Basic recommended fraud prevention settings at a glance for Shopify Merchants.
The COVID-19 Pandemic has caused a dramatic shift in the dynamic of consumer spending from brick and mortar stores to online shopping. With the surge in activity in spending in the eCommerce space, bad-actors are also naturally taking advantage of increasing online traffic, in hopes that they can get away with online theft.
This article is a result of the rising search trends we’ve been seeing from merchants wanting to better understand Shopify’s configuration settings. Before making changes to your store, keep in mind that most of these settings involve adding friction to the checkout process between capturing payment to fulfilling the orders. Think carefully about how the changes will affect your online customer shopping experience.
As a word of precaution, many of the following tips are not 100% full proof of stopping high-risk orders, nor are the settings provided by Shopify meant to deter fraud. Instead, they are meant to deter potential bad-actors by adding friction to the checkout process. The effectiveness of the following suggestions depends on many factors such as the volume of orders your shop receives versus the fraud happening on your site, it may or not be worth it to explore some of the options.
Manually Capture Payments:
Something eventually every merchant will face is a chargeback. The dreaded chargeback happens when the payment gateway has to reverse a charge due to the unauthorized use of the customer payment account. You are probably familiar with this if you are reading this article.
The best way to prevent a chargeback from happening is to not capture the payment in the first place. I know this sounds extremely counter-intuitive, but hear me out. Chargeback can’t happen if you don’t capture the payment on a high-risk order. By selecting this option, it gives you time to investigate the customer order before fulfilling the order. If the order looks good and you have made the necessary research about the order and customer, then you can accept the payment later when you’re ready to fulfill the item.
Yes, this process is a lot slower than a payment that is automatically captured, this option is ideally suited for merchants facing huge issues with fraud orders.
The good news is that there are apps where you can automate the payment captures automatically like, “Beacon”. Otherwise, each order must be manually captured before being sent for either further review or for fulfillment.
To enable this option, simply head to your settings page > Payments > Scroll down to payment capture.
Enabling manual capture payment, you capture the order information along with the customer information. This setting is best used if you have less than 100 orders a month.
If you are running a high volume store, then you will need to automate the auto payment capture while higher risk orders are put on hold for review.
Enable Native ReCaptcha on checkout (Shopify Plus Only).
If you are having problems with automated bot signups or bot checkouts then this option is for you. Before I go on, just know that any Recaptcha solver is extremely easy to bypass with a well-written script attack. We know this very well because we were able to bypass this ourselves.
Unfortunately, this option is available only for (Shopify Plus) subscribers for less sophisticated bot signups. Shopify uses the Google ReCaptcha system for those stores that have issues with automated bot attacks.
The spam protection settings can be found in “Online stores” ->” Preferences” -> scroll down to where you would see “Spam Protection”.
Enable Captcha on checkout for Non-Shopify Plus Subscribers).
Shops that are not subscribed to Shopify Plus will need to bring in an expert that will modify Shopify’s checkout system to add a captcha system. This is an advanced modification that requires expertise in coding. Merchants would need to write a custom script under “Order Processing” indicated with a red arrow below.
Require Phone number on Checkout.
In a dated post direct from Shopify staff, they had previously “explored the possibility of making a phone number a required component of the checkout” process before and that the reason why it’s not required by default is that that has been found “negative impact on the conversion”.
“We have explored the possibility of making the phone number a required component of the checkout form, but we found that it had a very negative impact on conversion. Basically, we found that folks weren’t completing checkout because they didn’t want to give out their phone number, which is understandable. People are often concerned about their privacy.”
Shopify’s motto is to reduce checkout friction as much as possible without any regard for fraudsters. Unfortunately, as you make things simpler and easier, the more of a target you are to online thieves. If you are frequently a target of a cyber attack, then I would highly suggest requiring your customers to enter a phone number before checking out. Having a phone number allows you to have a second method of communication, which allows you to contact the customer directly via voice.
Require First and Last name
Unless you are accepting a payment method like bitcoins or COD, then it’s a given that having your customer require them to input their first and last name should be required by default.
Manually fulfill orders.
It goes without saying that having to manually fulfill every order can be quite a hassle unless you already got your fulfillment logistics in place. This particular setting is meant more for early Shopify users who are just starting out. As said before, you want to take the time to review each order carefully. These settings basically give you a time buffer between you deciding to cancel the order or fulfilling it.
More advanced shops will use this function to customize a rule base fraud system to decide whether or not you want to automatically fulfill the items or not. This could be useful later on for growing merchants thinking more about automating the fulfillment logistics while taking into account fraud orders.
Require Customer Accounts.
Shopify sets the account as optional by default for customers.
While this is good for reducing the restriction of checkout, it can also invite bad-actors as well. Requiring accounts gives the merchants a better ability to disable accounts of customers that are known to be high at risk.
A word of caution, disabling an account will only disable the account of the customer. This does not stop a customer from creating a new account. Selecting this option also requires customers to either create a new account or to log in before they are allowed to checkout.
We don’t see fraud decreasing anytime soon, so while enabling or disabling some of the options we have highlighted can help your shop reduce potential customers who are high at risk, most of these features will overall increase the checkout time of your customers. Most of these settings are recommended for merchants who are high at risk and don’t mind adding a bit of friction for the ease of mind of reducing chargebacks. Most bad-actors don’t want to deal with a store that is difficult to deal with, which hopefully stops them from making unwanted orders.
For additional resources on better-preventing fraud, consider reading up on our follow-up article on how to look out for fraud orders.
If you are looking for a much more advanced fraud system, please consider giving our official Shopify application a try one the Shopify app store. https://apps.shopify.com/beacon