Handling fraud orders in Shopify when the fraudsters won't quit
Shopify stores are experiencing a new form of fraud order that incurs massive transaction fees for merchants, and the fraudsters won’t quit. Worst of all, at the moment Shopify seems ill-prepared for this new form of fraud, but we have a solution.
What is this new form of fraud?
Tell me if this sounds familiar. You run a Shopify store, and suddenly you’re starting to see an increase in fraud orders coming through. Every fraud order has a different address and customer name, but they all use the same card issuer, and weirdly, every time they make an order, they contact you to cancel it.
This may seem annoying but harmless at first, until you realise that the fraudsters are racking up massive transaction fees that you won’t be getting back, messing with your stock levels, and wasting your time.
I currently work with or manage approximately 200 different Shopify stores, primarily in New Zealand, and starting in March this year (2023), a number of our stores started experiencing an influx of very similar fraud orders:
- All fraud orders used bogus names and email addresses set up with Gmail.
- They seem to commonly target stores with high-value products, such as clothing boutiques.
- All fraud orders used the same card issuer; in our case it was “THE SAUDI NATIONAL BANK”.
- Every time they made a fraudulent order, they immediately contacted us and asked for it to be cancelled.
- The source IP address was in Saudi Arabia, but when we blocked the country using a Shopify app, they started using a VPN so that their traffic appeared to come from other countries.
At first, this type of fraud may seem strange: traditionally, fraud orders aim to actually receive goods paid for with stolen credit cards, but in this instance the fraudsters do not want the goods, and they go as far as asking you to cancel the order. They do this because they are using your store to test a batch of stolen credit cards, confirming which cards still work before using them elsewhere. That also means they won’t stop once they fail to receive the goods they ordered from you, because receiving goods was never their goal.
My personal experiences with this form of fraud
When I first noticed this type of fraud in one of our stores, I did what I’ve done before when a store is targeted by fraud, which is:
- Install a Shopify app to block specific countries, IP addresses, and VPNs/proxies, such as https://apps.shopify.com/bm-country-ip-blocker
- Install a Shopify app to automatically cancel high-risk orders. The previous app also does this, but personally, I use https://apps.shopify.com/fraud-filter
But I noticed the fraudsters were circumventing the blockades set up by any app we installed. They can do this because, when your storefront is hosted on Shopify (Liquid themes) and you rely on a Shopify app to block website visitors, the app’s script always loads after the page itself, giving the malicious user a window of time to add a product to the cart, create an account, and go to the checkout using browser scripts on their end. If they are really savvy, they can also stop these apps from loading at all by blocking the external scripts the apps depend on.
You may be wondering what Shopify can do about your fraudulent orders, and the short answer is: not much at all. This may change over time as the number of merchants experiencing this type of fraud increases, but so far my conversations with Shopify support on this matter, on behalf of the merchants I work with, have been disappointing. They currently do not understand that this new type of fraud is not trying to receive the physical goods from the fraudulent orders, so any communication with their support team gives the same set of recommendations:
- Block the website visitors using a Shopify app.
- The fraudsters will give up once they realise they are unable to receive any goods from your store.
The first recommendation we already did with no success, and the second recommendation was categorically wrong.
Shopify should have the means to block these orders before they are made; they could give you the option to block a specific credit card issuer, or at least the option to require all users who log in to complete a reCAPTCHA, but at the moment you’re left on your own to fix this problem, all the while racking up possibly thousands in transaction fees from these fraud orders.
Not refunding these orders is also not an option. Ethics aside, the bank will easily side with the cardholder, and chargebacks typically have another fee that you will have to pay. If you receive too many disputed transactions, your Shopify Pay account may also get suspended.
What can you do about these fraud orders?
The first thing you should do is go to Settings > Payments and enable manual payment capture. This means the payment method is validated at checkout, but the customer is not charged until you manually capture the payment in the admin, which you have a week-long window to do. With this enabled, you can still accept payment for the non-fraudulent orders, and simply cancel the fraud orders without incurring any transaction fees from Shopify.
If you are on the Shopify Advanced plan or higher, you can also use the Shopify Flow app to automatically capture payments for orders that are not high fraud risk. I would also recommend excluding medium-risk orders from automatic capture as well.
With this flow in place, you won’t have to worry about going through the effort of manually capturing payment for legitimate orders on your store.
Unfortunately, this won’t stop the fraudulent orders from coming into your store, but this will solve the most important issue that they cause (the massive transaction fees you’ll be forced to pay when you refund them).
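The capture rule above, as an added example rather than anything from the post or from Shopify: a triage pass over orders awaiting manual capture that skips high-risk (optionally medium-risk) orders and also holds orders matching the card-testing pattern described earlier (a burst of orders on one card issuer, each under a different customer, nearly all followed by a cancellation request). Field names, issuer strings, emails and timestamps are constructed for the example; "low"/"medium"/"high" are Shopify's order risk levels.

```javascript
// Added example, not code from the post. Shopify Flow cannot express the
// issuer-burst check, so this would run as your own script against orders
// exported from the admin before you capture payment.
const HOUR_MS = 60 * 60 * 1000;

function triageOrders(orders, opts = {}) {
  const { holdMedium = true, windowMs = 24 * HOUR_MS, minBurst = 3 } = opts;
  return orders.map((o) => {
    // All orders on the same card issuer within +/- windowMs of this one (itself included).
    const burst = orders.filter(
      (p) => p.cardIssuer === o.cardIssuer && Math.abs(p.createdAt - o.createdAt) <= windowMs,
    );
    const customers = new Set(burst.map((p) => p.email.toLowerCase())).size;
    const cancels = burst.filter((p) => p.cancelRequested).length;

    if (o.riskLevel === 'high' || (holdMedium && o.riskLevel === 'medium')) {
      return { id: o.id, action: 'hold', reason: `shopify risk level ${o.riskLevel}` };
    }
    // Card-testing signature: several orders, every one a different "customer",
    // almost all asking to be cancelled. A genuine repeat buyer does not match.
    if (burst.length >= minBurst && customers === burst.length && cancels >= burst.length - 1) {
      return {
        id: o.id,
        action: 'hold',
        reason: `card testing: ${burst.length} orders on ${o.cardIssuer} by ${customers} customers, ${cancels} cancel requests`,
      };
    }
    return { id: o.id, action: 'capture', reason: 'no fraud signal' };
  });
}

// Constructed sample: three card-testing orders on one issuer, one genuine order,
// and one order that Shopify itself scored as high risk.
const t0 = Date.UTC(2023, 2, 14, 9, 0); // 2023-03-14 09:00 UTC
const SAMPLE_ORDERS = [
  { id: '1001', email: 'a.smith91@gmail.com', cardIssuer: 'THE SAUDI NATIONAL BANK', riskLevel: 'low', cancelRequested: true, createdAt: t0 },
  { id: '1002', email: 'jdoe.nz@gmail.com', cardIssuer: 'THE SAUDI NATIONAL BANK', riskLevel: 'low', cancelRequested: true, createdAt: t0 + 2 * HOUR_MS },
  { id: '1003', email: 'm.brown77@gmail.com', cardIssuer: 'THE SAUDI NATIONAL BANK', riskLevel: 'low', cancelRequested: true, createdAt: t0 + 5 * HOUR_MS },
  { id: '1004', email: 'regular@example.co.nz', cardIssuer: 'EXAMPLE BANK NZ', riskLevel: 'low', cancelRequested: false, createdAt: t0 + 3 * HOUR_MS },
  { id: '1005', email: 'someone@example.com', cardIssuer: 'EXAMPLE BANK NZ', riskLevel: 'high', cancelRequested: false, createdAt: t0 + 6 * HOUR_MS },
];

// Returns { orderId: 'hold' | 'capture' } for the sample above.
function sampleDecisions() {
  return Object.fromEntries(triageOrders(SAMPLE_ORDERS).map((d) => [d.id, d.action]));
}
```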
Beyond enabling manual payment capture, you can make the fraudster’s job more difficult by installing an app to block certain countries or VPNs/proxies as outlined above.
If you want the fraudsters to not be able to visit your website at all, the best solution is hosting your storefront off Shopify, using a platform such as Vercel with NextJS, so that you can implement middleware that blocks users by their geolocation, IP address, or other factors before the site loads. Rebuilding your website just to block fraud is an expensive endeavour that may not be worth it, but if you run a large store that is heavily targeted by fraud orders and you are dead set on getting rid of them, it may be worth it to you.
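The edge-side check that makes this approach work, as an added example that is not code from the post: the allow/deny decision runs before any HTML or Shopify app script is served, so there is no window for a visitor to race the blocker. On Vercel, Next.js 13-era middleware receives `request.geo?.country` and `request.ip`; the policy is kept as plain functions so it can be tested without Next.js. The blocked country code and CIDR are a constructed policy, not a recommendation for any specific store.

```javascript
// Added example, not the post's code. Policy values below are constructed.
const BLOCKED_COUNTRIES = new Set(['SA']); // ISO 3166-1 alpha-2 codes
const BLOCKED_CIDRS = ['203.0.113.0/24']; // 203.0.113.0/24 is a documentation range

// Parse dotted-quad IPv4 to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Decision for one request. Missing geo data (e.g. local dev) is allowed rather than
// failing closed; tighten this if the store only ships domestically.
function checkoutAccess({ country, ip }) {
  if (country && BLOCKED_COUNTRIES.has(country.toUpperCase())) {
    return { allow: false, status: 403, reason: `country ${country} blocked` };
  }
  if (ip && BLOCKED_CIDRS.some((c) => inCidr(ip, c))) {
    return { allow: false, status: 403, reason: `ip ${ip} in blocklist` };
  }
  return { allow: true, status: 200, reason: 'ok' };
}

// Wiring in middleware.js on Vercel (Next.js 13 API; shown for context, not executed here):
//   import { NextResponse } from 'next/server';
//   export function middleware(req) {
//     const d = checkoutAccess({ country: req.geo?.country, ip: req.ip });
//     return d.allow ? NextResponse.next() : new NextResponse(d.reason, { status: d.status });
//   }
//   export const config = { matcher: ['/((?!_next/static|favicon.ico).*)'] };
```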
Update August 9th 2023: Shopify recently released a new app that blocks fraud orders at checkout called Fraud Control. With this app, you can block IP addresses from ordering through Shopify’s checkout. Unfortunately, you have to add the IP addresses yourself manually, but it is a good way to block repeat orders from the same IP address.