Shein is one of the most popular shopping apps in the world. In fact, it’s the second most downloaded shopping app globally, with over 251 million downloads.  

The e-commerce platform is searched for on Google more frequently than major brands like Nike and adidas. 

Shein gained popularity for its inexpensive clothing. However, the company has faced significant criticism for its poor human rights record.  

Shein has also been exploited by scammers in various ways, from fake gift cards on Instagram to counterfeit websites. 

That brings us to the focus of today's report. Researchers at Harmony Email describe how attackers are impersonating Shein in an effort to steal user credentials. Over the past several weeks, they have identified more than 1,000 of these fraudulent emails.  

Email Example  

The email arrives with a tempting subject line, "Order Verification SHEIN", and claims to come from Shein customer service. A closer look reveals the first red flag: the sender's address does not match Shein's official domain. 

The email excitedly announces that you have received a mystery box from Shein. The included link does not lead to a surprise gift; it leads to a fake website designed to steal your personal information (a credential harvesting site). 

This phishing attempt is quite transparent. It preys on your excitement by claiming you have won a prize, and uses the trusted brand name "Shein" to gain your trust. A vigilant user can spot the scam easily: check the sender's address (a legitimate message comes from Shein's own domain, not a jumble of random letters) and hover over any link to confirm it points to a legitimate Shein webpage before clicking. 

Techniques 

Just like other phishing attempts, this campaign capitalizes on a popular brand and a current trend to trick you. This time, the brand is Shein. 

There are several red flags that this email is not legitimate. First, there is a strong sense of urgency surrounding the "mystery box" offer, designed to create excitement and pressure you into clicking before you think. 

Another clue? The sender's address is a jumble of random letters, not a recognizable Shein address. There is no Shein branding or logo in the email either. Finally, the link does not lead to an official Shein webpage but to a fraudulent website designed to steal your credentials. 

Best Practices: Guidance and Recommendations 

  • Do not click links that point anywhere other than the brand's official domain, and check where the email actually came from: the sender's address, not the display name. 
  • On websites that look real, check the address bar and the sender's name for spelling and punctuation errors, such as look-alike domains with swapped, missing or extra characters. 
  • Check the email for spelling errors and pay attention to its language: is this the language you would expect your shipping company to address you in?
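
The checks in the Techniques section and the list above can be automated for mail triage. The script below is an added example, not code from the Harmony Email report or from Shein. It parses a constructed sample message modelled on the "Order Verification SHEIN" lure (every address and URL in it is made up) and flags the indicators the report describes: a sender domain that is not the brand's, a brand name claimed in the display name or subject, links whose host is not the brand's, and urgency or prize wording in the body. The OFFICIAL_DOMAINS set and the URGENCY_TERMS list are assumptions to be filled in from the brand's own site and your own tuning.

```python
"""Triage checks for a suspected brand-impersonation email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the brand actually sends from and links to.
# Take these from the brand's own site, never from the email under review.
OFFICIAL_DOMAINS = {"shein.com"}
BRAND = "shein"
# Assumption: wording that signals the pressure/prize bait the report describes.
URGENCY_TERMS = ("mystery box", "won", "verify", "immediately", "expires")

# Constructed sample modelled on the lure; all addresses and URLs are made up.
SAMPLE_PHISH = """\
From: Shein Customer Service <qx7tk2pa@example-mailer.net>
To: victim@example.com
Subject: Order Verification SHEIN
Content-Type: text/plain; charset=utf-8

Congratulations! You've won a Shein mystery box. Verify your order within 24 hours:
https://shein-rewards.example.net/verify?id=123
"""

# Constructed benign counterpart: official sender, official link, no bait.
SAMPLE_LEGIT = """\
From: Shein <noreply@shein.com>
To: customer@example.com
Subject: Your order has shipped
Content-Type: text/plain; charset=utf-8

Track your parcel at https://www.shein.com/user/orders/list
"""


def is_official(host):
    """True if host is an official domain or a subdomain of one.

    Suffix matching on ".<domain>" rejects look-alikes such as
    shein.com.evil.example, which merely start with the brand name.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def body_text(msg):
    """Concatenate the text parts of a parsed message (multipart-aware)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def extract_urls(text):
    """Pull http(s) URLs out of free text."""
    return re.findall(r"https?://[^\s<>\"']+", text)


def analyze(raw_email):
    """Return the indicators found and a verdict of 'suspicious' or 'ok'."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    sender_official = is_official(sender_domain)
    subject = msg.get("Subject", "")
    brand_claimed = BRAND in display_name.lower() or BRAND in subject.lower()

    body = body_text(msg)
    suspicious_links = [u for u in extract_urls(body)
                        if not is_official(urlsplit(u).hostname)]
    lowered = body.lower()
    urgency_hits = [t for t in URGENCY_TERMS
                    if re.search(r"\b" + re.escape(t) + r"\b", lowered)]

    # Core signal from the report: the brand is claimed, but neither the
    # sender nor the links belong to it. Urgency wording alone is not enough.
    suspicious = not sender_official and (brand_claimed or bool(suspicious_links))
    return {
        "sender_domain": sender_domain,
        "sender_official": sender_official,
        "brand_claimed": brand_claimed,
        "suspicious_links": suspicious_links,
        "urgency_hits": urgency_hits,
        "verdict": "suspicious" if suspicious else "ok",
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The verdict deliberately keys on the sender and link domains rather than on wording: a legitimate shipping notice may well say "verify", but it will come from, and link to, the brand's own domain. Urgency terms are reported as supporting context for an analyst, not as a trigger on their own.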