up
The advice here is refreshingly simple, which is rare in security stories and always a bit suspicious in its own right. If a receipt appears for an order you did not place, do not call the number listed on it. Verify any supposed charge directly with your bank instead.
If someone already called and shared information, the next steps are straightforward:
- Reset account passwords immediately.
- Contact the card issuer to cancel the card if payment details were exposed.
- Treat any shared OTPs or login codes as compromised.
- Be alert for requests to install remote access software, because that can turn a scam call into a device takeover.
The part that should worry us
The scary part is not that scammers found one more fake receipt trick. It is that they found a place where a fake receipt looks normal. Shop is designed to organize purchases and shipping updates, which makes it useful for shoppers and attractive to anyone looking for a believable way in.
That is where this lands for me. The scam is not sophisticated in the cinematic sense. It is opportunistic, socially engineered, and annoyingly effective because it exploits a service people already expect to be helpful. People who’ve shared their stories online are angry and warn others, and that communal frustration is one of the few reliable defenses we have left.
For the rest of us, the takeaway is simple enough to remember without writing it on a sticky note: trust the app less than the charge itself, and verify every unexpected purchase somewhere attackers cannot edit.