When Email Authentication Fails: Kroll Crypto Wallet Scam

May 27, 2026
Shannon Lewis

Your DMARC passed, SPF green, DKIM verified. Still a scam. How?

Scammers abuse legitimate platforms such as Shopify to send phishing emails that your email gateway treats as trusted. The authentication checks pass because the message genuinely originates from Shopify's mail infrastructure.

This abuse turns the security layer you trust most into a delivery mechanism for credential and wallet theft.

Why This Matters Now

The Kroll crypto wallet scam demonstrates a structural weakness in how organizations evaluate email legitimacy. Attackers leveraged Shopify's transactional email service to impersonate settlement notices tied to the actual Kroll data breach.

Users who were genuinely affected by the breach received fake compensation offers that appeared authentic. The email arrived from a trusted domain, referenced a real incident, and passed every technical validation your gateway performed.

When users clicked through and connected their crypto wallets to the fraudulent site to claim the supposed settlement, they gave the site the ability to move funds out of those wallets, and on-chain transfers cannot be reversed. No technical control stopped this because the delivery mechanism was legitimate.

This pattern is spreading. Attackers abuse transactional email services, marketing platforms, and notification systems to bypass filters while targeting users conditioned to trust familiar brands.

Three Strategic Gaps Exposed

Email Filters Trust Legitimate Domains Without Verifying Sender Intent

Your gateway verified that the email was sent through Shopify's infrastructure and signed with Shopify's DKIM key. It could not determine whether the message was a notification Shopify meant to send or content an attacker pushed through the service.

  • DMARC confirms that the visible From: domain aligns with an SPF-authorized sender or a valid DKIM signature; it says nothing about the legitimacy of the content or the relationship behind it.
  • Platforms like Shopify send transactional email on behalf of third parties, so abuse by a platform customer is indistinguishable, at the authentication layer, from legitimate use.
  • Filters lack context about whether the recipient has an actual business relationship with the entity using the platform.
  • This gap forces the decision burden onto end users who may lack the training to identify domain misalignment or reply-to discrepancies.

Users See Domain Misalignment Only If They Inspect Reply-To Addresses

The scam email displayed Shopify's domain in the sender field but routed replies to a suspicious address at ginsgin.com.

  • Most users never inspect the Reply-To field before clicking links embedded in the message body.
  • The visual layout mimics legitimate settlement notices, reducing suspicion even when minor inconsistencies exist.
  • Prior contact from Kroll about the real breach primes users to expect follow-up communications, lowering their guard.
  • Training that emphasizes reply-to inspection provides a manual defense layer when technical controls fail to flag the message.

Crypto Wallet Prompts Feel Urgent After a Breach, and Access Grants Are Irreversible

Once users connect their wallets to the fraudulent site and approve the transactions it requests, the resulting transfers cannot be reversed, and no password reset or account lockout recovers the funds.

  • Crypto transactions settle outside centralized recovery mechanisms: there is no bank or issuer to reverse a transfer, so wallet theft is permanent.
  • Scammers exploit the urgency framing around settlements and compensation deadlines to rush users past scrutiny.
  • Users affected by breaches are already anxious and primed to take action on communications that reference their exposure.
  • This time pressure bypasses the deliberate verification habits that training aims to instill.

The Strategic Shift Required

Technical email authentication validates infrastructure, not intent. Your gateway cannot assess whether a legitimate platform is being exploited by a third party to deliver phishing content.

This reality requires shifting verification responsibility to users, but only after equipping them with specific recognition criteria. Training must move beyond generic warnings about suspicious emails to concrete indicators like reply-to mismatches, unexpected wallet connection requests, and domain age verification.

Organizations must also measure baseline phish-prone behavior before assuming their current posture is sufficient. Many teams discover their exposure only after an incident.

  • Establish baseline phish-prone percentages through simulated phishing campaigns that mirror real-world tactics.
  • Train users to inspect Reply-To addresses, check domain registration dates with WHOIS or RDAP lookups (registrant details are often redacted, but the creation date is usually still visible), and question unexpected requests for wallet connections.
  • Reinforce skepticism around urgent communications tied to prior breaches, even when they reference real incidents.
  • Measure improvement over time rather than relying on one-time training interventions.
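The three manual checks above (authentication passed but intent unknown, Reply-To domain differs from the displayed sender, Reply-To domain was registered recently) can also be scripted as a header-level triage step before a message reaches the user. The following Python is an added example written for this page; it is not code from the article, Optrics, or KnowBe4. The sample message and WHOIS excerpt are constructed: the local-parts, gateway name, recipient, registrar and creation date are invented, and only the two domains (shopify.com as the displayed sender, ginsgin.com as the Reply-To) follow the article. The list of shared-sender platforms is likewise an assumption.

```python
import re
from datetime import date, datetime
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message modelled on the scam described in the article.
# Everything except the two domains is invented for the example.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=shopify.com;
 dkim=pass header.d=shopify.com;
 dmarc=pass header.from=shopify.com
From: "Kroll Settlement Notice" <notifications@shopify.com>
Reply-To: claims@ginsgin.com
To: customer@example.org
Subject: Your Kroll data breach settlement is ready

Connect your wallet to claim your settlement before the deadline.
"""

# Constructed WHOIS excerpt for the Reply-To domain (assumed values, not a
# real lookup). Registrant data is often redacted, but the creation date is
# usually still published; if it is missing the age check returns None.
SAMPLE_WHOIS = """\
Domain Name: GINSGIN.COM
Creation Date: 2026-05-10T00:00:00Z
Registrar: Example Registrar, Inc.
"""

# Reference date for the sample run (the article's publication date).
SAMPLE_TODAY = date(2026, 5, 27)

# Platforms that send transactional mail on behalf of arbitrary third parties.
# Assumed list for the example; the article names only Shopify.
SHARED_SENDER_DOMAINS = {"shopify.com"}

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b"
)


def auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(hdr)}


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if none."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_to_mismatch(msg):
    """(from_domain, reply_domain, mismatch) with Reply-To defaulting to From."""
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    return from_domain, reply_domain, reply_domain != from_domain


def domain_age_days(whois_text, today):
    """Days since the 'Creation Date:' line in WHOIS text, or None if absent."""
    m = re.search(r"^Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text, re.M)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").date()
    return (today - created).days


def triage(raw_message, whois_text, today, max_age_days=30):
    """Return the list of findings a reviewer should see before the user does."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    auth = auth_results(msg)
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("auth_pass")  # infrastructure verified; intent is not
    from_domain, reply_domain, mismatch = reply_to_mismatch(msg)
    if mismatch:
        findings.append(f"reply_to_mismatch:{from_domain}->{reply_domain}")
    if from_domain in SHARED_SENDER_DOMAINS:
        findings.append(f"shared_sender_platform:{from_domain}")
    age = domain_age_days(whois_text, today)
    if age is not None and age < max_age_days:
        findings.append(f"young_reply_domain:{age}d")
    return findings


def run_sample():
    """Triage the constructed sample; used by the __main__ block below."""
    return triage(SAMPLE_MESSAGE, SAMPLE_WHOIS, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Note what the findings mean together: "auth_pass" on its own is the green light the gateway already gave; it becomes a signal only when combined with a Reply-To on a different domain, a sender domain that is a shared platform, or a Reply-To domain registered days ago. A message with none of the other findings is ordinary platform mail and should not be blocked on "auth_pass" alone.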

How Security Awareness Training Addresses This

KnowBe4's approach targets the specific behaviors that allow these scams to succeed.

  • Email Filters Trust Legitimate Domains: The Phishing Security Test establishes your organization's baseline phish-prone percentage using simulations that mirror the Shopify domain tactic. This reveals how many users click before verifying sender details.
  • Users Miss Domain Misalignment: Security Awareness Training modules teach users to hover over sender fields, inspect reply-to addresses, and verify domain age through WHOIS lookups before acting on unexpected requests.
  • Crypto Wallet Prompts Feel Urgent: Customizable training scenarios replicate breach-related urgency framing, conditioning users to pause and verify even when messages reference real incidents they were exposed to.

Who This Is For

  • IT Security Managers responsible for reducing phish-prone behavior across user populations
  • Security Awareness Managers building training programs that address platform abuse tactics
  • CISOs evaluating whether current technical controls leave exploitable gaps
  • Compliance Managers documenting user training requirements for frameworks that mandate awareness programs

Call to Action

Measure your organization's phish-prone percentage and train users to recognize domain misalignment before the next breach-related scam arrives. Visit https://content.optrics.com/knowbe4-security-awareness-training

FAQ

Why do DMARC-validated emails still contain phishing content?
DMARC confirms that the message passed SPF or DKIM with a domain aligned to the visible From: address; it does not evaluate the content. Attackers abuse transactional email platforms like Shopify that send on behalf of third parties, so your gateway trusts the delivery source while the message itself remains fraudulent.

How do users identify domain misalignment when the sender field looks correct?
Users must inspect the Reply-To address, which often differs from the sender domain. In the Kroll scam, emails sent from Shopify routed replies to ginsgin.com. Training users to check the Reply-To field before clicking provides a manual check when technical filters pass the message.

What makes crypto wallet phishing more damaging than credential theft?
A stolen password can be reset and the account locked; a wallet transfer is a signed blockchain transaction that no central party can reverse. Once users connect wallets to fraudulent sites and approve what the site requests, the funds can be moved out and are not recoverable. This irreversibility makes wallet phishing significantly costlier than traditional credential compromise.

How does phish-prone percentage measurement improve security posture?
Baseline testing reveals how many users click phishing simulations before receiving training. This metric identifies high-risk populations and measures improvement over time, allowing security teams to allocate training resources where exposure is greatest and demonstrate risk reduction to leadership.


Optrics is an engineering firm with certified IT staff specializing in network-specific software and hardware solutions.

Contact Information

6810 - 104 Street NW
Edmonton, AB, T6H 2L6
Canada
Google Plus Code GG32+VP
Direct Dial: 780.430.6240
Toll Free: 877.430.6240
Fax: 780.432.5630
Copyright 2025 © Optrics Inc. all rights reserved. 