This issue was a major discussion point in the Shopify Partners Slack group before it was closed, and it urgently needs attention from the Shopify Experts team.
For the past six months, someone has been impersonating Shopify Experts using fake Gmail accounts (e.g. mattatvoltage@gmail.com). They’re contacting past clients who have left public reviews on our Experts listings, using screenshots of the Shopify Experts badge/logo to appear legitimate.
So far, at least six of our clients have reported being contacted — and there’s no telling how many others have been targeted or fallen victim. The impersonators are using multiple fake Gmail accounts, making reporting them to Google ineffective.
This issue is not unique to us. A dozen other partners raised the same concern in the Slack group before it was closed. The common thread seems to be that review names and client details on the Experts listings are visible and easily exploitable.
The only practical solution I can see is for Shopify to truncate or mask client names on public reviews to prevent scammers from harvesting them.
Shopify needs to take immediate action to protect partners and their reputations before further damage is done. Please escalate this to the appropriate team — this has gone on far too long without resolution.
One thing I’m considering is putting a notice on my contact page explaining how I reach out to merchants, what email domain I use and what to expect in those situations.
Another thing I’m considering, unfortunately, is removing my marketplace listing. I can only imagine the negative impact this is having on my reputation - hoping merchants can see through the scam.
This is an ongoing issue for us, too. Fortunately, most of our clients have recognized that something is not quite right and reached out to us about it, but at least one client (that we know of) was tricked into temporarily giving staff account access to the scammer.
As they are creating staff accounts, not partner accounts, some sort of warning when a merchant tries to add a staff email that is similar to a collaborator email/collaborator account name might be a mitigating measure.
@Lisa That is really scary. I wonder what type of permissions they are requesting, as they could take a client hostage by exporting and holding data ransom, or worse, scraping customer data and exploiting them.
In my case, I have reported this to Gmail, and since then, clients haven’t received these emails. I think Google has blocked his email. They were emailing through " info.clovecode@gmail.com "
I have done my own research and found their WhatsApp number and locations, if the Shopify team needs it to fix this issue. I emailed the Shopify legal team about this last month, also.
I hope we will find a solution for this soon.
This also happened to 2 of my past clients this week. One of the merchants paid for the scammers “services” and then contacted me to find out what was happening to their “job”.
The emails used were: evan.cooeecommerce@gmail.com, info.cooeecommerce@gmail.com
They appear to be targeting merchants who have their email address exposed on the contact page of their Shopify stores. I asked the merchants to copy and share the email header text so I can report to Gmail, but this appears to be too difficult for the merchants, unfortunately. Any other suggestions regarding how to get these email addresses blocked would be very much appreciated. I suspect this is out of Shopify’s control.
Kinda seems like partners need a pincode system too.
Or that there should be more provenance in access requests such as branding, clearly printing partner id numbers.
Or when accepting a request merchants need to copy in the email address that was used to make sure they are actually actively reading the email addresses.
Also comes down public facing contact emails not being the same as org/partner addresses that issue the access requests.
But some merchants just gonna click anything, but still a swiss cheese model is better than NONE of those things being done.
The first thing I have done is to ask merchants to mark their emails as spam. The next thing that I did was to report the Gmail account to Google. Report a Gmail account for abuse.
This has been happening to me for the past few weeks, it’s absolutely frustrating. Some of my clients have fallen for the scam and have been bombarded with emails asking for payment of at least £650 for the audit and to give them access to their account. I actually replied to their email and was in conversation with them and was asking how can I make payment and they said they would send an Upwork invoice? I also managed to find the email address that they are logging in to Shopify with and it is nauman.masood@yahoo.com Somehow they had added themselves to my Partner account team even though I have 2fa enabled. I have removed them and changed all passwords but I have no idea how they managed to do that.
I have tried to contact a Shopify about this but I keep getting directed to their ai chat bot which is no help. I’ve emailed help@shopify.com and support@shopify.com and received a reply saying the email address is no longer in use!
This is a major issue and needs resolving but I’m not sure how to stop them.
I actually think it could be an AI agent or a bot that is doing most of the work, as when I replied to them they didn’t seem to notice that they had been emailed by the person they were impersonating! They then went on to arrange a Google meet meeting with me and started pestering ME for payment for the audits they supposedly did on my client stores. Surely a human would have clicked on that they were emailing the person they were impersonating, I used my business email address with my full name that they are using and also had my email signature with my name and business name and they didn’t notice.
Are you contacting general support to trying to get to partner support through the partner dashboard.
also type “support-advisor”/“human” to try to bypass such bots faster.
Could be bots but generally you can get those to go off topic easier.
But lots of things are tiered, initiator is not always the communicator/call-center and downstream may not be given info this happens even in regular businesses. In the case of scammers it might ironically be to prevent the scammer from doing their own scams on their bosses scam.
Or they just don’t care, or literally they go through so many that being in their funnel is all that matters.
I joined Upwork to see his profile, he’s from nigeria and already has some completed jobs. Not sure if he’s the only one that is doing the work, there’s probably more of them
