What is Payout Fraud and how to prevent it

Your business seems to be running smoothly. You’re on top of your cash flow, and revenue looks good on your Shopify dashboard. But there’s a crucial issue: last month’s payout hasn’t arrived in your bank account, and it’s been weeks. Unfortunately, payments aren’t delayed; they’ve been redirected to someone else’s account.

Payout Fraud occurs when a hacker gains control of a merchant’s payment account—be it a Shopify account, an Airbnb host account, or a credit card payment gateway—and silently alters the payout banking details to their own. This diverts your hard-earned revenue into the hacker’s account.

Here’s how it works and, more importantly, how to protect yourself.

How Payout Fraud Works

Payout Fraud can target anyone who accepts online payments and receives payouts. For instance, if you're a Shopify merchant, Shopify pays your revenue to the bank account you've set up.

Hackers typically get in through phishing or through credentials leaked in another site's breach and reused on your account. Once inside, they change the payout bank details, and your funds are sent to the hacker's account instead of yours.

An example of payout fraud affecting a merchant from the Shopify Community

Protecting Yourself from Payout Fraud

A few small changes to your Shopify account greatly reduce this risk.

Password reuse

Databases are breached more often than you might think, and there's an entire underground economy built on credentials stolen from hacked websites. When security researchers (a.k.a. white hat hackers, the good guys) find a leaked database circulating on the dark web, they contribute it to HaveIBeenPwned.com, the best-known public tracker of breached databases. Enter your email address there to see which breaches may have exposed your information. The same site runs Pwned Passwords, which lets you check whether a specific password has appeared in a breach without sending the password itself.

Password reuse is a major risk factor: if you use the same password on several sites, one breach exposes all of them, and attackers routinely try leaked credentials against other services (credential stuffing). Create a unique password for every site; a password manager such as 1Password can generate and store them for you.
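The Pwned Passwords check mentioned above works by k-anonymity: you hash the password with SHA-1, send only the first five hex characters of the hash to the API, and compare the returned list of hash suffixes locally, so the password never leaves your machine. The following is an added example written for this article, not Shopify's or HIBP's own code; the live lookup uses the public `https://api.pwnedpasswords.com/range/` endpoint, and the sample response, the two filler suffixes and the count are constructed (only the first suffix is the genuine SHA-1 suffix of the string "password").

```python
import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_range(prefix: str) -> str:
    """Fetch the live range response for a 5-hex-char SHA-1 prefix (needs network).
    Only the prefix leaves the machine; the password and its full hash never do."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "payout-fraud-article-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = hibp_range) -> int:
    """Return how many times `password` appears in the Pwned Passwords corpus,
    or 0 if it is not listed. `lookup` maps a 5-char prefix to the range text."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")   # lines look like SUFFIX:COUNT
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample of a range response (the real API returns hundreds of
# "SUFFIX:COUNT" lines per prefix). The first suffix is the genuine SHA-1
# suffix of "password" (full hash 5BAA6...68FD8); the other suffixes and all
# counts are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def offline_lookup(prefix: str) -> str:
    """Offline stand-in for hibp_range() so the check runs without network."""
    return SAMPLE_RANGE_RESPONSE


def password_ok_for_payout_account(password: str,
                                   lookup: Callable[[str], str] = hibp_range) -> bool:
    """Policy for an account that controls payouts: reject any password that has
    ever been seen in a breach, regardless of how many times."""
    return pwned_count(password, lookup) == 0


if __name__ == "__main__":
    print(pwned_count("password", offline_lookup))                  # 3861493
    print(password_ok_for_payout_account("password", offline_lookup))  # False
```

Swap `offline_lookup` for the default `hibp_range` to run the check against the live service; the prefix is the only thing that goes over the wire, so it is safe to run even for the password of your payout account.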

Defending Against Phishing Attacks

Phishing uses fake sites designed to steal your credentials. They mimic the legitimate site closely but live on a different domain. Enabling two-factor authentication (2FA) is the most important defence: a phishing page can still capture your password, but with 2FA the password alone isn't enough to log in, because a second factor, such as a one-time code from your phone, is also required.

Shopify requires 2FA for payout access, which is a good security measure. Not all 2FA methods are equally secure: a one-time code (SMS or authenticator app) can be captured by a phishing page and forwarded to the real site within its validity window, while passkeys and hardware security keys are bound to the genuine site's domain and simply won't work on a lookalike. Even so, any 2FA is far better than none on a sensitive account.

To set up 2FA on Shopify:

  1. Open Settings.
  2. Click your name at the bottom of the left-hand menu.

Finding your Shopify account link from the Shopify store settings page

  3. In the new tab, go to the Security tab.

Finding the security section of your Shopify account

  4. Add a passkey or 2FA.

Passkeys are a newer form of 2FA and a much stronger one: the credential is tied to the site's domain, so a phishing site can't use it. Set up a passkey with your device's fingerprint or face unlock, or, better still, a physical security key.
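The difference between a one-time code and a passkey comes down to what the verifier can check. The example below, added for this article and not taken from Shopify or any library, puts the two side by side: a TOTP code (RFC 6238, standard library only) that a phishing page can relay to the real site, and a simplified WebAuthn-style assertion in which the browser writes the page's origin into the signed client data and the relying party rejects any origin but its own. The origins `merchant-platform.example` and `merchant-platform-secure.example` are placeholders, and an HMAC stands in for the authenticator's ECDSA signature so the code needs no third-party package.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# ---- one-time codes: TOTP per RFC 6238 (HMAC-SHA1, 30-second step) ----

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current 30 s window and +/- skew neighbours. Note what is NOT
    checked: nothing ties the code to the site the user typed it into."""
    return any(hmac.compare_digest(totp(secret, unix_time + 30 * d), code)
               for d in range(-skew, skew + 1))


def totp_relay_attack(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into a phishing page; the attacker forwards it to the
    real site a few seconds later. Returns True if the real site accepts it."""
    code_typed_into_phishing_page = totp(secret, unix_time)
    return verify_totp(secret, code_typed_into_phishing_page, unix_time + 5)


# ---- passkey-style login: WebAuthn assertion, simplified ----

def rp_id_allowed(page_origin: str, rp_id: str) -> bool:
    """Browser rule: the rpId must be the page's host or a parent domain of it
    (real browsers also consult the public suffix list; omitted here)."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(cred_key: bytes, rp_id: str, client_data: bytes) -> dict:
    """authenticatorData = SHA-256(rpId) || flags || signCount; the signature covers
    authenticatorData || SHA-256(clientDataJSON). HMAC stands in for ECDSA here."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    msg = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, msg, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def browser_get_assertion(page_origin: str, rp_id: str, cred_key: bytes, challenge: bytes) -> dict:
    """The browser, not the page, writes the origin into clientDataJSON."""
    if not rp_id_allowed(page_origin, rp_id):
        raise PermissionError(f"{page_origin} may not use rpId {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    return authenticator_sign(cred_key, rp_id, client_data)


def verify_assertion(assertion: dict, expected_origin: str, rp_id: str,
                     cred_key: bytes, challenge: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:          # the origin binding
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def passkey_relay_attack(cred_key: bytes, challenge: bytes) -> dict:
    """Attacker on a lookalike domain relays the real site's challenge to the victim."""
    real_origin, rp_id = "https://login.merchant-platform.example", "merchant-platform.example"
    phish_origin = "https://login.merchant-platform-secure.example"
    try:  # layer 1: the browser refuses the real rpId from the lookalike origin
        browser_get_assertion(phish_origin, rp_id, cred_key, challenge)
        blocked_by_browser = False
    except PermissionError:
        blocked_by_browser = True
    # layer 2: even an assertion produced on the phishing page carries that page's
    # origin inside the signed client data, so the relying party rejects it
    phish_cd = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                           "origin": phish_origin}).encode()
    relayed = authenticator_sign(cred_key, rp_id, phish_cd)
    relayed_ok = verify_assertion(relayed, real_origin, rp_id, cred_key, challenge)
    genuine = browser_get_assertion(real_origin, rp_id, cred_key, challenge)
    genuine_ok = verify_assertion(genuine, real_origin, rp_id, cred_key, challenge)
    return {"blocked_by_browser": blocked_by_browser,
            "relayed_accepted": relayed_ok, "genuine_accepted": genuine_ok}
```

`totp_relay_attack` returns True because the verifier only checks that the code is valid for the current window; `passkey_relay_attack` shows the relayed assertion failing while the genuine one from the real origin succeeds. The TOTP routine matches the RFC 4226/6238 test vectors (for example, secret `12345678901234567890` at T=59 gives `287082`).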

Limit staff access

Now that you've secured your own account, consider every staff member who has access to your Shopify store. If any of those accounts reuses a password or lacks 2FA, and that staff member can change payout settings, they are your weak link.

To view your staff's permissions, open your store's Settings, then open the Users & Permissions menu:

Viewing your staff on Shopify

Then, for each staff member, confirm that only the most trusted people can manage payout details and store settings. Everyone else should have the minimum permissions their job needs.

Reviewing the permissions for each Shopify staff member

If a staff member genuinely needs these permissions, require them to use a password manager and make sure 2FA is set up on their account to prevent account takeover (ATO) attacks. Remove the permissions, or the account, as soon as the need ends.

Notifications as a Safety Net

Despite the flood of email notifications, enabling them is crucial. Under Payout schedule in the Payout section of your Shopify dashboard, ensure notifications are enabled. This will alert you each time a payout is processed, so you can expect it to hit your bank account within 2-3 business days.

Viewing your payout schedule and notifications in the Shopify dashboard

If a payout is delayed, promptly review your payout settings to confirm that your bank account details are correct. If you find discrepancies, contact Shopify Support immediately to initiate a clawback. Act quickly, as recovery becomes much harder once the funds have left the platform. Also assume the account itself is still compromised: change your password, review the staff list and active sessions, and re-check 2FA before the next payout is scheduled.
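Payout notifications are only a safety net if someone compares them against the bank statement. The reconciliation below is an added example written for this article, not a Shopify feature: it takes a list of "payout sent" notifications and a list of bank deposits, flags any payout with no matching deposit after three business days (the window the page quotes), and separately flags a payout whose destination account differs from the previous one. The `Payout` and `Deposit` records, the last-four-digits field and all dates and amounts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Payout:
    payout_id: str
    sent_on: date        # date on the "payout sent" notification
    amount_cents: int    # integer cents avoid float rounding when matching
    bank_last4: str      # last four digits of the destination account in the notice


@dataclass(frozen=True)
class Deposit:
    posted_on: date
    amount_cents: int


def business_days_since(start: date, today: date) -> int:
    """Weekdays strictly after `start` up to and including `today`."""
    days, d = 0, start
    while d < today:
        d += timedelta(days=1)
        if d.weekday() < 5:      # Monday=0 ... Friday=4
            days += 1
    return days


def find_late_payouts(payouts, deposits, today, max_business_days=3):
    """Ids of payouts with no matching deposit once max_business_days have passed.
    Each deposit is consumed at most once, oldest payout first."""
    unmatched = list(deposits)
    late = []
    for p in sorted(payouts, key=lambda x: x.sent_on):
        match = next((d for d in unmatched
                      if d.amount_cents == p.amount_cents and d.posted_on >= p.sent_on), None)
        if match is not None:
            unmatched.remove(match)
            continue
        if business_days_since(p.sent_on, today) > max_business_days:
            late.append(p.payout_id)
    return late


def destination_changes(payouts):
    """(payout_id, previous_last4, new_last4) for every change of destination account."""
    alerts, prev = [], None
    for p in sorted(payouts, key=lambda x: x.sent_on):
        if prev is not None and p.bank_last4 != prev:
            alerts.append((p.payout_id, prev, p.bank_last4))
        prev = p.bank_last4
    return alerts


# Constructed sample data, not real notifications or bank records.
PAYOUTS = [
    Payout("p1", date(2024, 6, 3), 125_000, "1234"),   # Monday
    Payout("p2", date(2024, 6, 10), 98_050, "9876"),   # Monday: destination changed
    Payout("p3", date(2024, 6, 14), 41_000, "9876"),   # Friday
]
DEPOSITS = [
    Deposit(date(2024, 6, 5), 125_000),                # p1 arrived two days later
]
TODAY = date(2024, 6, 17)                              # Monday

if __name__ == "__main__":
    print(find_late_payouts(PAYOUTS, DEPOSITS, TODAY))   # ['p2']
    print(destination_changes(PAYOUTS))                   # [('p2', '1234', '9876')]
```

In the sample, `p3` went out on a Friday and only one business day has elapsed, so it is not reported; `p2` is five business days old with no deposit and is the same payout on which the destination account changed, which is exactly the pattern to escalate to Shopify Support. Feed the real notification emails and your bank export into the two lists to use it for actual monitoring.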

Payout Fraud Affects Shopify Partners Too

Shopify Partners are also at risk since they receive payouts through Shopify. The same security measures apply: use unique, strong passwords, enable 2FA, and monitor notifications closely. Even small changes in security practices can make a significant difference in protecting your revenue.
