TL;DR
Scammers are inserting fake purchase receipts into the Shop app to trick users into calling support lines or clicking malicious links. Users should verify transactions carefully and avoid engaging with suspicious notifications.
Cybercriminals are inserting fake purchase receipts into the Shop app order histories, impersonating legitimate companies like Apple and PayPal. These fraudulent entries aim to trick users into calling scam support lines or sharing personal information, posing a significant security risk for millions of users.
Recent reports from cybersecurity researchers reveal that scammers are embedding fake invoices and order notifications within the Shop app user histories. These fake receipts often claim that large charges, subscriptions, or order preparations have been processed. They include contact details for disputing the charges, but calling these numbers leads to scammers who seek to steal login credentials, credit card info, or install malware.
Shop has acknowledged the issue, stating that they are implementing new controls to prevent such manipulations, but details on how the fake entries are inserted remain unclear. Experts note that these scams are part of a broader callback phishing tactic, frequently used by PayPal impersonators, which relies on convincing notifications to lure victims into malicious interactions.
Why Fake Shop Receipts Pose a Serious Security Threat
This scam is particularly concerning because it leverages a trusted app, making users less suspicious of fake notifications. The fake receipts may lead to identity theft, financial fraud, or remote device access if users engage with scammers. Since Shop app integrates with email and shipping data, the fake entries can appear highly convincing, increasing the risk of victims falling for the scam.

RUNBOX Wallet for Men -Slim RFID Leather Mens Bifold Wallets 2 ID Window With Gift Box Men's Accessories
Slim and Thin Wallet – This minimalist bifold wallet measures 4.3×3.2×0.6 inches and stores up to 15 cards….
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background on Shop App Security Incidents
The Shop app, used by millions for order tracking and payment, pulls data from Shopify stores and email messages, which scammers are exploiting to insert fake purchase records. While Shop has not reported a breach of their systems, the scam involves malicious third-party actors manipulating user histories. Similar callback phishing schemes have been reported before, but this specific tactic of inserting fake receipts into app histories is a recent development that cybersecurity experts are currently investigating.
“The way these fake receipts are integrated into user histories makes them appear legitimate, which can easily deceive unsuspecting users.”
— an anonymous researcher

BUISAMG Data Blocker, USB A & USB C Data Blocker for iphone17 16 and Any USB C Mobile Phone Charge, Protect Against Juice Jacking, Refuse Hacking, Only Charging (Red 6-Pack)
【Combination set】: More affordable, The data blocker combination kit shown in the main image, which can meet your…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Unclear Details About How Fake Orders Are Inserted
It is not yet confirmed how threat actors are inserting these fake receipts into user histories, nor whether Shop, Shopify, or any of the companies being impersonated have been breached. The specifics of the attack vector remain under investigation, and Shop has not provided detailed technical explanations.

Nezyo 2 Pack Identity Protection Roller Stamp Identity Theft, Confidential, Privacy Roller Stamp Information Blocker and 4 Pack Refill Ink for ID Account Data Address Security(Yellow)
Protect Your Privacy Effectively: you can use this identity protection roller stamp to flip personal information in under…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Next Steps for Users and Shop Security Measures
Users should verify any suspicious receipts against their bank or vendor accounts and avoid calling any phone numbers or clicking links in unrecognized notifications. Shop is expected to enhance security controls and provide further guidance on identifying authentic transactions. Cybersecurity researchers will continue investigating the method of insertion and the scope of the scam.

Atlancube PasswordPocket Offline Hardware Password Keeper with Bluetooth Auto-Fill for iPhone and Android, Stores 1,000 Logins, Military-Grade AES-256 Encryption (Black)
Auto-Fill Feature: Say goodbye to the hassle of manually entering passwords! PasswordPocket automatically fills in your credentials with…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
How can I tell if a Shop receipt is fake?
Check your bank or credit card statements for matching charges. Look for poor grammar, spelling errors, or unfamiliar contact details in the notification. If in doubt, verify directly with the vendor through official channels.
What should I do if I receive a suspicious receipt?
Do not call any support numbers or click links. Report the suspicious receipt to Shop and the legitimate vendor. If you have engaged with scammers, change your passwords and monitor your accounts for unusual activity.
Is my Shop account or device compromised?
There is currently no evidence that Shop or Shopify systems have been breached. The scam appears to involve third-party manipulation of user histories rather than a direct breach of the platform.
Will Shop implement new security controls?
Yes, Shop has announced they are working on ‘new controls’ to mitigate the insertion of fake receipts, though specific measures have not yet been disclosed.
Should I stop using the Shop app?
No. Continue using the app but remain vigilant. Verify transactions carefully and report any suspicious activity to Shop support.
Source: Lifehacker