How to spot a phishing email: A guide for Shopify store owners
Cybercriminals are constantly coming up with new ways to get into your business and steal your data. Even with the growth of new types of attacks, phishing is still a headache for online retailers. Just look at forums, support groups and subreddits and you'll see regular posts about phishing. Is this email legit? But, it looks so real! What should I do?
For retailers specifically, 40% of webshop attacks started from phishing or malicious emails in 2024. Falling for a phishing scam can be detrimental to your business. Hackers can steal your credentials and in turn, you can lose money and even your store.
So, how can you protect yourself? The most important step is to be suspicious.
A suspicious user community is a well-protected user community. This guide will help sharpen your suspicious instincts and give you tips to identify phishing emails before they cause damage.
What is phishing?
Phishing is a cyberattack where scammers send fake emails pretending to be from a legitimate source, such as Shopify, payment processors or banks. The hackers prey on your willingness to trust and often create a sense of urgency or panic to trick you into providing sensitive information like login credentials or payment details.
One scary thing about phishing attacks is that they happen fast. It takes less than 60 seconds for users to fall for phishing emails: 21 seconds to click on the malicious link and another 28 seconds to enter the data.
Less than one minute.
The risks of clicking on a phishing email
For e-commerce managers, the stakes are exceptionally high. A single successful phishing attack can lead to:
- Stolen login credentials: Hackers can gain access to your Shopify admin, payment gateways and customer data, potentially locking you out of your own business
- Financial losses: Cybercriminals may steal funds, make fraudulent transactions or request unauthorized payouts
- Operational disruption: Your store can suffer significant downtime and lost sales while you restore your online store
- Malware infection: Clicking a malicious link can install keyloggers (malicious software that records your keystrokes and sends them to an attacker) or ransomware on your device
- Loss of customer trust: If customer data is compromised, your brand's reputation takes a hit and your business may be subject to legal liabilities under data protection regulations
An example of an actual phishing email pretending to be from Shopify support.
How to spot a phishing email
Phishing emails are designed to look legitimate, but a closer look can often reveal red flags. Here are some key ways to identify a phishing attempt:
1. Check the sender's email address
Always check the actual email address and not just the display name. Legitimate Shopify emails always come from the official domains: @shopify.com, @email.shopify.com, @em.shopify.com and @shopify-billpay.melio.com.
Scammers often create domains that appear legit at first glance, so be suspicious of addresses like:
- support@admin.shopify.com
- billing.shopify@gmail.com
- accounts@shopify.net
2. Look for urgent or threatening language
Phishing emails often try to create panic to prompt immediate, unthinking action. Be wary of messages such as:
- "Your Shopify account will be suspended in 24 hours."
- "Unauthorized login detected. Reset your password immediately."
- "Payment processing halted. Verify your details now."
If an email pressures you into immediate action, pause and verify before clicking anything.
3. Hover over links before clicking
Before clicking any link:
- Hover over it with your mouse to preview the destination URL. On mobile, press and hold a link to see where it leads
- Check if the URL begins with "https://" and leads to an official domain
Shopify's official login page is always https://accounts.shopify.com. If the URL looks suspicious or doesn't lead to an official Shopify page, don't click it.
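As an added example (not part of the original guide or Shopify's own tooling), the two checks above as a small Python triage helper: it reads the real sender address behind the display name and tests link targets against the official login page. The official domains and login URL are the ones this guide lists; the sample headers and links are constructed.

```python
"""Triage helper for the sender and link checks described in this guide.

Added example, not Shopify's own code. The official-domain list and login
URL come from the guide; any sample headers and links are constructed.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sending domains the guide names as official. The match is exact, so
# lookalikes such as shopify.net, admin.shopify.com or gmail.com do not pass.
OFFICIAL_SENDER_DOMAINS = {
    "shopify.com",
    "email.shopify.com",
    "em.shopify.com",
    "shopify-billpay.melio.com",
}

# The guide's official login page: scheme and host are checked exactly.
OFFICIAL_LOGIN_HOST = "accounts.shopify.com"


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address in a From header (display name ignored)."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def sender_is_official(from_header: str) -> bool:
    """True only when the real sending domain is one the guide lists as official."""
    return sender_domain(from_header) in OFFICIAL_SENDER_DOMAINS


def link_is_official_login(url: str) -> bool:
    """True only for https links whose host is exactly accounts.shopify.com.

    A user@host trick (https://accounts.shopify.com@evil.example/) and a
    lookalike host (accounts.shopify.com.verify.example) both fail here.
    """
    parts = urlsplit(url.strip())
    return parts.scheme == "https" and (parts.hostname or "").lower() == OFFICIAL_LOGIN_HOST


def triage_email(from_header: str, links: list[str]) -> list[str]:
    """Collect plain-language red flags for a From header and the links in the body."""
    findings = []
    if not sender_is_official(from_header):
        findings.append(f"sender domain '{sender_domain(from_header)}' is not an official Shopify domain")
    for url in links:
        if not link_is_official_login(url):
            findings.append(f"link '{url}' does not lead to https://{OFFICIAL_LOGIN_HOST}")
    return findings
```

An empty list from triage_email means both checks passed, which is a reason to stay cautious, not proof the email is genuine.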
4. Watch for grammar and spelling mistakes
Many phishing emails contain typos, awkward phrasing or poor grammar. Shopify and other reputable companies invest in professional communications, so errors can be a sign of a scam.
Watch out for:
- Grammatical errors and typos
- Inconsistent formatting
- Poor-quality logos or images
- Unusual tone or writing style
5. Question unexpected attachments or requests for sensitive information
Shopify will never ask you to:
- Download an attachment to update your account
- Enter your login credentials or security codes via email
- Provide payment details over email
- Share two-factor authentication (2FA) codes
If an email purporting to be from Shopify asks you for any of the above, it's likely a scam.
6. Compare with previous official emails
If you're unsure, compare the email with previous Shopify communications. It's a good idea to keep a folder of legitimate emails from Shopify and payment providers. Compare suspicious emails with known official emails to spot inconsistencies in:
- Email templates
- Signature formatting
- Communication tone
- Header and footer info
When in doubt, log in to your Shopify admin directly rather than clicking email links.
What to do if you receive a phishing email
If you suspect an email is phishing, you should do the following:
- Don't interact with the email. Do not click any links or download attachments
- Forward the email to Shopify at safety@shopify.com to report the scam, or to the relevant platform provider
- Follow your company's cybersecurity policies and inform your team about the potential threat
- Delete the email immediately after reporting it
- If applicable, update your company's security training or phishing Slack channel to include real-life examples of recent phishing attempts
What to do if you clicked a phishing link
Accidents happen. If you or a team member clicked on a phishing link or entered your credentials in a suspicious email, you need to take action.
- Change credentials immediately for all potentially affected accounts, including your Shopify password
- Enable two-factor authentication if you haven't already
- Check for unauthorized activity in your Shopify admin and payment settings
- Run a malware scan on your device to ensure hackers didn't install a keylogger or virus
- Reset API keys if your store integrates with third-party apps
- Monitor financial accounts for unauthorized transactions
- Contact Shopify Support if you believe your account is compromised
- Consider performing a security audit of your entire retail store
Protecting your Shopify store from phishing attacks
Prevention is always more effective than remediation. The best way to prevent phishing attacks is through proactive cybersecurity measures:
- Educate your employees on phishing risks and how to recognize scams. Consider regular security training for all team members with access to your store
- Create a phishing response plan so everyone knows what to look out for and how to respond when suspicious emails land in their inbox
- Use strong, unique passwords and never reuse them across different accounts. Consider using a password manager
- Enable 2FA on all business accounts to add an extra layer of security
- Regularly back up your store's data to ensure business continuity and prevent data loss if compromised
- Actively monitor your online store for cyber threats to ensure your store is protected against evolving threats
Remember: Be suspicious
Phishing attacks are becoming more sophisticated. AI-generated content now mimics legitimate communications, and scammers use highly personalized details from social media.
By recognizing the signs of phishing and taking action quickly, you can keep your Shopify store and customer data safe.
Staying informed is your best defense against these evolving threats. Remember, it takes just 60 seconds to fall for phishing. Slow down and be suspicious to reduce the risk.