Fraud Prevention for Shopify Stores
Ecommerce fraud cost online retailers $48 billion globally in 2024, with Shopify merchants collectively experiencing hundreds of millions in fraudulent chargebacks annually. The fraud landscape evolves faster than most merchants realize: sophisticated bot networks, synthetic identity fraud, and organized return fraud schemes specifically target Shopify stores because their payment flows are predictable.
This guide provides a multi-layer fraud prevention framework: understanding fraud types, leveraging Shopify's built-in tools, implementing third-party verification, and building operational processes that catch fraud before fulfillment.
Key Takeaways
- Shopify Protect (formerly Fraud Protect; US and Canada only) covers chargebacks on orders it approves — use it if eligible
- The fraud analysis score in Shopify Admin is a starting point, not a definitive answer
- Card-not-present (CNP) fraud is the most common type — velocity checks and AVS/CVV matching are essential
- Chargeback rates above 1% of transactions trigger processor review and potential account termination
- Fulfilled orders cannot be recalled — the fraud window is the time between order placement and fulfillment
- Return fraud accounts for 10-15% of total fraud losses for apparel and electronics merchants
- Digital goods require the most aggressive fraud controls because there is no physical goods recovery
- Address Verification Service (AVS) mismatch is a strong fraud signal but also blocks legitimate international orders
Understanding Shopify Fraud Types
Card-not-present (CNP) fraud
The most common form. A fraudster uses stolen credit card details to place an order. The real cardholder disputes the charge, the card issuer charges the transaction back to you, and you lose both the goods and the revenue.
CNP fraud signals:
- Billing and shipping addresses do not match
- Multiple orders to the same address from different cards
- Order placed at hours that are unusual for the store's primary market
- High-value orders from a newly created account
- Expedited shipping selected (fraudsters want goods fast, before the card is cancelled)
Account takeover fraud
A fraudster gains access to a customer's existing account (via credential stuffing from data breaches) and places orders using saved payment methods and shipping to a new address.
ATO signals:
- Password reset followed immediately by a new order
- Shipping address changed followed immediately by an order
- Login from a new device or IP country followed by an order
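The three ATO signals above are all sequence checks over account activity: a sensitive event followed closely by an order. The following Python script, added here as an illustration and not part of the original article or of any Shopify product, runs those checks over a constructed account event stream. It assumes "immediately" means within one hour (the `ATO_WINDOW` value is an assumption you would tune), and a "new" IP country is one the account has never logged in from before.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str          # "login", "password_reset", "address_change", "order"
    country: str = ""  # IP country; only meaningful for "login" events


# Assumption: a sensitive event counts as "immediately before" an order
# when it happened within this window. Tune per store.
ATO_WINDOW = timedelta(hours=1)


def ato_signals(events, window=ATO_WINDOW):
    """Return one dict per order that was preceded, within `window`, by a
    password reset, a shipping-address change, or a login from an IP country
    the account has not used before (the three signals in the text)."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    flags = []
    for account, evs in by_account.items():
        # First pass: which logins came from a country never seen on this account?
        seen_countries, new_country_logins = set(), set()
        for e in evs:
            if e.kind == "login":
                if seen_countries and e.country not in seen_countries:
                    new_country_logins.add(e.ts)
                seen_countries.add(e.country)

        # Second pass: look back from each order within the window.
        for i, e in enumerate(evs):
            if e.kind != "order":
                continue
            reasons = []
            for p in evs[:i]:
                if e.ts - p.ts > window:
                    continue
                if p.kind == "password_reset":
                    reasons.append("password reset shortly before order")
                elif p.kind == "address_change":
                    reasons.append("shipping address changed shortly before order")
                elif p.kind == "login" and p.ts in new_country_logins:
                    reasons.append("login from new IP country shortly before order")
            if reasons:
                flags.append({"account": account, "order_ts": e.ts, "reasons": reasons})
    return flags


# Constructed sample events (not real customer data).
D = datetime(2025, 3, 1)
SAMPLE_EVENTS = [
    # c-100: normal first login and purchase, no signal
    Event(D + timedelta(hours=10), "c-100", "login", "US"),
    Event(D + timedelta(hours=10, minutes=5), "c-100", "order"),
    # c-200: established US account, then a burst of changes from a new country
    Event(D + timedelta(hours=12), "c-200", "login", "US"),
    Event(D + timedelta(days=2, hours=2), "c-200", "login", "RO"),
    Event(D + timedelta(days=2, hours=2, minutes=3), "c-200", "password_reset"),
    Event(D + timedelta(days=2, hours=2, minutes=5), "c-200", "address_change"),
    Event(D + timedelta(days=2, hours=2, minutes=10), "c-200", "order"),
    # c-300: address change two days before the order, outside the window
    Event(D + timedelta(days=5, hours=9), "c-300", "address_change"),
    Event(D + timedelta(days=7, hours=9), "c-300", "order"),
]

if __name__ == "__main__":
    for flag in ato_signals(SAMPLE_EVENTS):
        print(flag["account"], flag["order_ts"], "; ".join(flag["reasons"]))
```

Only the c-200 order is flagged, with all three reasons; the c-300 address change is too old to count. In production the event stream would come from your store's customer-account logs and the flagged orders would be tagged for review rather than printed.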
Refund and return fraud
Customers (or organized fraud rings) exploit return policies to receive refunds while keeping merchandise, return different items, or claim non-delivery on delivered orders.
Friendly fraud (chargeback abuse)
A customer makes a legitimate purchase, receives the goods, then disputes the charge claiming non-delivery or unauthorized use. Difficult to prove, and banks often side with cardholders in ambiguous cases.
Promo abuse
Customers create multiple accounts to abuse welcome discounts, free shipping thresholds, or referral programs. Less financially devastating but volume-intensive and skews marketing metrics.
Shopify's Built-In Fraud Tools
Shopify Fraud Analysis
Every order in Shopify Admin includes a fraud analysis section with indicators:
| Indicator | Meaning |
|---|---|
| Green checkmark | This factor reduces fraud risk |
| Red X | This factor increases fraud risk |
| Gray dash | Information unavailable |
Key fraud indicators Shopify checks:
- AVS result (billing address matches card records)
- CVV result (security code matches)
- IP country matches billing country
- Email domain age and validity
- Proxy or VPN usage detection
- Prior chargebacks from this card
Reading the overall risk level:
- Low: Proceed with fulfillment
- Medium: Review the specific red indicators before fulfilling
- High: Hold fulfillment, contact customer for verification, or cancel
Shopify Protect (formerly Fraud Protect)
Available to eligible US and Canadian merchants using Shopify Payments. For orders that Shopify Protect approves, Shopify covers chargeback losses from fraudulent orders. Cost: varies per order, displayed before you fulfill. This effectively transfers fraud risk to Shopify for covered orders.
Requirements for Shopify Protect coverage:
- Order must be placed through Shopify Payments
- Order must receive a "Protected" badge in Admin
- Merchant must follow Shopify's fulfillment timing requirements
- Digital goods orders are generally not eligible
Setting up order risk thresholds:
In Shopify Admin > Settings > Payments > Fraud prevention, configure:
- Automatically cancel high-risk orders (aggressive but reduces manual review burden)
- Send notification for medium-risk orders for manual review
The right threshold depends on your margins and product category. High-value electronics: cancel all high-risk automatically. Low-value apparel: manual review for high-risk, automatically fulfill medium-risk.
Third-Party Fraud Prevention Tools
For stores processing more than $50,000/month in revenue, dedicated fraud prevention tools provide significantly better protection than Shopify's built-in analysis.
| Tool | Monthly Cost | Approach | Best For |
|---|---|---|---|
| NoFraud | Custom | ML scoring + chargeback guarantee | Mid to large merchants |
| Signifyd | Custom | ML + guaranteed coverage | Enterprise |
| Kount (now Equifax) | Custom | Network-based ML | High volume |
| Subuno | $49-199 | Rule-based + ML | Small to mid merchants |
| Fraud Scanner | $29-199 | Shopify-native rules | Small merchants starting out |
NoFraud: Provides a "Fail/Pass" decision on every order within seconds. For orders it marks "Pass," NoFraud provides a chargeback guarantee — they pay the chargeback if a "Pass" order turns out to be fraudulent. Cost per order is typically $0.05-0.20 depending on volume and category.
Signifyd: Similar model to NoFraud but with a larger merchant network database. Their "Commerce Protection" offering covers the entire order lifecycle from placement through return fraud.
Address Verification and Identity Checks
AVS (Address Verification Service)
AVS compares the billing address provided by the customer against the address on file with the card issuer. Shopify Payments and most payment processors support AVS.
AVS response codes:
| Code | Meaning | Risk Level |
|---|---|---|
| Y | Full match (street + ZIP) | Low risk |
| A | Street matches, ZIP doesn't | Medium risk |
| Z | ZIP matches, street doesn't | Medium risk |
| N | No match | High risk |
| U | Unavailable (non-US card) | Medium risk |
Important: Non-US cards often return "U" (unavailable) for legitimate orders because international card issuers do not participate in AVS. If you ship internationally, do not automatically cancel AVS "U" orders — review holistically.
CVV matching
The CVV (Card Verification Value) is the 3-4 digit code on the card. Shopify Payments checks that the provided CVV matches the card record. A CVV mismatch should always trigger manual review or automatic cancellation.
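The AVS table and the "U" caveat are easy to get wrong in an automated rule, because a policy of "cancel anything that is not a full match" silently cancels legitimate orders paid with non-US cards. The following Python example is added here to show the weak policy next to a corrected one; it is not code from the article or from Shopify, and the `card_country` input is an assumption (in practice it comes from the issuer BIN data your processor returns).

```python
# AVS response codes and the risk levels from the table above.
AVS_RISK = {
    "Y": "low",     # street + ZIP match
    "A": "medium",  # street matches, ZIP does not
    "Z": "medium",  # ZIP matches, street does not
    "N": "high",    # no match
    "U": "medium",  # unavailable (typically a non-US issuer)
}


def naive_decision(avs_code, cvv_match):
    """Weak policy: anything short of a full AVS match is cancelled.
    This throws away legitimate international orders that return 'U'."""
    if not cvv_match or avs_code != "Y":
        return "cancel"
    return "approve"


def holistic_decision(avs_code, cvv_match, card_country):
    """Corrected policy: CVV mismatch always goes to review, AVS 'U' on a
    non-US card is judged on the other indicators rather than cancelled,
    and only a hard AVS 'N' holds fulfilment outright.
    Returns (decision, reason)."""
    if not cvv_match:
        return ("review", "CVV mismatch: manual review before fulfilment")
    if avs_code == "U" and card_country != "US":
        return ("review", "AVS unavailable: issuer does not participate; "
                          "review the remaining fraud indicators")
    risk = AVS_RISK.get(avs_code, "unknown")
    if risk == "low":
        return ("approve", "full AVS match and CVV match")
    if risk == "high":
        return ("hold", "AVS no match: hold fulfilment and verify the customer")
    # medium or unknown code: not a decision on its own
    return ("review", f"AVS partial/unavailable ({avs_code}): review other indicators")


if __name__ == "__main__":
    # Constructed sample: a German card, CVV correct, issuer returns 'U'.
    print("naive   :", naive_decision("U", True))
    print("holistic:", holistic_decision("U", True, "DE"))
```

The German-card case is the one to watch: the naive rule returns "cancel" while the holistic rule returns "review", which is the behaviour the note above calls for. Whether "review" means a human look or a hand-off to a scoring tool is a store decision; the point is that "U" alone is not grounds for cancellation.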
Email verification
Disposable email domains (guerrillamail.com, mailinator.com, etc.) are used almost exclusively by fraudsters. Block orders from known disposable email domains using a validation rule. Tools like Kickbox or Hunter verify email deliverability at checkout — an undeliverable email is a strong fraud signal.
Phone number verification
For high-risk orders, require phone number and verify it is a real, reachable number. SMS verification during checkout (sending a code to the provided phone number) dramatically reduces CNP fraud but also increases checkout abandonment. Use for orders above a risk threshold, not all orders.
Building Fraud Rules for Your Specific Store
Effective fraud prevention uses rules calibrated to your store's specific risk profile. Generic rules over-block legitimate customers; under-tuned rules miss fraud.
Velocity rules (detect rapid repeat abuse):
| Rule | Trigger | Action |
|---|---|---|
| Same card, multiple orders, different addresses | 3+ orders in 24 hours | Flag for review |
| Same address, different cards | 5+ different cards in 7 days | Block new orders from address |
| Same email, multiple accounts | Detected via email hash | Block account creation |
| Same IP, multiple cards | 3+ cards in 1 hour | Flag for review |
Geographic rules:
- Orders shipping to high-risk geographic areas (freight forwarders, reshipping addresses)
- Orders with billing country significantly different from shipping country without a plausible explanation
- Orders from countries you do not typically serve
Order characteristic rules:
- First order, high value (over $500), expedited shipping: always review
- Gift wrapping selected without a message: sometimes used by fraudsters sending gifts to recipients
- Guest checkout (no account) + high value: higher risk than registered customer
Implementing rules in Shopify using Flow:
Shopify Flow (available on Basic and above) can automate fraud rule enforcement:
Trigger: Order created
Condition: Order risk level is HIGH
AND Order total is greater than $200
Action: Tag order with "fraud-review-required"
Action: Send email to [email protected] with order details
Action: Do NOT fulfill (hold fulfillment)
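The velocity table, the order characteristic rules and the Flow workflow above are all pure functions of an order plus recent order history, so they can be expressed and tested in code before being configured in Shopify. The following Python example is added here as an illustration; it is not the article's code nor a Shopify API. It assumes orders carry a processor card fingerprint rather than the card number, takes "high value" for the guest-checkout rule to mean the same $500 threshold used for first orders, and omits the "same email, multiple accounts" rule because that one runs on account creation rather than on orders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Most severe flag wins; "hold" corresponds to the Flow "do NOT fulfill" action.
SEVERITY = {"fulfill": 0, "review": 1, "hold": 2, "block": 3}


@dataclass(frozen=True)
class Order:
    id: str
    ts: datetime
    card: str            # processor card fingerprint / token, never the PAN
    ip: str
    ship_addr: str
    total: float
    risk_level: str      # Shopify's overall level: "LOW", "MEDIUM" or "HIGH"
    first_order: bool = False
    expedited: bool = False
    guest: bool = False
    gift_wrap_no_message: bool = False


def velocity_flags(order, history):
    """The velocity rules table, applied to `order` against earlier orders."""
    hour, day, week = timedelta(hours=1), timedelta(hours=24), timedelta(days=7)

    def within(prev, span):
        return 0 <= (order.ts - prev.ts).total_seconds() <= span.total_seconds()

    flags = []
    same_card = [o for o in history if o.card == order.card and within(o, day)] + [order]
    if len(same_card) >= 3 and len({o.ship_addr for o in same_card}) > 1:
        flags.append(("review", "same card, 3+ orders to different addresses in 24h"))
    same_addr = [o for o in history if o.ship_addr == order.ship_addr and within(o, week)] + [order]
    if len({o.card for o in same_addr}) >= 5:
        flags.append(("block", "same address, 5+ different cards in 7 days"))
    same_ip = [o for o in history if o.ip == order.ip and within(o, hour)] + [order]
    if len({o.card for o in same_ip}) >= 3:
        flags.append(("review", "same IP, 3+ cards in 1 hour"))
    return flags


def characteristic_flags(order):
    """The order characteristic rules."""
    flags = []
    if order.first_order and order.total > 500 and order.expedited:
        flags.append(("review", "first order over $500 with expedited shipping"))
    if order.gift_wrap_no_message:
        flags.append(("review", "gift wrap selected without a message"))
    if order.guest and order.total > 500:   # assumption: 'high value' means over $500
        flags.append(("review", "guest checkout with high-value order"))
    return flags


def flow_rule(order):
    """The Shopify Flow workflow from the text: HIGH risk and total > $200."""
    if order.risk_level == "HIGH" and order.total > 200:
        return [("hold", "fraud-review-required")]
    return []


def evaluate(order, history):
    """Combine all rules; return the most severe decision plus every tag raised."""
    flags = velocity_flags(order, history) + characteristic_flags(order) + flow_rule(order)
    decision = max((action for action, _ in flags), key=SEVERITY.get, default="fulfill")
    return {"order": order.id, "decision": decision,
            "tags": sorted({reason for _, reason in flags})}


# Constructed sample history (not real orders).
T0 = datetime(2025, 3, 1, 9, 0)
HISTORY = [
    # four different cards already shipped to one address this week
    *[Order(f"h{i}", T0 + timedelta(days=i), f"card-{i}", f"198.51.100.{i}",
            "12 Drop St, Apt 4", 120.0, "LOW") for i in range(4)],
    # two orders from one IP with two different cards within the last hour
    Order("h4", T0 + timedelta(days=6, minutes=10), "card-a", "203.0.113.9", "7 Other Ave", 60.0, "LOW"),
    Order("h5", T0 + timedelta(days=6, minutes=30), "card-b", "203.0.113.9", "9 Other Ave", 60.0, "LOW"),
]
DROP_ORDER = Order("o1", T0 + timedelta(days=6, hours=1), "card-4", "198.51.100.50",
                   "12 Drop St, Apt 4", 250.0, "HIGH")
IP_ORDER = Order("o2", T0 + timedelta(days=6, minutes=50), "card-c", "203.0.113.9",
                 "11 Other Ave", 45.0, "MEDIUM")
CLEAN_ORDER = Order("o3", T0 + timedelta(days=6, hours=2), "card-z", "192.0.2.7",
                    "3 Quiet Rd", 40.0, "LOW", first_order=True)

if __name__ == "__main__":
    for o in (DROP_ORDER, IP_ORDER, CLEAN_ORDER):
        print(evaluate(o, HISTORY))
```

The fifth card to the drop address is blocked by the velocity rule and also picks up the `fraud-review-required` tag from the Flow rule; the third card from one IP inside an hour goes to review; the small first order passes through. Running a rule set like this over a month of past orders before enabling it in Flow is the quickest way to see how many legitimate customers a threshold would catch.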
Chargeback Management
Even with excellent fraud prevention, chargebacks happen. How you respond to disputes determines how many you win.
Types of chargebacks:
- Fraud chargebacks (Reason code 10.4, 83): Cardholder claims unauthorized use. Difficult to win without 3DS authentication proof.
- Non-receipt (Reason code 13.1): Cardholder claims they did not receive the goods. Win with delivery confirmation.
- Significantly not as described (13.3): Cardholder claims goods differ materially from description. Win by demonstrating accurate listing.
- Friendly fraud (10.4 disputed, unauthorized): Legitimate customer disputing a genuine charge. Win with purchase history and communication records.
Winning chargeback disputes — evidence package:
Compile this evidence for every chargeback response:
- Order confirmation email sent to customer's address
- Delivery confirmation with tracking number and delivered scan
- Customer account history (if they have an account showing past purchases)
- Communication history (any emails, chat logs showing the customer acknowledged the order)
- IP address of order placement
- AVS and CVV match confirmation
- Device fingerprint data (from Shopify or a fraud tool)
- Signed delivery proof (for high-value orders requiring signature)
- Product description screenshots showing accurate representation
Chargeback response deadlines:
- Visa: 30 days from chargeback notification
- Mastercard: 45 days
- American Express: 20 days
- Discover: 30 days
Missing the response deadline means automatic loss regardless of merit.
Preventing friendly fraud:
- Use 3DS2 authentication for high-value orders (Shopify Payments enables this)
- Require signature on delivery for orders above $150
- Follow up with customers before and after delivery ("Your order shipped" + "Your order was delivered" emails)
- Respond to all customer service contacts — a customer who contacts you is less likely to file a chargeback
Digital Goods: Highest Risk Category
Digital goods (software licenses, downloadable files, gift cards) have zero recovery once delivered and are the primary target of CNP fraud.
Digital goods fraud prevention:
- Delay delivery for high-risk orders: Instead of instant delivery, add a 24-hour review window for digital goods orders over $50 from new accounts or flagged addresses.
- Limit initial purchase quantities: Restrict first purchases from new accounts to 1-2 units. Fraud rings buy in bulk.
- Require account creation: Guest checkout for digital goods is high risk. Require account creation with email verification before delivery.
- IP velocity limiting: One new account per IP address per 24 hours maximum.
- Device fingerprinting: Use a tool that identifies when the same device is used across multiple accounts or orders.
- Activation-based delivery: For software licenses, require device registration before activation. This limits damage per stolen card and provides investigation data.
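Because digital goods cannot be recalled, the controls above are best enforced at the moment of delivery rather than after the fact. The following Python example, added here and not part of the article or of any Shopify feature, turns the list into a delivery gate: it rejects unverified or guest orders, caps first-purchase quantity, holds orders whose device fingerprint is shared with other accounts, applies the 24-hour review window to orders over $50 from new accounts or flagged addresses, and enforces the one-new-account-per-IP-per-day limit. The `make_order` helper, its field names and the "new account means younger than one day" cutoff are assumptions.

```python
from datetime import datetime, timedelta

REVIEW_WINDOW = timedelta(hours=24)   # from the text
REVIEW_THRESHOLD = 50.0               # dollars; from the text
MAX_FIRST_PURCHASE_QTY = 2            # from the text (1-2 units)
MAX_NEW_ACCOUNTS_PER_IP = 1           # per 24 hours; from the text

# Constructed default order; field names are an assumption for this example.
PLACED = datetime(2025, 3, 1, 11, 0)


def make_order(**overrides):
    order = {
        "guest": False,
        "email_verified": True,
        "account_age_days": 30,
        "quantity": 1,
        "total": 20.0,
        "flagged_address": False,
        "device_seen_on_other_accounts": False,
        "placed_at": PLACED,
    }
    order.update(overrides)
    return order


def account_creation_allowed(ip, creations, now):
    """IP velocity limit: allow at most MAX_NEW_ACCOUNTS_PER_IP new accounts
    from `ip` in the trailing 24 hours. `creations` maps ip -> [timestamps]."""
    recent = [t for t in creations.get(ip, [])
              if timedelta(0) <= now - t <= timedelta(hours=24)]
    return len(recent) < MAX_NEW_ACCOUNTS_PER_IP


def delivery_decision(order, now):
    """Decide whether a digital-goods order is delivered now, held, or rejected.
    Returns (decision, reason). Checks run from hardest to softest."""
    if order["guest"] or not order["email_verified"]:
        return ("reject", "account with verified email required before delivery")
    new_account = order["account_age_days"] < 1   # assumption: under one day old
    if new_account and order["quantity"] > MAX_FIRST_PURCHASE_QTY:
        return ("reject", f"first purchase limited to {MAX_FIRST_PURCHASE_QTY} units")
    if order["device_seen_on_other_accounts"]:
        return ("hold", "device fingerprint shared with other accounts")
    if order["total"] > REVIEW_THRESHOLD and (new_account or order["flagged_address"]):
        release_at = order["placed_at"] + REVIEW_WINDOW
        if now < release_at:
            return ("hold", f"24-hour review window, release at {release_at.isoformat()}")
        return ("deliver", "review window elapsed without cancellation")
    return ("deliver", "instant delivery")


if __name__ == "__main__":
    now = datetime(2025, 3, 1, 12, 0)
    print(delivery_decision(make_order(guest=True), now))
    print(delivery_decision(make_order(account_age_days=0, total=80.0), now))
    print(delivery_decision(make_order(account_age_days=0, total=80.0),
                            now + timedelta(hours=24)))
```

The hold path is the important one: the same order returns "hold" at order time and "deliver" once the review window has elapsed, which is what lets a scheduled job release held orders without a human touching the clean ones. Anything cancelled during the window simply never reaches the release step.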
Frequently Asked Questions
What chargeback rate is considered "high" by payment processors?
Visa and Mastercard's chargeback monitoring programs trigger when chargebacks exceed 1% of monthly transactions. Merchants above this threshold enter a "monitoring program" that carries additional fees ($50-100 per chargeback), requires remediation plans, and eventually leads to account termination if not resolved within 3-6 months. Most acquirers start reaching out informally at 0.5% chargeback rates. Aim to keep your rate below 0.5% to maintain a safe buffer.
Should I accept high-risk orders that Shopify flags?
It depends on your product type, margin, and risk tolerance. High-value electronics and digital goods with high fraud rates warrant automatic cancellation of high-risk orders. Lower-value products with wide margins may make manual review of high-risk orders economical. Calculate your expected fraud loss versus expected revenue for orders at different risk levels. For most merchants, high-risk orders convert to chargebacks at 30-50% — meaning accepting them is mathematically negative if your margin is under 50%.
How do I handle a customer claiming their order never arrived but tracking shows delivered?
First, verify the delivery scan is at the correct address (compare delivery scan location with shipping address). If the tracking shows delivery to the correct address: (1) Ask the customer to check with neighbors and household members — many packages are received by others, (2) File a carrier investigation claim — carriers investigate "delivered but not received" cases, (3) Request a police report for the customer — this screens out opportunistic fraud. For orders under $30, consider a replacement without investigation — the goodwill value often exceeds the cost.
Is 3D Secure (3DS) worth enabling? Does it hurt conversion rates?
3DS authentication shifts chargeback liability to the card issuer for orders where 3DS authentication succeeds. Modern 3DS2 uses risk-based authentication — it only challenges high-risk transactions with additional verification (OTP, biometric). Low-risk transactions complete seamlessly without any customer action. Studies show 3DS2 reduces fraud chargebacks by 60-80% with less than 2% abandonment impact versus a 10-15% abandonment impact from older 3DS1. Enable 3DS2 through Shopify Payments settings — it is worth it.
What data should I keep for chargeback disputes?
Retain the following for every order for at least 18 months: order confirmation details, IP address, device fingerprint, AVS/CVV match results, all customer communication (email, chat, support tickets), carrier tracking history with all scan events, and delivery confirmation or photo proof. Most fraud chargebacks arrive 60-120 days after the transaction — 18 months of retention covers the entire dispute timeline including appeals.
Next Steps
Building and maintaining an effective fraud prevention system for a Shopify store requires ongoing calibration as fraud patterns evolve, new tools emerge, and your order volume and product mix changes.
ECOSIRE's Shopify support and maintenance services include fraud prevention setup, chargeback management workflows, rule calibration based on your specific product categories, and ongoing fraud monitoring to protect your revenue.
Speak with our fraud prevention specialists about hardening your Shopify store against ecommerce fraud.
Written by
ECOSIRE Research and Development Team
Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.