
Recognizing Phishing Scams Targeting Online Sellers

Phishing attacks targeting ecommerce store owners are responsible for approximately 30% of online store breaches. Attackers send emails impersonating Shopify, your hosting provider, payment processors, suppliers, or customers, containing links to fake login pages designed to steal your admin credentials. Once an attacker has your admin password, they can install card-skimming malware, redirect payments, export customer databases, and modify your store without your knowledge. Recognizing phishing attempts and training yourself to verify before clicking is the most effective defense.

Phishing Scams That Target Ecommerce Specifically

Fake platform notifications are the most common phishing scam targeting online sellers. You receive an email that looks exactly like a notification from Shopify, WooCommerce, BigCommerce, or whatever platform you use. The email claims your account needs urgent attention: your store has been flagged for a policy violation, your payment processing is about to be suspended, your SSL certificate is expiring, or a security vulnerability requires you to log in immediately to fix it. The email includes a button or link that leads to a perfect copy of the platform's login page. When you enter your credentials, they go directly to the attacker: the real platform's login form submits to the platform's own servers, while the fake version submits your username and password to the attacker's server. These fake notifications are convincing because attackers clone the exact email templates, logos, and formatting used by the real platforms.

Payment processor impersonation emails claim to be from Stripe, PayPal, Square, or your bank, warning about a held payment, a compliance issue, or an account limitation. Payment processor credentials are particularly valuable to attackers because they provide access to your funds, your customer payment data, and the ability to modify where payments are deposited. PayPal phishing is especially prevalent because PayPal is used by millions of online sellers and the account compromise can result in direct financial theft, not just data access.

Fake customer service requests impersonate customers with urgent problems. An "angry customer" sends an email claiming they received the wrong product, with a link to "see the photo of what I received" that leads to a malware download or a fake login page. Variations include fake copyright infringement notices from "lawyers" with attached documents containing malware, fake supplier invoices with payment links redirecting to attacker-controlled accounts, and fake wholesale order inquiries with malicious attachments disguised as product catalogs or purchase orders.

Supplier and wholesale fraud targets store owners who source products from manufacturers or distributors. You receive an email appearing to be from your regular supplier informing you that their bank details have changed and requesting you send your next payment to a new account. This is called business email compromise (BEC), and it results in the most direct financial losses of any phishing category, with the average BEC loss exceeding $125,000. The email may come from a spoofed email address that looks identical to your supplier's real address, or from a compromised email account at the supplier's actual domain.

Hosting and domain scams send fake renewal notices for your domain name or hosting account, often with urgent "your domain will expire in 24 hours" warnings. The link leads to a fake payment page that captures your credit card information, or a fake hosting login that captures your control panel credentials. Domain registrar phishing is particularly dangerous because control of your domain means the attacker can redirect all your store traffic to their own server, intercept your email, and issue themselves SSL certificates for your domain.

How to Identify Phishing Emails

Check the sender's actual email address, not just the display name. Phishing emails typically have a display name like "Shopify Support" or "PayPal Security" but the actual email address is something like support@shopify-secure-notice.com or security@paypa1.com (note the numeral 1 instead of letter l). On desktop email clients, hover over the sender name to reveal the full email address. On mobile, tap the sender name to expand the details. If the domain after the @ sign is not the exact official domain of the company (shopify.com, paypal.com, stripe.com), it is almost certainly phishing.

Hover over links before clicking. On desktop, hover your mouse over any link or button in the email without clicking. The actual destination URL appears in the bottom left corner of your browser or email client. Check that the domain matches the legitimate company. Phishing links often use domains that look similar but are not identical: shopify-login.com instead of shopify.com, paypal-resolution.com instead of paypal.com, or accounts-google.com instead of accounts.google.com. On mobile, press and hold the link to preview the URL. If the destination does not match the legitimate website, do not tap it.

Watch for urgency and fear tactics. Phishing emails almost always create artificial urgency: "Your account will be suspended in 24 hours," "Immediate action required to avoid service interruption," "Your store has been compromised, log in now to secure it." Legitimate companies do communicate urgent issues, but they provide specific details, reference your account by name or ID, and usually follow up through multiple channels. An email that demands immediate action while providing minimal specific information is almost always phishing.

Look for grammar and formatting issues. While sophisticated phishing emails are often grammatically perfect (especially those generated by AI tools), many still contain subtle errors: inconsistent capitalization, unusual spacing, generic greetings like "Dear Customer" instead of your actual name or business name, and formatting that does not quite match the company's normal emails. Compare suspicious emails against legitimate emails you have received from the same company.

Be suspicious of unexpected attachments. Legitimate ecommerce platforms and payment processors almost never send attachments. If you receive an "invoice," "receipt," "compliance document," or "product photo" attachment from a sender you were not expecting, do not open it. Malicious attachments can contain malware that installs silently when opened, including keyloggers that capture every password you type and ransomware that encrypts your entire computer.

What to Do When You Receive a Suspicious Email

Never click links in the email. Instead, open a new browser tab and type the company's website address directly (shopify.com, paypal.com, stripe.com), or use a bookmark you saved previously. Log into your account through the direct URL and check for any notifications, alerts, or issues referenced in the email. If the issue is real, you will see it in your account dashboard. If there is nothing in your dashboard, the email was phishing.

Contact the company directly if unsure. Use the contact information on the company's official website, not any phone number or email address provided in the suspicious email (which may also be controlled by the attacker). Explain that you received an email claiming to be from them and describe the content. The company's support team can confirm whether the communication was legitimate.

Report the phishing attempt. Forward phishing emails to the impersonated company (most have a dedicated reporting address like phishing@shopify.com, spoof@paypal.com, or abuse@stripe.com). Report them to your email provider as phishing, which improves spam filtering for everyone. In the U.S., report phishing to the Anti-Phishing Working Group at reportphishing@apwg.org and the FTC at reportfraud.ftc.gov.

What to Do if You Fell for a Phishing Attack

If you entered your credentials on a phishing page, act immediately. Time is critical because attackers often use stolen credentials within minutes. Change the compromised password immediately by going directly to the real website. If you used the same password on any other account, change those too. Enable two-factor authentication on the compromised account if it was not already active. Check the account for unauthorized changes: new admin users, modified payment settings, injected code, changed email addresses, added forwarding rules, or exported data. Review your email account for forwarding rules the attacker may have added to intercept future messages. If the compromised account was your ecommerce platform admin, scan your store for malware and injected scripts. If the compromised account was your payment processor, contact them immediately to freeze your account and review recent transactions.

Technical Defenses Against Phishing

Email authentication (SPF, DKIM, DMARC) configured on your business email domain helps prevent attackers from spoofing your email address to target your customers or suppliers. SPF (Sender Policy Framework) specifies which servers are authorized to send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails that recipients can verify. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do with emails that fail SPF and DKIM checks. Configuring all three on your business domain prevents attackers from sending emails that appear to come from your address, protecting your customers, your brand reputation, and your email deliverability.
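The following is an added example, not part of the original article: a small Python audit of the SPF, DKIM and DMARC records for a store domain, with a weak configuration beside a hardened one. The DNS records are constructed inline for a hypothetical domain (`example-store.test`) rather than looked up live; the `include:_spf.google.com` mechanism is Google Workspace's real SPF include, while the DKIM selector name and public key are placeholders. It shows the settings that leave spoofing unpunished (`?all`, `p=none`, no DKIM key, no reporting address) and what the corrected records look like.

```python
from typing import Dict, List

# Constructed DNS TXT records for a hypothetical store domain (not real lookups).
# Weak: SPF is neutral, there is no DKIM key, and DMARC only monitors.
WEAK_RECORDS: Dict[str, List[str]] = {
    "example-store.test": ["v=spf1 include:_spf.google.com ?all"],
    "_dmarc.example-store.test": ["v=DMARC1; p=none"],
}

# Hardened: SPF hard-fails unlisted servers, a DKIM key is published,
# DMARC rejects failures and sends aggregate reports. Key value is a placeholder.
HARDENED_RECORDS: Dict[str, List[str]] = {
    "example-store.test": ["v=spf1 include:_spf.google.com -all"],
    "mail._domainkey.example-store.test": ["v=DKIM1; k=rsa; p=PUBLIC_KEY_BASE64_PLACEHOLDER"],
    "_dmarc.example-store.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-store.test; adkim=s; aspf=s"
    ],
}


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(records: List[str]) -> List[str]:
    """Flag SPF records that let spoofed mail through."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; any server can claim to send for this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple records; receivers treat this as a permanent error")
    last = spf[0].split()[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every server on the internet; use -all")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral, so spoofed mail is not penalized; use -all")
    elif last == "~all":
        findings.append("SPF: '~all' only softfails; move to -all once every sender is listed")
    elif last != "-all":
        findings.append("SPF: record does not end with an 'all' mechanism; add -all")
    return findings


def audit_dkim(zone: Dict[str, List[str]], domain: str) -> List[str]:
    """Check that at least one DKIM selector publishes a non-revoked public key."""
    selectors = [name for name in zone if name.endswith("._domainkey." + domain)]
    if not selectors:
        return ["DKIM: no selector record found; outgoing mail cannot be signature-verified"]
    findings = []
    for name in selectors:
        if not parse_tag_value(zone[name][0]).get("p"):
            findings.append(f"DKIM: {name} has an empty p= tag, meaning the key is revoked")
    return findings


def audit_dmarc(records: List[str]) -> List[str]:
    """Flag DMARC policies that do not actually act on SPF/DKIM failures."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record; receivers have no policy for mail failing SPF/DKIM"]
    tags = parse_tag_value(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never receive aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


def audit_domain(zone: Dict[str, List[str]], domain: str) -> List[str]:
    """Combine the three checks; an empty list means no weaknesses were found."""
    return (
        audit_spf(zone.get(domain, []))
        + audit_dkim(zone, domain)
        + audit_dmarc(zone.get("_dmarc." + domain, []))
    )


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"--- {label} ---")
        for finding in audit_domain(zone, "example-store.test") or ["no findings"]:
            print(finding)
```

Running it against real records means fetching the TXT records for your domain, `_dmarc.yourdomain` and each DKIM selector your mail provider gave you, then passing them to `audit_domain` in the same dictionary shape. Move from `p=none` to `p=quarantine` and then `p=reject` only after the aggregate reports show every legitimate sender (your mail provider, your ecommerce platform, your newsletter tool) passing SPF or DKIM.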

Password managers with URL matching are an often-overlooked anti-phishing tool. When you use a password manager's auto-fill feature, it checks the current website's URL against the URL stored with the credential. If you visit a fake paypal-login.com page, your password manager will not offer to fill in your PayPal password because the URL does not match paypal.com. This automatic verification catches phishing pages that are visually perfect replicas but hosted on the wrong domain, which is exactly the scenario where human judgment most often fails.
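The sender-address and link checks from "How to Identify Phishing Emails" and the URL matching a password manager performs all come down to the same rule: compare the real domain, not the display name or how the page looks. The Python below is an added example, not code from the original article or from any password manager; it parses a `From:` header and a link URL, compares the registrable domain against a constructed allowlist of official domains, and guesses which brand a rejected domain is imitating (digit-for-letter swaps like `paypa1.com`, hyphenated variants like `shopify-login.com` and `accounts-google.com`). `password_manager_would_fill` mimics the registrable-domain match that is a common password manager default. The two-label `registrable_domain` helper is a simplification; a real tool needs the public suffix list to handle domains such as `co.uk`.

```python
from email.utils import parseaddr
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of official domains the seller actually deals with (assumption).
OFFICIAL_DOMAINS = {"shopify.com", "paypal.com", "stripe.com", "google.com"}

# Digits attackers swap in for visually similar letters (the paypa1.com trick).
_DIGIT_TO_LETTER = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified: a real implementation
    needs the public suffix list so that e.g. shop.example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Guess which official domain a non-official domain is imitating."""
    normalized = domain.translate(_DIGIT_TO_LETTER)
    brand_label = registrable_domain(normalized).split(".")[0]  # e.g. "shopify-login"
    for official in OFFICIAL_DOMAINS:
        official_brand = official.split(".")[0]
        if brand_label == official_brand or official_brand in brand_label.split("-"):
            return official
    return None


def _verdict(host: str) -> Dict[str, Optional[str]]:
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return {"host": host, "domain": domain, "verdict": "ok", "lookalike_of": None}
    return {"host": host, "domain": domain, "verdict": "suspicious",
            "lookalike_of": lookalike_of(domain)}


def check_sender(from_header: str) -> Dict[str, Optional[str]]:
    """Judge the real address behind a From: header, ignoring the display name."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return {"host": "", "domain": "", "verdict": "suspicious", "lookalike_of": None,
                "display_name": display_name, "address": address}
    result = _verdict(address.rsplit("@", 1)[1])
    result["display_name"] = display_name
    result["address"] = address
    return result


def check_link(url: str) -> Dict[str, Optional[str]]:
    """Judge a link by its real hostname. urlsplit handles userinfo tricks:
    https://paypal.com@evil.example/ has the hostname evil.example."""
    result = _verdict(urlsplit(url).hostname or "")
    result["url"] = url
    return result


def password_manager_would_fill(saved_url: str, current_url: str) -> bool:
    """Mimic password-manager URL matching: fill only when the registrable domain
    of the current page equals the one stored with the credential."""
    saved = registrable_domain(urlsplit(saved_url).hostname or "")
    current = registrable_domain(urlsplit(current_url).hostname or "")
    return saved != "" and saved == current


if __name__ == "__main__":
    # Constructed samples modelled on the lookalikes described in the article.
    for header in ('"PayPal Security" <security@paypa1.com>',
                   '"Shopify Support" <support@shopify-secure-notice.com>',
                   "Shopify <noreply@shopify.com>"):
        print(check_sender(header))
    for url in ("https://accounts-google.com/signin",
                "https://accounts.google.com/signin",
                "https://paypal.com@evil.example/login"):
        print(check_link(url))
    print(password_manager_would_fill("https://www.paypal.com/signin",
                                      "https://paypal-login.com/signin"))
```

The point of `password_manager_would_fill` is the negative case: a pixel-perfect clone on `paypal-login.com` never triggers autofill, and that silence is the warning sign. If a password manager declines to fill a login page you expected it to recognise, stop and check the address bar before typing anything by hand.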

Security keys like YubiKey ($25 to $70) provide hardware-based two-factor authentication that is completely immune to phishing. Even if you enter your password on a phishing page, the attacker cannot complete the login without the physical security key in your possession. Security keys use a protocol called FIDO2/WebAuthn that cryptographically binds the authentication to the specific website domain, so the key will not respond to a fake site even if it looks identical to the real one. Google, Shopify, Stripe, and most major ecommerce services support security keys.
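To make the "bound to the website domain" property concrete, here is an added example (not from the article, and not any vendor's implementation) of the checks a website performs on the server side when it receives a WebAuthn login assertion. The browser places the page's origin into the signed `clientDataJSON`, and the authenticator hashes the relying-party ID into `authenticatorData`; the server accepts only if the origin and RP ID hash are its own and the challenge is the one it issued. The client data and authenticator data below are constructed in Python to stand in for what a browser and key would produce; the signature verification that makes these fields tamper-evident is omitted, since it needs the registered public key and the `cryptography` package.

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash(32) | flags(1) | signCount(4).
    A real key computes rpIdHash from the RP ID the browser passes it, which the
    browser restricts to the current origin's registrable domain."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds for
    navigator.credentials.get(); the origin is set by the browser, not the page."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def verify_assertion(client_data_b64: str, authenticator_data: bytes,
                     expected_challenge: bytes, expected_origin: str, rp_id: str) -> str:
    """Relying-party checks from the WebAuthn assertion procedure, minus the
    signature check. Returns 'accept' or a 'reject: ...' reason."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return "reject: challenge mismatch (replayed or stale response)"
    if client_data.get("origin") != expected_origin:
        # This is the check a phishing page cannot satisfy: the browser wrote
        # the phishing origin in, and the signature covers it.
        return f"reject: origin {client_data.get('origin')} is not {expected_origin}"
    if len(authenticator_data) < 37:
        return "reject: authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "reject: rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return "reject: user presence flag not set"
    # A full implementation now verifies the signature over
    # authenticatorData || SHA-256(clientDataJSON) with the stored public key.
    return "accept"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; real servers use a random value per login
    genuine = verify_assertion(make_client_data(challenge, "https://www.paypal.com"),
                               make_authenticator_data("paypal.com"),
                               challenge, "https://www.paypal.com", "paypal.com")
    phished = verify_assertion(make_client_data(challenge, "https://paypal-login.com"),
                               make_authenticator_data("paypal-login.com"),
                               challenge, "https://www.paypal.com", "paypal.com")
    print("genuine site:", genuine)
    print("phishing site:", phished)
```

In practice the failure happens even earlier than these server checks: the browser derives the RP ID from the phishing page's own domain, so the key has no credential for it and never produces an assertion at all. The server-side checks are the defence in depth the specification requires, and they are why a relayed login from a lookalike domain cannot be accepted even if the attacker forwards every byte.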