How to Prevent Your Shopify Account From Being Hacked

By Brody Hall
Edited by Davor Štefanović

Updated April 27, 2023.

Even though spam emails are an old trick, hackers still manage to con people into handing over valuable information.

Many Shopify merchants and partners have reported an increase in spam and phishing emails recently, perhaps due to the economic situation. Some sellers have fallen for the scam, clicked through the emails, and ended up giving away their login credentials. This can happen to any of us, no matter how vigilant.

If your store gets fraudulent orders, Shopify may identify and block them. Your email provider also automatically detects and filters out spam emails. Nevertheless, some hackers manage to get past these defenses and place an order or land their email in your inbox.

» Pro Tip: Consider a good social proof app to solidify your brand integrity so that your e-mails and promotions don't end up in spam inboxes!

Spam Emails Can Include Different Types of Tricks and Offers

Hackers may email you on behalf of a friend, after they've hacked the friend's email account, asking you to buy gift cards and send the codes to the friend's email address. They can also create an email address that contains the name of the company they're pretending to represent (e.g. Shopify) and ask you to verify your bank account or credit card details.

Some merchants received emails stating that Shopify is holding their funds until they update their account details. Others received emails from fake customers, saying that a payment has failed or that their account got locked and they need help.

The motives behind spam emails always revolve around promoting a product/service or trying to steal people's information and money. There are many other examples of scam emails, and spammers get very creative in overcoming the hindrances that we put in their way. For this reason, you shouldn't trust your email provider to protect you completely, but rather learn how to spot those emails yourself.

How to Identify Whether an Email Was Sent From Shopify or From a Hacker

Open a couple of emails that you know for certain that Shopify sent, and compare the suspicious email with them.

  1. Look for the sender's email address. This is probably the most important step. Check to see if the email was sent from a Shopify official email address.
  2. Poor English. Many hackers are not native English speakers, so funny language, bad grammar, spelling mistakes, and unprofessional formatting are also good signs that the email was sent by a hacker and not by Shopify.
  3. Compare the email design to other Shopify emails. See if the email is designed like other emails you received from Shopify. Usually, spammers will not use the same design, so the header, footer, colors, and even fonts may be different from official Shopify emails.
  4. Watch out for strange requests. A hacker's emails may contain unusual requests, like asking you to verify your bank account details, change your email password, help a friend in trouble, etc.
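
The sender check from step 1, as an added example (not part of the original article and not Shopify tooling): a Python sketch that parses a message's headers and flags a From domain outside an allow-list, and goes slightly beyond the step by also flagging a mismatched Reply-To and a missing DMARC pass. It assumes shopify.com is the official sender domain; both sample messages and all addresses in them are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: shopify.com is the only official sender domain. Extend this set
# from emails you know for certain are genuine.
OFFICIAL_DOMAINS = {"shopify.com"}

def is_official(domain):
    """Exact match or a true subdomain; 'shopify.com.evil.example' must fail."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def check_sender(raw):
    """Return a list of warnings for one raw email (headers + body)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if not is_official(domain):
        findings.append(f"From domain '{domain}' is not an official domain")
        brands = [d.split(".")[0] for d in OFFICIAL_DOMAINS]
        if any(b in (display + " " + addr).lower() for b in brands):
            findings.append("brand name is used but the domain does not match")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To goes to a different domain than From")
    # Only trust an Authentication-Results header added by your own provider.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("no dmarc=pass in Authentication-Results")
    return findings

# Constructed sample messages (not real traffic).
GENUINE = "\n".join([
    "From: Shopify <no-reply@shopify.com>",
    "Subject: Your payout is on the way",
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass",
    "", "Log in to your admin to see details."])
SUSPICIOUS = "\n".join([
    'From: "Shopify Support" <billing@shopify-accounts.example>',
    "Reply-To: verify@mail-check.example",
    "Subject: Your funds are on hold until you update your account details",
    "Authentication-Results: mx.example.net; spf=pass; dkim=none; dmarc=none",
    "", "Please verify your bank account details."])

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("suspicious", SUSPICIOUS)):
        print(name, check_sender(raw) or "no warnings")
```

A clean result only means the headers look consistent; the other three checks in the list still apply.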

7 ways to protect your Shopify merchant account


1. Don't click links in suspicious emails.

It may seem tempting to click if the spammer wrote a convincing message. Sometimes an email can contain a message, alert, or some other kind of important information about your Shopify account, and you're not sure if the email is genuine or spam. Still, you should never click any link within a suspicious email, since the sender is trying to steal your data, credentials, etc. Simply open a new tab in your browser, or even open a new browser, log into your partner/merchant Shopify account, and if there's an important message or alert you'll see it there.

2. Report spam emails.

Every email provider has an option to report emails as spam. When many people report the same email address, the provider will automatically mark all emails sent from that address as spam.

3. Report spammers to Shopify.

Simply forward the email to [email protected].

4. Change your passwords.

If you clicked a spam message, change the password of your email and Shopify accounts immediately.

5. Use a unique password for your Shopify account.

Don't use the same password for multiple websites/accounts, especially for accounts that contain sensitive or valuable information. This way, even if one of your accounts is hacked, the others are protected.

6. Be extra careful.

Verify that orders are legit before shipping them, especially if an order looks suspicious in any way.

7. Set up multi-factor or two-factor authentication for your Shopify account.

This is probably the most effective measure one can take to prevent their account from being hacked.

Enabling multi-factor authentication in your Shopify account (or any other account, for that matter) will protect you even if a hacker steals your password or hacks your email account.

Two-factor (aka two-step) authentication means that you'll need to use two different methods to prove that you're the owner of your account, in order to log in.

For example, you can use your email and your phone number as two separate steps to log into your Shopify account. In that case, you'll first need to enter your login credentials (email address + password). Then, Shopify will send a verification code to your mobile phone, which you'll have to enter. Only if you complete both steps will you be able to log in to your Shopify account.

The idea behind this authentication method is that it's much harder, and far less likely, for a hacker to steal both your Shopify credentials and your mobile phone. And so, if someone steals your credentials and tries to hack your Shopify account, they will not be able to enter the verification code that is sent to your phone.

Moreover, if you get a text message from Shopify with a verification code that you didn't request, you'll know that someone is trying to hack your account, and you can immediately log in yourself to change your email and password. Or, if Shopify identifies that someone is trying to log into your account but can't complete the two steps, they can block access and notify you about it.

When setting up two-factor authentication for your Shopify account, you'll be instructed to use two completely separate authentication methods so that a hacker can't get hold of both of them at the same time.