Hacking Shopify fraud

I’ve stumbled upon plenty of fraud attempts and fraudulent orders in the past several years, and things aren’t going the right way in the industry, with plenty of fraud attempts in 2019 as well. Even with a powerhouse like Shopify behind them, merchants are still vulnerable to fraudsters. In fact, U.S. merchants and credit card issuers faced $9.1 billion in losses due to transaction fraud in 2018 alone.

Shopify’s built-in risk analysis gives you a head start on spotting fraudulent orders. If you use Shopify Payments, every order that looks suspicious is flagged as potentially fraudulent and given a risk rating of low, medium, or high in the risk analysis summary on the order page.

If you are subscribed to notification emails, every flagged order is emailed to you for immediate review.

Only businesses that meet certain criteria are eligible for Fraud Protect. For example, your business must be based in the United States and must use Shopify Payments. If you see a Fraud Protect section on the Shopify Payments page in your Shopify admin, then you are eligible for Fraud Protect.

Only online orders processed through Shopify Payments are eligible for protection through Fraud Protect. Orders that are not eligible – such as PayPal or point of sale orders – continue to be processed in the same way they were before you set up Fraud Protect.

If you edit an order after it has been protected by Fraud Protect, the order is evaluated again. In some cases, an edit that requires an additional payment from the customer can change the order’s Fraud Protect status to partially protected if any part of the edited order is not protected.


  1. From your Shopify admin, click Settings.
  2. Click Payment providers.
  3. Click Manage in the Shopify Payments section.
  4. Click Set up Fraud Protect.
  5. Read and accept the terms of service.
  6. Select whether unprotected Shopify Payments orders should be captured manually or automatically. Manual capture lets you review unprotected orders before capturing payment.
  7. Click Activate Fraud Protect.
  8. Click Done.

You can confirm that Fraud Protect is set up by checking the Shopify Payments page in your Shopify admin at any time.

For many merchants, fraud is not always obvious. Not being able to tell confidently whether an order is fraudulent or legitimate can have serious consequences for the health of a business. Fraudulent orders that are approved can result in chargebacks that cost merchants not only the lost product and shipping charges, but also the financial and personnel cost of managing and representing those chargebacks. Being too conservative is risky, too: merchants that decline legitimate transactions lose the lifetime value of good customers.

To evaluate these gray-area transactions, Shopify Fraud Protect runs its fraud algorithms and filters over the order. Orders it cannot vouch for are still allowed to process but are marked “Not Protected”, so the merchant still has to decide whether to fulfil them.

Here’s a potential Shopify fraud alert, as received by one user.

To make sure a flagged order is not a fraud attempt, work through the following checks:

1. Email or phone the customer to confirm they are legitimate. In this particular case, write to the customer and ask why the billing and shipping addresses differ. Be frank: tell them the order was flagged as potentially fraudulent and that you need additional confirmation before processing it.

2. Verify the IP address. The IP address an order was placed from is a useful fraud indicator. Is it geolocated far from where the customer claims to be? Does it belong to a web hosting provider rather than a consumer ISP? Is it a known proxy or VPN exit? Keep in mind that IP geolocation is approximate, and mobile and corporate networks often resolve to a different city than the user’s, so treat a mismatch as a reason to ask questions rather than as a verdict.

If the answer to any of these questions is yes, contact the customer to verify the order before fulfilling it.

There are free tools that let you quickly look up the geographical location, ISP, and other information about a specific IP address; some of those tools are listed below:

3. Verify that the billing and shipping addresses match

A fraudster will often provide a shipping address that does not match the billing address. You can use Google Maps to plot both addresses and visualize the distance between them. If the distance is significant (different countries or continents, for example), the order deserves extra scrutiny before you fulfil it. Keep in mind that legitimate shoppers sending a gift or buying on behalf of someone else will also have different addresses, so a mismatch on its own is not proof of fraud.

4. Check whether multiple orders use different billing addresses for the same shipping address

Are there multiple orders with different billing addresses in different states, under different names, all shipping to the same destination? This is usually a sign of fraudulent orders: one drop address being fed with goods bought on several stolen cards. Proceed carefully, and contact the customers using the details they provided at checkout.

5. Review high-value orders

If you receive an order that is substantially larger than your typical order, verify the customer’s identity before fulfilling it. Fraudulent orders tend to be larger than usual, because the fraudster wants to extract as much value as possible from a stolen card before it is blocked.

6. Install fraud prevention apps

You can also install apps that reduce the chance of fulfilling fraudulent orders. There are many in the Shopify App Store, each serving a different purpose.

To block users who try to make repeat fraudulent orders, you can use Shopify’s Fraud Filter app.
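Checks 2 to 5 above are easy to apply by hand to one order, but they are more useful when run over every new order in the same way each time. The script below is an added example (it is not Shopify’s code and not part of the original post) that scores orders against those four checks: IP country and hosting/proxy status versus the billing address, billing-to-shipping distance, several billing identities feeding one shipping address, and order value against the store’s typical order. The sample orders, the city coordinates and the `IP_INFO` lookup table are constructed stand-ins; in a real run the orders would come from the Admin API or a CSV export and `IP_INFO` would be replaced by a call to an IP geolocation/ASN service. The weights and thresholds are assumptions to tune for your store.

```python
"""Heuristic screening of Shopify orders against the manual checks above.

Added example, not Shopify code. Orders, coordinates and the IP lookup table
are constructed inline so the script runs offline.
"""
import math
from collections import defaultdict

# Constructed stand-in for a free IP geolocation/ASN lookup service.
# Keys are RFC 5737 documentation addresses; values mimic a typical response.
IP_INFO = {
    "203.0.113.10": {"country": "US", "isp": "Comcast Cable", "hosting": False, "proxy": False},
    "198.51.100.7": {"country": "NG", "isp": "MTN Nigeria", "hosting": False, "proxy": False},
    "192.0.2.55": {"country": "US", "isp": "DigitalOcean LLC", "hosting": True, "proxy": True},
}

# Constructed coordinates for the cities used in the sample orders.
CITY_COORDS = {
    ("Los Angeles", "US"): (34.05, -118.24),
    ("New York", "US"): (40.71, -74.01),
    ("Miami", "US"): (25.76, -80.19),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def address_key(addr):
    """Normalise an address so small formatting differences still match."""
    return (addr["address1"].lower().strip(), addr["city"].lower(), addr["zip"])


def screen_orders(orders, typical_order_value):
    """Return {order_id: (score, [reasons])}; higher score = more suspicious."""
    # Check 4: group orders by shipping destination to spot one address
    # receiving goods bought under many different billing identities.
    identities_by_ship = defaultdict(set)
    for o in orders:
        identities_by_ship[address_key(o["shipping_address"])].add(
            (address_key(o["billing_address"]), o["billing_address"]["name"]))

    results = {}
    for o in orders:
        score, reasons = 0, []
        bill, ship = o["billing_address"], o["shipping_address"]

        # Check 2: IP location vs. billing country, hosting or proxy IPs.
        ip = IP_INFO.get(o["browser_ip"])
        if ip is None:
            score += 1; reasons.append("no IP data available")
        else:
            if ip["country"] != bill["country_code"]:
                score += 3; reasons.append(f"IP country {ip['country']} != billing {bill['country_code']}")
            if ip["hosting"]:
                score += 2; reasons.append(f"IP belongs to a hosting provider ({ip['isp']})")
            if ip["proxy"]:
                score += 2; reasons.append("IP flagged as proxy/VPN")

        # Check 3: distance between billing and shipping addresses.
        if bill["country_code"] != ship["country_code"]:
            score += 3; reasons.append("billing and shipping in different countries")
        else:
            dist = haversine_km(CITY_COORDS[(bill["city"], bill["country_code"])],
                                CITY_COORDS[(ship["city"], ship["country_code"])])
            if dist > 500:  # assumed threshold
                score += 1; reasons.append(f"billing and shipping {dist:.0f} km apart")

        # Check 4: the same shipping address fed by several billing identities.
        n = len(identities_by_ship[address_key(ship)])
        if n > 1:
            score += 3; reasons.append(f"{n} distinct billing identities ship to this address")

        # Check 5: order value far above the store's typical order.
        if o["total_price"] > 3 * typical_order_value:  # assumed multiplier
            score += 2; reasons.append(f"order value {o['total_price']:.2f} is over 3x typical")

        results[o["id"]] = (score, reasons)
    return results


def recommendation(score):
    """Map a score to the action the checks above suggest (assumed cut-offs)."""
    if score >= 5:
        return "hold and contact customer"
    return "review" if score >= 2 else "fulfil"


def _addr(name, street, city, zip_code, cc):
    return {"name": name, "address1": street, "city": city, "zip": zip_code, "country_code": cc}


# Constructed sample orders; field names mirror Shopify's REST Order resource.
SAMPLE_ORDERS = [
    {"id": 1001, "browser_ip": "203.0.113.10", "total_price": 80.00,
     "billing_address": _addr("Ann Lee", "1 Main St", "Los Angeles", "90001", "US"),
     "shipping_address": _addr("Ann Lee", "1 Main St", "Los Angeles", "90001", "US")},
    {"id": 1002, "browser_ip": "198.51.100.7", "total_price": 950.00,
     "billing_address": _addr("Bob Ray", "5 Park Ave", "New York", "10001", "US"),
     "shipping_address": _addr("Bob Ray", "9 Bay Rd", "Miami", "33101", "US")},
    {"id": 1003, "browser_ip": "192.0.2.55", "total_price": 120.00,
     "billing_address": _addr("Cara Fox", "77 Elm St", "Los Angeles", "90002", "US"),
     "shipping_address": _addr("Dan Ho", "9 Bay Rd", "Miami", "33101", "US")},
]

if __name__ == "__main__":
    for oid, (score, reasons) in screen_orders(SAMPLE_ORDERS, 100.0).items():
        print(f"order {oid}: score {score} -> {recommendation(score)}")
        for r in reasons:
            print(f"    - {r}")
```

Order 1001 scores 0 and can be fulfilled. Orders 1002 and 1003 both land on "hold": 1002 for a Nigerian IP on a US card, a large amount, and a shipping address shared with 1003; 1003 for a hosting-provider proxy IP and that same shared drop address. None of these signals is proof on its own, which is why the output lists the reasons rather than a bare verdict: they are the questions to put to the customer in check 1.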

In the end, I highly recommend installing a fraud prevention app from the Shopify App Store.
Have you been the target of fraud? How did you find out the orders were fake? Comment below.