
Exposed: The Shopify scam that tricks merchants with fake support & code injections
It all began with what looked like a harmless email, followed by a glaring red banner warning: "Your store is under review by Shopify." For one unsuspecting merchant, this was the start of a nightmare involving fake Shopify Support emails, a sneaky code injection, and a hefty £2000+ loss to some seriously dodgy scammers.
In this article, we share the victim's story (anonymously, with permission) to help other Shopify merchants recognise and avoid scams like these. This is a sneaky scam involving both social engineering and technical trickery. Here's how it happened and what to look out for.
Quick summary: The scam timeline
- A fake email masquerading as Shopify Support
- A sneaky red warning banner injected into the store's theme.liquid code
- A panic-inducing countdown timer
- Dodgy requests for direct payments via PayPal, Payoneer, and Remitly
Let's look at how to spot these red flags and stay one step ahead.
How the scam started - with a fake email from "Shopify Support"
For this Shopify merchant, it all kicked off with an email that looked legit, claiming to be from Shopify Support. It flagged up "critical errors" on their store, and dialled up the urgency with a nail-biting 48-hour deadline.
The email claimed their Dawn theme (version 12.0.0) needed licensing registration, but that this process was being blocked by "malware-related issues" and an improperly configured "CRS file."
Here's the email they received:
"Hello, [Merchant name]'s
Thanks for providing us with the necessary information. Upon reviewing your business, we have noticed that your store is using one of Shopify Theme. Called ( Dawn ) Version 12.0.0, Unfortunately, While we attempted to proceed with your theme license registration, our system detected critical errors on your store, which have halted the process. Specifically, malware-related issues were found, and the CRS file has not been properly configured - a necessary requirement for obtaining a valid theme license.
Key Issues Identified:
Malware Errors: These errors are interfering with the security of your store, preventing the successful registration of your theme license.
CRS File Configuration: The CRS file is not configured correctly, which is required to move forward with the licensing process.
Solution: Before we can secure a valid theme license for your store, You need to resolve the malware-related issues which are affecting the registration, and the CRS file that has not been properly configured.
Please contact one of our senior experts 👉 HERE Who specializes in resolving such issues as soon as possible. within the next 48 hrs to schedule support for assistance in fixing and configuring the CRS file and eliminating the malware threats.
Note: Some Malware errors are free while some incur charges, So we recommend reaching out to our expert as soon as possible to schedule a solution. Once these issues are addressed, we will be able to complete the theme license registration process without further delay.
Please treat this matter with urgency to avoid any disruption to your store's functionality and compliance status.
Best regards,
Shopify Support Team"
We can find several red flags in this message, which could easily be missed with the sense of panic it creates:
Red Flag #1
The email came from "suppor.shopify.teamui@gmail.com" - which isn't an official Shopify domain
Red Flag #2
The odd, somewhat awkward phrasing and the grammatical errors in the message (such as the 's after the merchant's name and lowercase letters after full stops)
Red Flag #3
The mention of "theme license registration" - Shopify's Dawn theme is free and doesn't actually require licensing
Red Flag #4
References to a "CRS file" - this is a fabricated abbreviation - Shopify doesn't use "CRS files"
Red Flag #5
Creating urgency and panic with warnings about "malware" and "disruption to your store's functionality" (a key scammer tactic)
The email asked the merchant to contact a "senior expert" who could fix these issues, some for free and others for a fee.
Stage two: The malicious code injection
After engaging with the scammer, the merchant noticed a bright red warning banner had appeared at the top of their Shopify store. The message read:
Below this, a countdown timer showed approximately 2-3 days remaining, creating a false sense of urgency that something terrible would happen when the timer expired.


"When I was contacted a while later, this time via WhatsApp, he asked me to check my site as there was something strange on there. These screenshots are from two different devices. I then thought it might be tied into some code I recently added to connect with Statcounter. I then studied the code on my tablet and realised the code was the culprit. Not well hidden, right at the top. All found in theme.liquid."
Here is the code the merchant discovered in their theme.liquid file:
<div id="suspension-warning"> ALERT: This store is under review by Shopify due to technical and security issues involving API and SQL vulnerabilities. <div id="countdown">Countdown: loading...</div> </div>
<script>
  (function () {
    const countdownElement = document.getElementById("countdown");
    const countdownKey = "countdownStartTime";
    const countdownDuration = 3 * 24 * 60 * 60 * 1000; // 3 days in milliseconds
    // Get stored countdown start time or set a new one
    let startTime = localStorage.getItem(countdownKey);
    if (!startTime) {
      startTime = new Date().getTime();
      localStorage.setItem(countdownKey, startTime);
    } else {
      startTime = parseInt(startTime);
    }
    const endTime = startTime + countdownDuration;
    function updateCountdown() {
      const now = new Date().getTime();
      const distance = endTime - now;
      if (distance <= 0) {
        clearInterval(timer);
        countdownElement.innerHTML = "Countdown expired.";
        return;
      }
      const days = Math.floor(distance / (1000 * 60 * 60 * 24));
      const hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60));
      const minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60));
      const seconds = Math.floor((distance % (1000 * 60)) / 1000);
      countdownElement.innerHTML = "Countdown: " + days + "d " + hours + "h " + minutes + "m " + seconds + "s";
    }
    // Start countdown
    updateCountdown(); // initial call
    const timer = setInterval(updateCountdown, 1000);
  })();
</script>
This code snippet does several clever (albeit shameful and malicious) things:
- Creates an alarming red warning banner that looks official
- Implements a countdown timer that creates panic and urgency
- Stores the start time in the browser's localStorage, making the timer appear to continue across visits
Most concerning, the banner warns of "API and SQL vulnerabilities" - technical-sounding terms that might confuse merchants who aren't familiar with these technologies.
The payment requests and relationship building
With the fake warning banner splashed across the victim's store, the scammer swooped in, posing as the 'hero' ready to save the day...except this knight's armour came with a hefty price tag.
In an attempt to fix the problem, the merchant ended up forking over cash, including:
- First through PayPal (somewhat fortunate, as PayPal provides some buyer protection)
- Later through Payoneer, with the payment request stating "I work on Fiverr" despite no actual Fiverr involvement
- Eventually through Remitly, after the scammer claimed that there were issues with previous payment methods

The scammer was crafty, using sneaky social engineering tricks to build trust and squeeze out more cash:
- Calling the merchant "friend" right from the start
- Prying into personal life with questions about family and hobbies
- Acting like they were in it for the long haul, building a fake sense of trust
- Attempting to get more money by suggesting other services, like TikTok shop integration
How to protect yourself from similar scams
If you encounter any suspicious banner on your Shopify store or receive emails about theme licensing or security issues, here's what you need to do:
1. Verify all communications directly with Shopify
Legitimate Shopify communications will:
- Come from an @shopify.com email address, never Gmail or other free email services
- Be accessible in your Shopify admin panel under "Notifications"
- Not request direct payments outside of Shopify's billing system
- Be clearly written without major grammatical errors
When in doubt, contact Shopify support directly through your admin panel or via the official website.
2. Check your theme code for unauthorised changes
- Go to your Shopify admin panel → Online Store → Themes
- Click "Actions" → "Edit code" on your active theme
- Check the theme.liquid file for any unusual code like the example above
- Look particularly at the beginning and end of the file
Need help? If you ever need help checking your Shopify code for unauthorised code, Red Eagle Tech will assist you, free of charge.
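One way to automate the check in step 2, as an added example that is not part of the original article: a small Node.js function that scans the text of theme.liquid for the traits of the banner shown earlier (alarm wording, an inline script that pairs localStorage with a timer, and markup sitting outside the `<!doctype html>` ... `</html>` skeleton). The rule names, phrase list and sample layouts are assumptions constructed for illustration; a hit is a prompt for manual review, not proof of compromise.

```javascript
// Added example (not from the article). Rule names and phrases are assumptions.
const SCARE_PHRASES = /under review by shopify|suspension|countdown|(?:api|sql) vulnerabilit/gi;
const INJECTABLE = /<(?:div|script|style|iframe)\b/i;

function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

function scanTheme(source) {
  const findings = [];
  const add = (rule, index, detail) =>
    findings.push({ rule, line: lineOf(source, index), detail });

  // 1. Alarm wording anywhere in the layout file (text, ids, variable names).
  for (const m of source.matchAll(SCARE_PHRASES)) add("scare-phrase", m.index, m[0]);

  // 2. Inline scripts (no src) that pair localStorage with a timer: this is
  //    what lets the countdown appear to keep running between visits.
  for (const m of source.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const [, attrs, body] = m;
    if (/\bsrc\s*=/i.test(attrs)) continue;
    if (/localStorage/.test(body) && /set(?:Interval|Timeout)/.test(body)) {
      add("persistent-timer-script", m.index, "localStorage + timer");
    }
  }

  // 3. Markup outside the page skeleton: before <!doctype html> or after </html>.
  const head = source.search(/<!doctype\s+html/i);
  if (head > 0 && INJECTABLE.test(source.slice(0, head))) {
    add("markup-before-doctype", 0, "elements precede <!doctype html>");
  }
  const close = /<\/html\s*>/i.exec(source);
  const tailStart = close ? close.index + close[0].length : source.length;
  if (INJECTABLE.test(source.slice(tailStart))) add("markup-after-html", tailStart, "elements follow </html>");
  return findings;
}

// Constructed samples: a minimal clean layout, and the same layout with a
// banner of the kind described above prepended.
const CLEAN = '<!doctype html>\n<html>\n<head>{{ content_for_header }}</head>\n' +
  '<body>{{ content_for_layout }}</body>\n</html>\n';
const INJECTED = '<div id="suspension-warning">ALERT: This store is under review by Shopify' +
  '<div id="countdown">Countdown: loading...</div></div>\n' +
  '<script>localStorage.getItem("countdownStartTime"); setInterval(function () {}, 1000);</script>\n' +
  CLEAN;

for (const f of scanTheme(INJECTED)) console.log(`line ${f.line}: ${f.rule} (${f.detail})`);
```

To use it on a real store, paste the contents of theme.liquid from the code editor into a string (or read a downloaded theme file) and pass it to `scanTheme`; themes with a legitimate countdown feature will trigger the phrase rule, so read each hit in context.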
3. Never make payments outside official channels
- Legitimate Shopify theme charges appear in your Shopify billing
- Theme developers sell through the Shopify Theme Store or their official websites
- Be wary of requests for payment via Payoneer, Western Union, cryptocurrency, or direct bank transfers
4. Be suspicious of urgency tactics
- Countdowns and warnings of imminent store suspension are classic pressure tactics
- Shopify would never put a countdown timer on your storefront like this
- Take time to research and verify before making any payments
5. Ensure theme updates are handled properly
- Shopify's Dawn theme is free and official - it never requires licensing
- Theme updates are handled through the Shopify admin panel
- If you need help with theme customisation, use Shopify Experts or verified developers
What to do if you've already been scammed
In the unfortunate event that you've fallen victim to this (or a similar) scam:
- Contact your payment provider immediately to try to reverse the charges
- Report the incident to the police, especially if substantial amounts were lost
- Remove any malicious code from your theme (or restore from a backup)
- Change all passwords associated with your Shopify store and email
- Enable two-factor authentication on your Shopify admin account
- Contact Shopify support to report the scam and get guidance
Stay vigilant and protect your business
Thanks to the Shopify merchant who shared their experience with us, we've been able to shed light on this devious scam. Together, we hope to expose these criminals and protect the wider e-commerce community.
E-commerce scams are getting sneakier by the day, preying on busy store owners and threatening their livelihoods. These scams are no joke - they use slick visuals, technical trickery, and crafty social engineering to trip up even the savviest merchants.
We'll keep you informed about these tactics, but in the meantime, remain sceptical about unexpected warnings. Legitimate service providers won't use scare tactics or demand unusual payment methods from you.
If you encounter anything suspicious on your Shopify store, take a moment to step back, verify through official channels, and remember you're not alone. If you're in doubt, drop me a message at hello@redeagle.tech and I'll be happy to help you determine whether what you're seeing is legitimate or cause for concern.