Security Tips to Protect your Shopify Account from Phishing

March 12, 2021
In the information age we currently live in, cyber attacks occur on a daily basis. Nowadays, nearly everyone has an online account of some sort, and this has dramatically increased the opportunities to steal people’s personal data via various hacking methods or phishing.
What is phishing? This term refers to scams based on identity theft through the use of fake websites, email or any other type of message. The goal of phishing attacks is to access your personal account and data, like your credit card info, and, as already mentioned, cyber criminals can do so by creating fake websites that look just about the same as the originals or by sending you messages that seem to come from a trusted source. Phishing messages are usually sent by fraudulent accounts or by accounts that have been previously hacked.
In this article, we’d like to warn you about the dangers of such practices on Shopify and give you tips about how to protect your account from phishing. Let’s get right into it!
How can we recognise fake accounts with phishing intentions?
First of all, it’s important to know how to tell if we’re the victim of a phishing attempt.
If you, for instance, get a message that asks you to complete one of these tasks:
- click on a link
- download a file
- open an attachment
then it’s probably a phishing message. If you comply with whatever the message is telling you to do, your device might become infected with malware – malicious software such as worms, trojans, bots, and viruses. After your device is infected, an intruder can easily gain access to your personal information.
Phishing scams can also include direct requests for personal information, such as your bank account credentials. Phishing scams act by asking you to provide info in these ways:
- by email or another messaging system
- through a form
- to a fraudulent phone number
- to a phony physical address
Also, be suspicious when you’re asked to enter your email address and reset your password.
Warning signs of malicious intent
1) Excessively generic language
Messages that use overly general language indicate that the sender doesn’t actually know you, although the organization that is sending the message might seem trustworthy. If the message contains vague phrases, such as ‘Dear account holder’, or the sender wants to offer you some sort of business opportunity without ever mentioning your name or business name, it might be a case of phishing.
2) Poor grammar or inconsistencies in the text/website
Cyber criminals are not usually good web content writers, since their only purpose is creating scam websites or pages with as little effort as possible, so typos and other kinds of errors are pretty common. A website, page or message will look sketchy and fraudulent if these elements are inaccurate:
- spelling
- capitalization
- numbers
- punctuation
- formatting
3) Personal accounts sending you business messages
Some attackers can get to the point of gathering enough information from your online presence to create a message that could plausibly come from one of your contacts. They usually do so by hacking into your contact’s business account, after which they create a new contact with a username that closely resembles an actual contact of yours:
- TRUE – emmabrooks2473
- FALSE – emmabrooks2489
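One way to automate the lookalike check described above, as an added example that is not part of the original article: compare an incoming sender handle against your known contacts and flag near-matches. The function names, the contact list and the distance threshold of 2 are assumptions chosen for illustration.

```python
"""Flag sender handles that resemble, but do not match, a known contact."""

# Constructed sample contact list (assumption, not real accounts).
KNOWN_CONTACTS = ["emmabrooks2473", "liamcarter88"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(handle: str) -> str:
    """Ignore case and surrounding whitespace when comparing handles."""
    return handle.strip().casefold()


def classify_sender(handle, known_contacts, max_distance=2):
    """Return ('known', c), ('lookalike', c) or ('unknown', None)."""
    h = normalize(handle)
    contacts = {normalize(c): c for c in known_contacts}
    if h in contacts:
        return ("known", contacts[h])
    # Closest known contact; a small non-zero distance is the warning sign.
    best = min(contacts, key=lambda c: edit_distance(h, c), default=None)
    if best is not None and edit_distance(h, best) <= max_distance:
        return ("lookalike", contacts[best])
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ["emmabrooks2473", "emmabrooks2489", "newsupplier01"]:
        print(sender, "->", classify_sender(sender, KNOWN_CONTACTS))
```

A 'lookalike' result means the handle differs from a real contact by only a character or two, which is the case to verify through a separate channel before replying.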
4) Overexcited or alarmist tone
Watch out for messages that push you to act quickly and mindlessly or messages that make you incredible, too-good-to-be-true offers. If you get a message like ‘IT’S NOT A SCAM! CLICK HERE NOW TO GET 90% OFF DISCOUNT!’, you can be sure that it is indeed a scam.
Try getting in touch with the sender safely
If you have doubts about a message that was apparently sent to you by an organization you know and interact with, contact the organization through a phone number or email that appears on the organization’s website or on other reputable online sources. Don’t contact the same email or phone number through which the suspicious message was sent to you.
Check that the connection to the website uses HTTPS
The HTTPS protocol indicates that the connection to a site is encrypted, meaning that the personal information you’re asked to enter – such as username and password – can’t be intercepted en route and read. Never enter your personal data on websites that use the HTTP protocol. Always make sure that https:// and the lock appear in the URL.
Prevent the dangers of public Wi-Fi
Public Wi-Fi is very convenient but also very tricky. It does not offer encryption between individuals who use the same password and hotspot, and your signals are broadcast across the immediate area. It is easy for someone else within your vicinity to eavesdrop on your communication and access your personal info. Here’s what you can do to protect your data when using public Wi-Fi:
- verify hotspot names: if you’re, let’s say, in the vicinity of a coffee shop, before connecting to the shop’s hotspot ask an employee if the network is legit. This will keep you from connecting to a phishing Wi-Fi hotspot that is named like the actual coffee shop’s hotspot
- disable access points to your device: protect your data by disabling file sharing within the network you’re connected to and enable your firewall to stop attackers from accessing your data. It is always better not to send or receive sensitive content while using a public Wi-Fi network, though
- use a VPN for sending/receiving sensitive data: VPNs establish a secure, encrypted connection between the device you’re using and the VPN servers. Therefore, the content you send and receive via VPN can’t be intercepted by attackers
Contact Shopify if you suspect a phishing attempt
Lastly, forward any phishing messages that you receive to Shopify’s safety inbox at [email protected]: by building a record of attacks directed at merchants, Shopify can work to better protect you and your information.