Your First Wave of Fraudulent Orders: A Shopify Merchant's Survival Guide
There's a moment every Shopify merchant remembers. You wake up to a flood of new orders and for a split second you think your marketing finally cracked the code. Then you look closer. The orders have mismatched billing and shipping addresses. The email addresses look auto-generated. Three of them used different credit cards but shipped to the same apartment in a city you've never heard of. One customer placed six orders in ten minutes.
That feeling, the one where your stomach drops and your first instinct is to Google "Shopify fraud what do I do," is more common than you'd think. Fraud isn't something that only happens to stores processing thousands of orders a month. It happens to five-product stores with modest traffic. It happens to brand new stores that just went live. And when it hits, the clock is ticking.
This post is for merchants who are either dealing with this right now or want to be ready before it happens. We'll walk through what's actually going on behind these orders, what you should do immediately, and how to set up your store so the next wave bounces off instead of getting through.
What Fraudsters Are Actually Doing to Your Store
Most of the fraudulent order activity hitting Shopify stores falls into a few categories, and understanding them matters because the response is different for each one.
Card testing is the most common. Fraudsters have lists of stolen credit card numbers, often purchased from dark web marketplaces after data breaches. They need to figure out which cards are still active, so they run small transactions against real stores. Your store becomes the testing ground. They'll target your cheapest product and place dozens or hundreds of orders in rapid succession, each with a different card number. Most will fail at checkout, but the ones that go through confirm a live card that the fraudster can then use for bigger purchases elsewhere. Meanwhile, you're left with a mess: hundreds of abandoned checkouts clogging your analytics, a handful of actual orders you didn't want, and processing fees on every transaction that touched your payment gateway.
Stolen card purchases are the next step up. Once a fraudster has confirmed a card works, they use it to buy something real from your store. They'll often choose expensive items and ship to an address that's different from the billing address. The real cardholder eventually notices the charge, contacts their bank, and files a chargeback. You lose the product, you lose the payment, and you get hit with a chargeback fee on top of it. Shopify can help you submit evidence to dispute the chargeback, but the decision ultimately sits with the cardholder's bank, and banks tend to side with cardholders.
Friendly fraud is harder to spot because it comes from real customers. Someone places a legitimate order, receives the product, and then tells their bank they never authorized the charge or that the item never arrived. This accounts for a surprisingly large portion of chargebacks across the industry.
The Real Cost of Doing Nothing
The financial hit from a single fraudulent order is bad enough: you lose the product, the shipping cost, the payment, and a chargeback fee (typically $15-25). But the compounding damage is what really hurts.
Card networks like Visa and Mastercard monitor your chargeback ratio. Visa's VAMP (Visa Acquirer Monitoring Program), which went into effect in April 2025, tracks both disputes and fraud across your account. If your ratio crosses certain thresholds, you can face fines, increased processing fees, or even get placed on a terminated merchant list that makes it difficult to accept credit cards at all. Shopify Payments can also restrict or disable your account if chargebacks get out of hand.
The bottom line: a few unaddressed fraudulent orders today can snowball into a systemic problem that threatens your ability to process payments altogether.
What to Do Right Now If You're Under Attack
If you're currently seeing a wave of suspicious orders, here's the sequence.
Stop fulfilling anything that looks suspicious. This sounds obvious, but in the panic of a fraud wave, merchants sometimes keep shipping because they're afraid of angry customers. If an order has red flags, hold it. An unfulfilled order is far easier to deal with than a shipped one.
Check Shopify's built-in fraud analysis. Every credit card order in your store gets a fraud recommendation: low, medium, or high risk. You can find this in the "Order risk" section on any order page. Shopify's system checks AVS (Address Verification System), CVV matches, IP geolocation, and behavioral patterns. If an order is flagged high risk, that's a strong signal not to fulfill it.
Cancel and refund fraudulent orders immediately. If you haven't captured payment yet, cancel the order. If payment has been captured, issue a refund before the cardholder files a chargeback. A refund costs you the processing fee but avoids the chargeback fee and the mark on your chargeback ratio.
Document everything. Keep records of which orders you identified as fraudulent, what the red flags were, and what action you took. If you do end up in a chargeback dispute, this documentation becomes your evidence.
Setting Up Your Defenses
Once you've handled the immediate crisis, it's time to build the infrastructure that prevents the next one.
Switch to manual payment capture. By default, Shopify automatically captures payment the moment a customer places an order. If you switch to manual payment capture, the card is authorized but not charged until you explicitly capture the payment. This gives you a window to review the order's fraud analysis before any money changes hands. If the order looks bad, you cancel it. No charge, no chargeback risk.
The catch is that manual capture adds a step to every order, which can slow things down if you process high volume. That's where Shopify Flow comes in.
Automate with Shopify Flow. Shopify Flow lets you create workflows that automatically handle high-risk orders. For example, you can set up a flow that automatically captures payment for low and medium-risk orders, but holds high-risk orders for manual review. Another useful template automatically cancels orders from email addresses that have been associated with previous fraud. There's also a template that restricts customers to five orders per day, which stops card testing bots in their tracks.
Install the Fraud Control app. Shopify's own Fraud Control app gives you a dashboard showing your fraud risk levels and lets you create checkout rules. You can block checkouts based on IP address, zip code, or other conditions. This is especially useful during an active card testing attack where the attempts are coming from a specific region or IP range. Keep in mind that aggressive rules can also block legitimate customers, so use them carefully and review the results.
Enable 3D Secure authentication. If you're using Shopify Payments, 3D Secure adds an extra verification step during checkout where the customer's bank confirms the transaction. This shifts the liability for chargebacks from you to the card issuer in many cases. Not every transaction will trigger 3D Secure (it depends on the bank and the risk assessment), but having it enabled provides an important safety net.
Know about Shopify Protect. For U.S.-based stores using Shop Pay, Shopify Protect automatically covers eligible fraud-based chargebacks at no additional cost. You need to fulfill orders within seven days and provide tracking from a supported carrier. If those conditions are met and you get a fraud chargeback, Shopify covers the order cost and the chargeback fee. This only applies to Shop Pay transactions, so it won't cover everything, but it's free protection worth taking advantage of.
Patterns Worth Watching
Over time, you'll develop an eye for suspicious orders. Here are some of the most common red flags.
Orders where the billing country and shipping country don't match, especially when the shipping destination is in a high-fraud region.
Multiple orders from the same IP address in a short time window.
Email addresses that look randomly generated (strings of letters and numbers at free email providers).
Orders for unusually high quantities or your most expensive items from first-time customers with no previous purchase history.
Customers who place an order and then immediately email asking to change the shipping address.
None of these are automatic proof of fraud. Legitimate customers travel, buy gifts for people in other countries, and sometimes have weird email addresses. But when multiple red flags stack up on a single order, it's worth investigating before you ship.
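As an added example (not part of the original post and not Shopify's own code), the script below checks a batch of orders against four of the red flags above and holds only the orders where two or more stack up. The order records, field names and thresholds are constructed assumptions, not Shopify's export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders. Field names are hypothetical, not Shopify's schema.
FIELDS = ("id", "time", "ip", "email", "bill", "ship", "total", "prior_orders")
ROWS = [
    (1001, "2025-05-01T03:00:00", "203.0.113.7", "xk29fj3q8z@example.com", "US", "US", 4.99, 0),
    (1002, "2025-05-01T03:02:00", "203.0.113.7", "q7wm4tzr1p@example.com", "US", "US", 4.99, 0),
    (1003, "2025-05-01T03:04:00", "203.0.113.7", "b8n2vxc5kd@example.com", "US", "US", 4.99, 0),
    (1004, "2025-05-01T09:15:00", "198.51.100.20", "maria.lopez@example.com", "US", "CA", 60.00, 3),
    (1005, "2025-05-01T11:40:00", "198.51.100.88", "j.smith@example.com", "GB", "US", 899.00, 0),
    (1006, "2025-05-01T14:05:00", "192.0.2.44", "dana.kim88@example.com", "US", "US", 35.00, 1),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]
WINDOW, BURST = timedelta(minutes=10), 3  # assumed: 3+ orders from one IP in 10 minutes
HIGH_VALUE = 300.00                       # assumed threshold; tune to your catalogue

def looks_random(email):
    """Rough heuristic: long local part, several digits, almost no vowels."""
    local = email.split("@", 1)[0].lower()
    letters = [c for c in local if c.isalpha()]
    digits = sum(c.isdigit() for c in local)
    if len(local) < 8 or not letters or digits < 2:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25

def red_flags(orders):
    """Return {order id: [flag names]} for each order in the batch."""
    times_by_ip = defaultdict(list)
    for o in orders:
        times_by_ip[o["ip"]].append(datetime.fromisoformat(o["time"]))
    flagged = {}
    for o in orders:
        placed = datetime.fromisoformat(o["time"])
        flags = []
        if o["bill"] != o["ship"]:
            flags.append("country_mismatch")
        if sum(abs(placed - t) <= WINDOW for t in times_by_ip[o["ip"]]) >= BURST:
            flags.append("ip_velocity")
        if looks_random(o["email"]):
            flags.append("random_email")
        if o["prior_orders"] == 0 and o["total"] >= HIGH_VALUE:
            flags.append("first_time_high_value")
        flagged[o["id"]] = flags
    return flagged

def needs_review(orders, min_flags=2):
    """Hold only orders where several flags stack up; one flag is not proof."""
    return sorted(oid for oid, f in red_flags(orders).items() if len(f) >= min_flags)
```

In the sample data the three rapid same-IP orders and the first-time high-value order are held, while the gift order shipped to another country carries a single flag and passes.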
The Uncomfortable Truth
No fraud prevention system is perfect. Shopify's built-in tools are good, and they're getting better with machine learning improvements across millions of stores. Third-party fraud apps add another layer. But determined fraudsters adapt, and new attack patterns emerge regularly.
The merchants who handle this best aren't the ones with the most expensive tools. They're the ones who have a process. They review orders before fulfilling. They use manual capture or Flow automations to create a buffer between order and payment. They monitor their chargeback ratio. And they treat fraud prevention as an ongoing practice, not a one-time setup.
If you're reading this because you just got hit with your first wave of fraud, know that it happens to almost every store eventually. Handle the immediate problem, set up the defenses, and get back to running your business.
Pasilobus builds Shopify apps for merchants who take their stores seriously. If you need help with anything from store analytics to customer experience, we're here.