Types of Phishing Targeting Shopify Merchants
Phishing attacks against Shopify stores fall into several categories. Understanding each type helps you recognize them and defend against them.
Fake Shopify Platform Emails
These emails impersonate Shopify itself. They use Shopify’s logo, color scheme, and email formatting to look like official platform communications. Common variants include:
- “Your account has been suspended” — Claims your store has been flagged for a policy violation and directs you to a fake login page to “verify your identity”
- “Payment processing issue” — Says your payment provider has been disconnected and asks you to re-enter banking details on a spoofed page
- “Urgent security update required” — Tells you to install a “security patch” by clicking a link that leads to a credential harvesting site
- “New Shopify feature requires verification” — Asks you to log in through a link to “activate” a new feature
- “Your store has been reported” — Creates urgency by claiming intellectual property complaints and demanding immediate action
These are dangerous because they exploit the trust you have in Shopify as your platform provider. The urgency and the threat of account suspension push merchants to act without thinking.
Customer Impersonation Emails
Attackers pose as customers contacting your store. These are harder to spot because customer inquiries are a normal part of running a store.
- Fake order disputes — “I was charged twice for order #12345. Please issue a refund to this account.” Includes a link to a fake refund portal.
- Shipping complaints with attachments — “My order arrived damaged, see attached photos.” The attachment contains malware.
- Large wholesale inquiries — “We want to place a bulk order. Please review our requirements in the attached document.” The document contains a macro that installs malware.
- Requests to change order details — “Please update my shipping address, here is my account” with a link to a phishing page that mimics your store’s customer login.
Supplier and Partner Phishing
If you work with suppliers, fulfillment partners, or other vendors, attackers may impersonate them.
- Fake invoices — An email that appears to come from your supplier with an attached invoice. The attachment is malicious, or the payment details in the invoice have been changed to the attacker’s bank account.
- Vendor portal login requests — “We have updated our portal, please log in to confirm your details.” Links to a fake version of the vendor’s website.
- Shipping carrier notifications — “Your package could not be delivered. Track your shipment here.” The link leads to a credential-stealing page.
Domain Spoofing Against Your Customers
This type does not target you directly but targets your customers by impersonating your store. Attackers send emails that appear to come from your domain (e.g., orders@yourstore.com) to your customers, usually containing:
- Fake order confirmations with links to phishing sites
- “Account verification” requests that harvest customer login credentials
- Fake shipping notifications with malicious tracking links
- “Refund available” notices that collect payment information
This damages your brand reputation and customer trust. Customers blame your store, not the attacker. Email authentication (SPF, DKIM, DMARC) is the primary defense against this type.
Step 1: Learn to Identify Phishing Emails
Train yourself and your team to recognize phishing before it does damage. Check every suspicious email against these indicators.
Check the Sender Address
The display name can be anything — “Shopify Support” or “Your Store Name” — but the actual email address tells the truth.
- Legitimate: noreply@shopify.com, support@shopify.com
- Phishing: noreply@shopify-support-team.com, support@sh0pify.com, shopify@gmail.com
Look carefully at the domain portion (after the @). Common tricks include:
- Extra words: shopify-billing.com instead of shopify.com
- Character substitution: sh0pify.com (zero instead of ‘o’)
- Subdomains: shopify.malicious-domain.com (the actual domain is malicious-domain.com)
- Misspellings: shopfy.com, shoppify.com
Inspect Links Before Clicking
Hover over any link without clicking it. Your email client or browser will show the actual URL in the bottom-left corner or in a tooltip.
- Legitimate: https://accounts.shopify.com/...
- Phishing: https://accounts-shopify.com/... or https://shopify.login-verify.com/...
Check that the domain in the URL matches the expected domain exactly. Pay attention to hyphens, extra words, and unfamiliar domain extensions.
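The sender-address and link checks above can be automated for a first pass. This is an added example, not SecurEcommerce's own code: it assumes the expected domains are shopify.com and a placeholder yourstore.com, and labels a host with the trick it matches (subdomain, unfamiliar extension, character substitution, extra words, misspelling).

```python
from urllib.parse import urlparse

# Assumption: the domains your store and platform really send from.
EXPECTED = ("shopify.com", "yourstore.com")
# Digits commonly swapped for look-alike letters (0->o, 1->l, 3->e, 5->s).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def host_of(value: str) -> str:
    """Host part of an email address or URL, lower-cased."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower().strip(".")
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower().strip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value: str) -> str:
    """Return 'expected' or the name of the look-alike trick the host matches."""
    host = host_of(value)
    labels = host.split(".")
    domain = ".".join(labels[-2:])  # naive: ignores multi-part TLDs such as co.uk
    if domain in EXPECTED:
        return "expected"
    name = labels[-2] if len(labels) >= 2 else host
    plain = name.translate(HOMOGLYPHS)
    for good in EXPECTED:
        brand = good.split(".")[0]
        if brand in labels[:-2]:              # shopify.malicious-domain.com
            return "subdomain"
        if name == brand:                     # shopify.net
            return "unfamiliar extension"
        if plain == brand:                    # sh0pify.com
            return "character substitution"
        if brand in plain.split("-"):         # accounts-shopify.com
            return "extra words"
        if edit_distance(plain, brand) <= 2:  # shopfy.com, shoppify.com
            return "misspelling"
    return "unrelated domain"                 # e.g. shopify@gmail.com
```

Anything other than "expected" is a reason to stop and verify through a channel you already trust.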
Look for Urgency and Threats
Phishing emails almost always create artificial urgency:
- “Your account will be suspended in 24 hours”
- “Immediate action required”
- “Your payment method has been removed”
- “Respond within 2 hours to avoid permanent closure”
Legitimate platform communications from Shopify do not threaten immediate account closure via email. They provide reasonable timeframes and multiple ways to contact support.
Check for Grammar and Formatting Issues
While phishing emails have improved in quality, many still contain:
- Unusual phrasing or awkward grammar
- Inconsistent formatting (mismatched fonts, colors, spacing)
- Generic greetings (“Dear Merchant” instead of your store name)
- Missing or broken images
- URLs with HTTP instead of HTTPS
Examine Attachments Carefully
Legitimate Shopify emails do not include attachments. If an email claiming to be from Shopify includes an attachment (especially .zip, .exe, .doc with macros, or .html files), it is almost certainly phishing.
For emails from customers or suppliers, verify the sender through a separate channel before opening any attachment.
Step 2: Set Up SPF, DKIM, and DMARC
Email authentication prevents attackers from sending emails that appear to come from your domain. This protects your customers from receiving phishing emails that impersonate your store.
SPF (Sender Policy Framework)
SPF specifies which mail servers are authorized to send email on behalf of your domain. Set up an SPF record in your DNS that includes all services that send email for you.
A basic SPF record for a Shopify store:
v=spf1 include:_spf.shopify.com include:_spf.google.com ~all
Add includes for every service that sends email on your behalf: Shopify, your email provider, marketing platforms, helpdesk tools, and any other sender.
For detailed SPF setup instructions, see our SPF record guide.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to your outgoing emails. The receiving server verifies this signature against a public key published in your DNS. If the email was altered in transit or sent by an unauthorized party, the DKIM check fails.
Shopify handles DKIM automatically for emails sent through their platform. For other services (Google Workspace, Klaviyo, etc.), follow each provider’s DKIM setup instructions to add their DKIM keys to your DNS.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Without DMARC, receiving servers make their own decisions about failed emails. With DMARC, you control the policy.
Start with monitoring mode:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Progress to enforcement after verifying all your legitimate email passes authentication:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
For the full DMARC setup process, see our DMARC setup guide.
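To check that the SPF and DMARC records described in the two sections above are in the state the guide recommends, the record strings can be parsed and graded. This is an added example, not SecurEcommerce's Refresh Check: it assumes Shopify is one of your senders (so include:_spf.shopify.com must be present) and takes record text as input rather than doing a DNS lookup.

```python
# Assumption: Shopify sends your store's mail, so its include must be present.
REQUIRED_INCLUDES = {"_spf.shopify.com"}

def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into its include: hosts and its 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes = {t.split(":", 1)[1] for t in terms[1:] if t.lower().startswith("include:")}
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    # Qualifier on 'all': '-' fail, '~' softfail, '?' neutral, '+' or none = pass.
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    return {"includes": includes, "all": qualifier if all_term else None}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def check_spf(record: str) -> list:
    """Finding codes for an SPF record; an empty list means it looks sound."""
    spf = parse_spf(record)
    findings = [f"missing_include:{inc}" for inc in sorted(REQUIRED_INCLUDES - spf["includes"])]
    if spf["all"] is None:
        findings.append("no_all_mechanism")   # unlisted senders get no verdict at all
    elif spf["all"] == "+":
        findings.append("plus_all")           # '+all' authorizes every sender
    return findings

def check_dmarc(record: str) -> list:
    """Finding codes for a DMARC record: monitoring-only policy, no reporting."""
    dmarc = parse_dmarc(record)
    findings = []
    if dmarc.get("p", "none") == "none":
        findings.append("policy_none")        # monitoring only; not yet enforced
    if "rua" not in dmarc:
        findings.append("no_rua")             # no aggregate reports will arrive
    return findings
```

Run check_spf on the TXT record at your domain and check_dmarc on the one at _dmarc.yourdomain.com; a record that is still at p=none is reported as policy_none until you move to enforcement.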
Verification in SecurEcommerce
After configuring SPF, DKIM, and DMARC:
- Open SecurEcommerce and go to Email Security
- Click Refresh Check to scan your DNS records
- All three indicators (SPF, DKIM, DMARC) should show green
- SecurEcommerce will monitor these continuously and alert you to changes
Step 3: Secure Your Shopify Account
Even with email authentication, you need to protect your actual Shopify account from compromise.
Enable Two-Factor Authentication (2FA)
If an attacker obtains your Shopify password through a phishing email, 2FA stops them from accessing your account.
- Log into your Shopify account at accounts.shopify.com
- Go to Security
- Under Two-step authentication, click Turn on
- Choose your method:
- Authenticator app (recommended) — Use Google Authenticator, Authy, or 1Password
- Security key — Use a hardware key like YubiKey for the strongest protection
- SMS — Least secure option due to SIM-swapping attacks, but better than nothing
- Follow the prompts to complete setup
- Save your backup codes in a secure location
Require 2FA for All Staff
If you have employees or contractors with Shopify access:
- Go to Shopify Admin > Settings > Users and permissions
- Review each staff account
- Require that every person with admin access enables 2FA on their account
- Remove accounts for people who no longer need access
Use Unique Passwords
Your Shopify password should not be used for any other service. Use a password manager (1Password, Bitwarden, Dashlane) to generate and store unique passwords for every account.
Review Connected Apps
Periodically audit which third-party apps have access to your Shopify store:
- Go to Shopify Admin > Settings > Apps and sales channels
- Review each installed app
- Remove apps you no longer use
- Check that remaining apps are from verified developers
A compromised third-party app can be an entry point for attackers.
Step 4: Train Your Team
If you have employees, they are both a vulnerability and a defense. Phishing only works when someone takes the bait.
Establish Clear Procedures
Create simple rules for handling sensitive requests:
For emails requesting password changes or account access:
- Never click links in the email
- Go directly to the website by typing the URL in your browser
- Log in through the normal process
For emails with financial requests (invoice changes, refund requests, bank detail updates):
- Verify through a separate communication channel (phone call, verified Slack, in-person)
- Never update payment details based solely on an email request
- Confirm with the sender using contact information you already have, not the contact info in the email
For emails with attachments from unknown or unexpected senders:
- Do not open attachments without verifying the sender
- If the email claims to be from a known contact but seems unusual, call them to confirm
- Forward suspicious emails to SecurEcommerce for analysis before interacting with them
Run Recognition Exercises
Periodically share examples of phishing emails (with sensitive content redacted) with your team and discuss:
- What indicators identified it as phishing
- What the attacker was trying to achieve
- What the correct response would be
This builds muscle memory for recognizing threats. A team that has seen examples is far less likely to fall for an attack.
Create a Reporting Process
Make it easy for team members to report suspicious emails without fear of judgment:
- Designate a specific email address or Slack channel for reporting
- Acknowledge every report, even false alarms
- Provide feedback on what was found
- Thank people for being cautious — you want to encourage reporting
A culture where people feel embarrassed about reporting suspicious emails is a culture where phishing succeeds.
Step 5: Respond If You Have Been Phished
If you or a team member clicked a phishing link or entered credentials on a suspicious site, act fast. Speed matters.
Immediate Actions (First 15 Minutes)
- Change your Shopify password immediately — Go directly to accounts.shopify.com (type it in your browser, do not click any links) and change your password
- Change passwords for any other accounts that use the same or similar password
- Enable 2FA if it is not already enabled
- Check for unauthorized changes in your Shopify admin:
- New staff accounts you did not create
- Changed payout information
- New or modified scripts
- Changed theme code
- New or suspicious apps installed
- Revoke active sessions — In Shopify account security settings, log out all other sessions
Within the First Hour
- Review recent orders for anything unusual — fraudulent orders, changed shipping addresses, unauthorized refunds
- Check your email account for:
- Forwarding rules you did not create (attackers set these up to intercept emails)
- Filter rules hiding certain emails
- Sent emails you did not write
- Notify your team that a phishing attack occurred and to be alert for follow-up attempts
- Forward the phishing email to SecurEcommerce for analysis (see email analysis guide)
Within 24 Hours
- Contact Shopify Support if you believe your account was compromised. They can help identify unauthorized changes and secure your account.
- Notify affected customers if customer data may have been exposed. Be transparent about what happened, what you have done to secure the account, and what they should watch for.
- Document everything — Save the phishing email, note the timeline of events, and record all actions taken. This documentation helps if you need to file reports or pursue legal action.
Report the Attack
- Report to Shopify: Forward phishing emails impersonating Shopify to safety@shopify.com
- Report to your email provider: Most providers have a “Report phishing” option
- Report to authorities: File a report with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov if you are in the US, or Action Fraud in the UK
Step 6: Use SecurEcommerce’s Email Analysis Tool
SecurEcommerce can analyze suspicious emails to determine whether they are legitimate or phishing.
How to Analyze an Email
- Open SecurEcommerce in your Shopify admin
- Navigate to Email Security > Email Analysis
- Forward the suspicious email to your SecurEcommerce analysis address (shown in the dashboard)
- Wait for the analysis to complete (usually within minutes)
What SecurEcommerce Checks
When you forward an email for analysis, SecurEcommerce examines:
- Sender authentication — Did the email pass SPF, DKIM, and DMARC? Failed authentication is a strong indicator of spoofing.
- Header analysis — The full email headers reveal the true sending server, routing path, and whether the claimed sender matches the actual origin.
- Link inspection — Every link in the email is checked against known phishing databases and analyzed for suspicious patterns (domain age, redirects, lookalike domains).
- Attachment scanning — If the email contains attachments, they are checked for known malware signatures and suspicious file types.
- Content analysis — The email body is evaluated for common phishing patterns: urgency language, credential requests, mismatched branding, and social engineering tactics.
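A minimal version of the sender-authentication and header checks listed above, run over a constructed message, shows what those checks look for. This is an added example and not SecurEcommerce's analysis engine: the message, its Authentication-Results header (the one your receiving mail server adds) and the domains in it are made up for illustration.

```python
import email
import re
from email import policy

# Constructed message, not a real capture: the headers a look-alike-sender mail
# might carry after your own mail server has evaluated SPF, DKIM and DMARC.
SAMPLE = """\
Return-Path: <bounce@shopify-support-team.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=shopify-support-team.com; dkim=none; dmarc=fail header.from=shopify.com
From: "Shopify Support" <noreply@shopify.com>
To: owner@yourstore.com
Subject: Your account has been suspended

Verify your identity within 24 hours or your store will be closed.
"""

def domain_of(addr: str) -> str:
    """Domain part of a header value such as '"Name" <user@host>'."""
    match = re.search(r"@([\w.-]+)", addr)
    return match.group(1).lower() if match else ""

def auth_results(msg) -> dict:
    """Pull the spf=, dkim= and dmarc= verdicts out of Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            results.setdefault(method, verdict.lower())
    return results

def analyze(raw: str) -> dict:
    """Sender-authentication and header-consistency findings for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg.get("From", "")))
    path_dom = domain_of(str(msg.get("Return-Path", "")))
    verdicts = auth_results(msg)
    findings = []
    if path_dom and path_dom != from_dom:   # displayed sender vs real bounce address
        findings.append(f"return_path_mismatch:{path_dom}")
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return {"from_domain": from_dom, "findings": findings,
            "risk": "high" if findings else "low"}
```

Note that SPF alone passes here because the attacker's own bounce domain is in their own SPF record; the DMARC failure against the From domain is what exposes the spoof.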
Understanding the Results
SecurEcommerce provides a risk assessment for each analyzed email:
| Result | Meaning | Action |
|---|---|---|
| Low risk | Email appears legitimate | No action needed |
| Medium risk | Some suspicious elements detected | Review the specific warnings before interacting |
| High risk | Strong indicators of phishing | Do not interact; delete the email |
| Confirmed phishing | Known phishing campaign | Delete immediately; change passwords if you interacted |
Building a Habit
Make email analysis part of your routine:
- Forward any email you are unsure about — there is no penalty for checking a legitimate email
- If an email asks you to click a link, log in, provide credentials, or take urgent action, analyze it first
- If an email arrives from a familiar sender but with unusual content or requests, analyze it
- Share analysis results with your team so everyone learns to recognize patterns
Ongoing Phishing Prevention Checklist
Use this checklist monthly to maintain your defenses:
- SPF record is current and includes all sending services
- DKIM is configured for all email sending services
- DMARC policy is at the appropriate enforcement level
- SecurEcommerce Email Security dashboard shows all green
- All staff accounts have 2FA enabled
- Unused staff accounts have been removed
- Unused apps have been uninstalled
- Team has been reminded about phishing identification
- Any new team members have received phishing awareness training
- DMARC reports have been reviewed for unauthorized senders
What’s Next
With phishing defenses in place, continue securing your store’s email:
- Set Up DMARC — Full walkthrough of DMARC configuration from monitoring to enforcement
- Set Up SPF Records — Ensure your SPF record authorizes all legitimate email senders
- Set Up Email Security Monitoring — Configure SecurEcommerce to continuously monitor your email authentication
- Analyze Suspicious Emails — Detailed guide on using SecurEcommerce’s email analysis tool