Shein is a household name when it comes to fast fashion: An enormous web retailer with a bazaar of different brands, outfits, and accessories at suspiciously cheap prices. But is buying from Shein safe? We’re going to get to the bottom of that – from a cybersecurity standpoint at least.

Key points of this article:

  • Shein is a legitimate retailer, with its headquarters in Singapore and charting sales of $38bn in 2024.
  • It’s generally safe to buy from Shein from a cybersecurity perspective, but be aware of privacy concerns and impersonation scams.
  • Best practice: While Shein allows for a number of payment options, use either a virtual or single use credit card, or PayPal, to make purchases. Ensure your account has a unique password with Multi-factor Authentication (MFA) enabled and share as little personal data as possible.

What safe online shopping looks like

There are four key considerations when it comes to online shopping:

  • Security: Are your payment details and other sensitive data safe with Shein? Is your account secured against takeover? Should you worry about scams, malware, phishing, and payment abuse?
  • Privacy: Is your sensitive data encrypted by the merchant? How does the merchant use it? Are they collecting and storing data securely and with your permission? Are they sharing it with others? Where is the data stored, and which borders is it being moved across?
  • Consumer Protection: What happens when something goes wrong? Can you expect your order to arrive promptly, and are returns handled efficiently and properly? Are goods priced accurately and consistently, and is it easy to speak to someone when you need help?
  • Product quality: Are the products you buy of good quality, and are they legitimate? Have they harmed you, others, or the environment? Or will they?

This guide will address the first two elements. For the 2nd and 3rd elements click here.

Is Shein legit or a scam?

Shein is a legitimate company headquartered in Singapore with massive shipping and fulfillment capabilities. It originally started out in 2008 as a marketplace that shipped orders to customers in the US and Europe from a huge number of manufacturers and wholesalers in China. Nowadays, it runs its own supply chains and can be regarded as a fully integrated fashion retailer, with everything from in-app social media channels to supply chains and e-commerce platforms under one roof.

There are a couple of things that might make people hesitate, but none are cybersecurity dealbreakers: Products can vary in quality and have sizing inconsistencies. It can be difficult to return items that aren’t needed or don’t fit, and talking to support can be frustrating (hardly a unique experience, of course). Finally, one of the biggest issues is that Shein is an attractive brand for scammers to impersonate.

Impersonation can take the form of fake sites or discount vouchers, phishing attacks, and so on. But this isn’t solely a Shein-related negative, as impersonation scams affect every successful commercial organization, as well as individuals.

How do scammers exploit the Shein brand?

Shein itself is a legitimate business - one of the many reasons scammers like to impersonate it. But how do they do that, exactly?

  • Fake storefronts: These might be dodgy domains incorporating or obfuscating the Shein name. Incorporation (also called combo-squatting) might be something like ‘sheinbargains’, while obfuscation (also called a homoglyph attack) might be something like ‘she1n’, carefully picked to snag distracted or eager customers. They can also take the form of social media account impersonation, where an advert on social media looks like a legitimate communication from Shein but sends visitors to another site.
  • Phishing via email or SMS/messaging: Beware of messages about refunds, order confirmations or parcels that are on hold for delivery. The same goes for fake support chats, with someone claiming to be from Shein and wanting to discuss a recent order or return. None of this is unique to Shein, but all trade on the brand recognition of a large supplier or retailer. If you receive a message, no matter how legitimate it might look, the best option is to log into your account or the app to confirm. Often, these messages are written specifically to provoke urgency and panic to drive victims to act before thinking.
  • Coupon bait: Be wary of popups, emails or messages promising freebies, mystery boxes or discounts. Often, these are employed to prompt users to enter their account credentials, sign up for spurious subscriptions, or download less-than-savory software.
  • Account takeover: Attackers will try to steal your account details for fraud, ordering goods via your account for delivery elsewhere. They might also sell your credentials to others. Primarily, credential theft is executed through phishing emails, smishing, or coupon bait.
  • Deal ‘helpers’: Another social engineering scam is the promotion of fraudulent ‘helper’ apps or accounts that offer to find customers the cheapest deals or deepest discounts. These often ask the user to download additional software or to enable access to their mobile device or web browser, among other possible app permission asks.
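
An added example, not part of the original article: a small Python heuristic that sorts hostnames into the fake-storefront categories described in the list above (official, combo-squat, homoglyph look-alike). It assumes shein.com is the only official domain, treats the last two labels as the registrable domain, and uses a small constructed look-alike table; the sample hostnames are constructed.

```python
import unicodedata

BRAND = "shein"
# Assumption for this example: the only official registrable domain.
OFFICIAL = {"shein.com"}
# Small constructed table of look-alike characters (digits and Cyrillic).
LOOKALIKES = str.maketrans({
    "1": "i", "3": "e", "5": "s", "0": "o",
    "\u0435": "e", "\u0455": "s", "\u0456": "i", "\u04bb": "h",
})


def skeleton(label: str) -> str:
    """Fold accents, compatibility forms and look-alikes to plain letters."""
    decomposed = unicodedata.normalize("NFKD", label)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.translate(LOOKALIKES)


def classify(host: str) -> str:
    """Return 'official', 'combo-squat', 'homoglyph' or 'unrelated'."""
    labels = host.lower().rstrip(".").split(".")
    # Naive registrable domain: last two labels (no public-suffix list).
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official"
    names = labels[:-1]  # ignore the TLD itself
    if any(BRAND in name for name in names):
        return "combo-squat"  # brand spelled correctly, wrong domain
    if any(BRAND in skeleton(name) for name in names):
        return "homoglyph"    # brand only appears after folding
    return "unrelated"


# Constructed sample hostnames; two reuse the strings quoted in the article.
SAMPLES = ["www.shein.com", "sheinbargains.com", "she1n.com",
           "sh\u0435in.shop", "example.org"]


def triage(hosts):
    """Map each hostname to its verdict."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{verdict:12} {host!r}")
```

This is a substring heuristic, so it will also flag unrelated names that happen to contain the brand string; treat a hit as a reason to check the address bar, not as proof of fraud.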

Should I use the Shein app, or website?

It goes without saying, but only download the Shein app from an official app store such as Google Play Store or Apple’s App Store. That said, we’d suggest using a web browser instead for several reasons:

  • Apps will access device identifiers and may run other background activity, representing a privacy and security risk.
  • Apps often ask for more permissions than they need: location, camera access, and microphone access, for example.
  • Web browser-based shopping with strict permission controls (say ‘no’ to popups asking you to share your location or other data) is likely the most privacy-conscious option.
  • If you really want to use a smartphone-based app, keep both it and your mobile OS updated, review all permissions, deny any not needed for shopping (for example, contact or microphone), and turn off notifications. If you’re only using the app every now and then, consider uninstalling it.

How safe is the Shein website?

This is a bit of a trick question. Shein’s website uses TLS certificates and HTTPS to reduce the risk of data being intercepted as it goes back and forth between you and its website or app, but that doesn’t prevent your account from being taken over.

Shein’s website is safe — right up until it isn’t. In 2022, Shein’s parent company was fined for hiding the extent of a customer data breach that involved the compromise of 39 million customer accounts, despite claiming only 6.42 million accounts had been compromised.

Realistically, you should be more concerned about the day-to-day risks of attacks like credential-stuffing, phishing, and using devices rife with malware such as infostealers. Thankfully, these can be addressed with some simple, pragmatic steps: avoiding password re-use and using multifactor authentication (MFA), thinking before you click or reply (especially if communication is framed as urgent), and using a strong cybersecurity solution on your devices.

Securing your Shein account to prevent takeover and fraud

There are a few fundamentals that apply to general internet life that will massively reduce your risk exposure:

  • Pick a long, complicated, unique password. Password managers, including the ones built into your smartphone or web browser, can be used to generate long passwords. Use this password exclusively for your app or web account—never re-use it anywhere else. Also consider changing your password regularly, especially if you suffer a cyberattack or are adding or changing devices linked to your account. You can also use the ESET Password Generator for an easier time in creating strong, unique passwords.
  • Always use MFA if available and be wary if it isn’t. Technology giants like Google or Microsoft offer Authenticator apps for smartphones, and these provide another layer of protection for your account. SMS authentication is another option, but it’s not as secure.
  • Watch for takeover signals. Are you getting password reset emails you didn’t request? Do new addresses turn up in your account info? Are there orders you don’t remember placing? All of these are signs your account is compromised.

Shein and privacy

It is always recommended to share the absolute minimum of required information with any third party, and this definitely applies to online retailers.

What data may be collected? Online retailers usually collect data regarding: your identity and contact information, shipping address or addresses, your purchase history, support interactions, device identifiers (a way to understand which devices you usually use to access its services), cookie and advertising IDs, and a whole raft of other behavioral analytics.

Bear in mind that the French National Commission on Informatics and Liberty (CNIL) fined a subsidiary of Shein 150 million Euros for failing to comply with cookie placement rules.

What data may be shared? Shein and other merchants will share data with payment processors, logistics companies, analytics and attribution vendors, ad networks, and fraud prevention services. Retailers’ partners may not be fully compliant with privacy norms and regulations.

What should I be concerned about? There is a big distinction between sharing data to achieve the outcome the customer is asking for (i.e. making a sale and delivering it safely without fraudulent activity by criminals) and either selling or sharing data for targeted advertising.

The main concerns are data breaches and credential theft. Large databases are popular targets for cybercriminals. Once exposed, your data may be abused for identity fraud.

Top tips for guarding your privacy

  • Have a dedicated email address just for shopping, or just for Shein interactions. Many email providers now offer this functionality. In fact, if you use an iPhone, you should see it (hide my email) whenever you set up an account. This makes it easier to spot scams and phishing attempts, and it also separates your shopping activity from the rest of your life somewhat. This goes for pretty much any other commercial account you might want to set up.
  • Don’t use your social accounts for login or share them unless you absolutely must. It might seem easier to create an account using an existing social network identity such as Facebook Login, but it also ties the two accounts together and facilitates data sharing.
  • Don’t save payment methods unless you have to. Storing credit or debit card data in your Shein app or account is, just like elsewhere, a potential risk in the event of a breach.
  • Cut marketing consent and personalized ads back as far as possible. Say ‘no’ to these if you can possibly help it.
  • Use a browser rather than an app. Browser-based shopping often involves handing over fewer device permissions than an app.

How should I pay Shein for my purchase?

PayPal has good buyer protection and probably represents the lowest exposure to risk out of all the payment options available. Credit card providers also offer some form of buyer protection - but check your local rules to be sure. For example, credit card users in the United Kingdom get a lot of buyer protections that aren’t available to those in the USA. Depending on the jurisdiction, credit cards have better buyer protection than debit card options. Another route, if you want to avoid both PayPal and credit card accounts, is to use prepaid cards or virtual cards.

Once you’ve made a payment, keep an eye on your bank or PayPal account to check for any suspicious-looking transactions.

If you spot a suspicious transaction, tell your payment provider immediately and ask it to freeze or lock your account or payment method. Dispute any unauthorized charges. Also change your Shein account password and remove any saved addresses or payment methods just in case - although if your account has been compromised by credential stuffing or a similar attack, it’s possible the damage has already been done.

How to shop on Shein safely

  1. Before you shop: Use a dedicated email or email alias when setting up your Shein account and secure it with a unique password and MFA. Don’t save payment methods in your account until absolutely unavoidable and consider not saving them at all.
  2. When you check out: Use PayPal or a prepaid credit card if you can. Avoid using a debit card. Don’t shop or finish orders on public Wi-Fi and consider always using a VPN to mask your connection. Moreover, delete any payment information such as credit card numbers from your Shein account.
  3. Once you’ve received your order: Delete any saved payment info, keep an eye on your bank account for any suspicious transactions that might signal account takeover, and review any app permissions regularly if you must use the app instead of a web browser.

What can I do to secure my returns and customer service?

Some top tips: Screenshot all your interactions and keep all the emails you get from Shein during a transaction. Pick and use a payment method that has a robust dispute mechanism if you order something that doesn’t get delivered or is completely different from what you bought.

Expert insights

“The biggest risk with shopping online is rarely the checkout itself but everything that surrounds it such as random communications associated with a brand or online shop. Popular brands generate noise and criminals hide inside that noise using fake discounts, cloned websites and urgent delivery messages to trick people into handing over their logins or payment details. If an account is compromised, cybercriminals can quietly change delivery addresses, drain saved payment methods or harvest personal data for resale.

Therefore, the safest behavior is to only use the official site or app, never reuse your passwords from anywhere else, enable MFA, and assume that any unexpected messages about refunds are fraudulent. With fast fashion, the real danger is not cheap clothes but how easily a rushed click can turn into a costly mistake.”

- Jake Moore, Global Security Advisor

Stay safe online

Concerned about scams, fake websites, or stolen data? ESET HOME Security Ultimate helps protect what matters most during your everyday online activities, including banking, browsing, and staying connected. It includes:

  • Safe Banking & Browsing
  • Anti-Phishing
  • Browser Privacy & Security
  • Ransomware Shield
  • Identity Protection
  • Secure VPN

Whether you’re managing finances, working remotely, or using public Wi‑Fi on the go, you’re covered. For mobile protection, install ESET VPN and ESET Mobile Security for Android - both included in your ESET HOME Security Ultimate subscription - so you can stay protected anytime, anywhere.

Conclusion

Should I shop Shein: yes or no? In many ways, shopping on Shein is as risky and as safe as any other online transaction. However, there are a few extra considerations to weigh, based on how it has handled data breaches in the past and how invasive mobile apps are becoming.

Yes:

  • You use a form of protected payment, harden and secure your account, avoid using the app and keep your expectations realistic about how long it will take to receive items, their quality and fit, and how tricky it might be to return them if they’re not what you want.

No:

  • If you’re sensitive about your privacy, have been a victim of identity theft in the past, or if you need something delivered fast or expect a lot of customer support, you might want to avoid using Shein.

Frequently asked questions 

Is it safe to order from Shein?

Generally safe enough if you use protected payments and account hardening, but the biggest risks are post-purchase via impersonation scams and account takeover.

Does Shein sell your data?

Shein claims it does not sell or share customer data with anyone. A more useful frame is whether data is collected and shared for advertising or service delivery. Minimize what you provide and restrict permissions.

Is it safe to use a credit card on Shein?

Use PayPal or a virtual/single-use card when available. If you use a credit card, monitor statements and dispute unauthorized charges quickly. Avoid using a debit card for online transactions generally.

Is the Shein app safe?

For any app, install only from official stores, keep it updated, and minimize permissions. Again, favor purchases via the retailer’s browser checkout; that approach can reduce permission exposure.

Has Shein had a data breach?

There is documented enforcement tied to Zoetop (then owner of Shein/Romwe) related to breach handling. Use it as a reason to harden your account hygiene.