How to help your customers — and yourself — stay safe shopping online
by Michael Hill
In early 2020, there were widespread reports of text messages with purported shipping “tracking links” in them being sent to thousands of mobile phone users.
Unfortunately, clicking on the link opened a rabbit hole of online danger — since users were often sent to websites collecting personal information and sensitive data such as payment information.
As a Shopify store owner, you could have been indirectly affected by this widespread scam — since your customers may have, in fact, been expecting tracking information from the major shipping companies mentioned in the SMS scam messages that went out.
While there’s nothing you can do to stop scams like this from being sent out, there are ways that you can help your customers become more educated about online safety and verify information.
Most of these tips are also a great way to protect yourself from fraud when you shop online — whether from other Shopify stores or any other ecommerce sites.
Since Shopify typically takes care of sending out order confirmation texts and email notifications and is aware of potential scams, they’ve already taken some great steps to make sure the messages they send on your behalf look professional and genuine.
For example, Shopify notifications typically contain information such as the customer’s name, store name, order number, and other details that help identify it as legit.
The idea here is that the chances of a scammer being able to “guess” that someone ordered a particular product from a specific store are pretty low.
Keep in mind, however, that the 2020 scam messages did typically feature the recipient’s name. The scammers were likely able to match up phone numbers with names thanks to public records — so it’s important to keep in mind that just because a notification has the correct name or any other information, it’s not guaranteed to be genuine.
Make sure the design is consistent across all email notifications. For example, if Shopify emails the order confirmation but another service sends a shipment notification, the emails should look similar. In the case of SMS messages, look for ways to make the messages’ tone sound similar.
It’s worth noting that sticking with the default design can have both pros and cons. The advantage is that as more and more people shop through Shopify-powered stores, they’ll become more familiar with the look and feel of the standard notification. However, because of Shopify’s popularity, scammers could try to mimic the notification design.
Be sure to proofread all of the text in your notifications thoroughly. Many fraudulent notifications have poor grammar, odd capitalization or misspellings, so you don’t want your legitimate emails to be mistaken for scams because of some typos.
If you use images in your HTML email notifications, be sure they have alt text (the alt attribute) that includes your company name. This helps users who block images by default identify what the information is and that it’s legitimate. A hidden advantage is that customers are also more likely to “always allow” images from your email address in the future, making subsequent notifications and email marketing more effective.
When possible, include some level of detail that only the customer would know, such as an order summary. Keep in mind that email and SMS are not considered secure methods of communication, so information such as credit card numbers (including the last four digits) should never be included. Shipping addresses are generally considered safe to include, however. There are also certain industries where order information is more sensitive and should be removed.
Another good idea is to prominently feature your customer service phone number or email address at your store’s domain (and not a free email service) so customers can contact you if they have any concerns about the legitimacy of the notification — plus it’s a great way to build a close relationship with customers.
You may also want to add a note in your notifications and email marketing that reminds customers that you and your company will never call or email to ask for sensitive information such as credit card numbers, usernames or passwords (and, if you are doing this, it’s probably a good idea to stop).
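The checks described above (company name in image alt text, no card digits, a contact address at your own domain) can be run automatically against a rendered notification. The following Python is an added example, not Shopify’s or the author’s code; the function name, the free-mail list, the store name and domain, and the sample HTML are all constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed sample list of free mailbox providers; extend it for your own use.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LONG_NUMBER = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # card-number-like run
LAST_FOUR = re.compile(r"(?i)\b(?:ending in|last (?:4|four))\D{0,20}\d{4}\b")

class _Scan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs, self.mailtos, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = (a.get("href") or "").strip()
        if tag == "img":
            self.imgs.append((a.get("src") or "", a.get("alt") or ""))
        elif tag == "a" and href.lower().startswith("mailto:"):
            self.mailtos.append(href[7:].split("?")[0].lower())
    def handle_data(self, data):
        self.text.append(data)

def lint_notification(html, company, store_domain):
    """Return findings for a rendered notification; an empty list means clean."""
    scan = _Scan()
    scan.feed(html)
    # Every image should carry alt text that names the company.
    findings = [f"img-alt: {src}" for src, alt in scan.imgs
                if company.lower() not in alt.lower()]
    for addr in scan.mailtos:
        domain = addr.rsplit("@", 1)[-1]
        if domain in FREE_MAIL:
            findings.append(f"contact-free-mail: {addr}")
        elif domain != store_domain.lower():
            findings.append(f"contact-off-domain: {addr}")
    text = " ".join(scan.text)
    if LONG_NUMBER.search(text) or LAST_FOUR.search(text):
        findings.append("card-digits")  # full number or "last four" wording
    return findings

# Constructed sample notifications for a hypothetical store.
BAD = """<img src="logo.png"><p>Hi Sam, order #1042 has shipped.
Paid with card ending in 4242.</p>
<a href="mailto:exampleoutfitters@gmail.com">Contact us</a>"""
GOOD = """<img src="logo.png" alt="Example Outfitters logo">
<p>Hi Sam, order #1042 (1 x Trail Mug) has shipped to 12 Sample St.</p>
<a href="mailto:support@example-outfitters.example">Contact us</a>"""

if __name__ == "__main__":
    print(lint_notification(BAD, "Example Outfitters", "example-outfitters.example"))
```

Run it on the HTML your store actually sends (for example, a test order’s confirmation email saved to a file), since template variables are only filled in at send time.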
It’s also becoming more common for Shopify store owners to find themselves targets of scam emails that appear to be from Shopify, such as:
“Urgent” account notifications saying your store is suspended and requesting immediate payment.
Emails about your domain name expiring or trying to sell you additional domain-related services.
Emails asking for bank account information to set up your shipping account, payment gateway or processor.
Emails saying your store is in violation of certain policies or laws and requesting personal or financial information to resolve the problem or “settle” the case.
Emails asking you to add certain tracking or verification code snippets to your Shopify theme code.
Here’s how you, as a store owner, can protect yourself:
Shopify will email you if there’s a problem with the payment method linked to your account or issues with how you receive your store profits. However, to be extra safe, it’s always a good idea to manually type in your domain name followed by /admin and then navigate to the account settings to update the information there rather than clicking on any links in the email.
The same rule applies for notifications about your domain name. If you bought your domain through Shopify, log in to your admin panel to make any changes. If you bought it from another provider, go directly to their site and log in manually rather than clicking links.
In most cases, any offers to sell you additional domain services aren’t necessary with the possible exception of domain privacy services. However, most domains bought through Shopify include this for free already — and other domain registrars will often include it too, so make sure you’re not signing up for something you already have.
It’s also common for scammers to make you think you’re buying an “add-on” service when in reality you’re transferring your domain registration to them, which can result in not only breaking your Shopify store, but also losing control of your domain completely.
There are obviously legitimate reasons that Shopify or a third-party service you’ve signed up for will need your bank account information. However, always double check that you’re actually using the service. Again, to be extra safe, don’t click links in email or SMS notifications, but rather visit the site and log in manually.
If you receive a notification about policy or law violations, it’s a good idea to reach out to the provider directly to verify the issue is legitimate. Never click any links or provide payment information to anyone claiming that paying a fee will resolve an issue. If you receive an email purportedly from an attorney about your site, it’s always important to seek out your own legal counsel to verify if the issue raised is legitimate or not.
Never give out your Shopify username or password to anyone. Shopify will never contact you for this information. If a developer or partner needs to access your Shopify account, use the “collaborator access” feature.
There are many legitimate reasons for adding tracking or verification scripts to your Shopify theme code. However, always make sure it’s for a service you’re using, and it’s usually best to log in to the service’s website to grab the code rather than from an email. Adding fraudulent tracking or verification snippets can result in the scammer getting access to confidential information about your store or even taking over your store’s appearance.
At the end of the day, if you ever do suspect a notification is fake, it’s always better to be safe than sorry.
If possible, call the purported source of the notification via a phone number you look up independently (don’t rely on phone numbers in the email since they could be fake).
If that’s not possible, find the official support email or contact form and double check. Again, don’t rely on email addresses in the message or hit “reply” to the suspicious email; look up the address yourself and double check its spelling.