Invoice Phishing Attacks Are Abusing the Shop App

KnowBe4 Team | Jul 9, 2026

Threat actors are abusing Shop, a legitimate app developed by Shopify, to launch phishing attacks, according to researchers at Gen Digital. Shop is used for making purchases and tracking orders, but threat actors are exploiting the platform to generate in-app notifications for phony invoices.

“Norton customers have reported fake Norton invoices appearing inside the Shop app” the researchers write.” Public reports suggest the same technique is not limited to Norton. Similar suspicious Shop app notifications have used McAfee, Apple gift cards, iPhones, PayPal-style payment claims and other high-value purchases as bait. The impersonated brand may change, but the mechanics are familiar: make the user believe they have been charged, then give them a phone number to call.”

Gen notes that most users are more likely to fall for a phishing attack that comes through an unexpected avenue.

“Most people understand that email can be spam,” the researchers write. “They may still fall for phishing, but at least the inbox is a place where scams are expected. Order-tracking apps are different. Their purpose is to collect receipts, shipping updates, and purchase information in one place. A notification from that environment can feel as if it has already passed through some layer of trust, even when the content inside the order is fraudulent. We have seen the same logic with calendar invite scams. The message itself is not always convincing, but the delivery channel changes how people read it. A fake invoice in an inbox is one thing. A fake invoice inside a calendar reminder or shopping app receipt can feel closer to a real event.

The researchers add that using a legitimate app to launch these attacks makes them harder to block with security tools.

“For security products, this also creates a detection problem,” Gen adds. “The first visible alert may not be an email, SMS, or malicious website. It may be a legitimate app notification carrying fraudulent text. The scam still depends on social engineering, but the delivery surface is harder to classify with the usual rules.”

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Gen Digital has the story: https://www.gendigital.com/blog/insights/research/fake-invoices-shopping-apps

See KnowBe4 Security Awareness Training in Action

See how you can efficiently safeguard your organization from sophisticated social engineering threats.

Request a Demo

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.