Categories: Shopify


Shopify Fraud prevention tips: Here are five things you need to look at to prevent fraud orders from happening.

Learn these important tips to help you prevent future Shopify fraudulent orders.

Image source: Beacon Fraud Detection System.

It’s natural that commerce companies are now moving towards eCommerce as more shoppers are making their purchases online. As the proliferation of online shopping grows so does the presence of bad actors. These days, it’s a lot easier to steal from someone online than in person. Over 60 billion dollars were lost globally to online fraud last year with a growth rate of 5% year over year.”

Each year, we hear about countless companies having their customer data stolen or leaked, data including sensitive information, such as customer names, passwords, addresses, phone numbers, credit card information and more. Unfortunately for many businesses, these instances of hacking are likely to increase, making it impossible to prevent such personal data from making its way into the wrong hands. Bad actors are using what’s known as the dark web to sell and source this stolen information, often targeting eCommerce businesses with high-value and/or popular products.

When it comes to fraud, merchants are on the losing end: customers will receive reimbursement from the credit card payment providers, but at a cost to the merchant. Chargeback insurance might help cover the reimbursement costs, but it does nothing to dissuade bad actors and prevent future attacks from happening. All of this results in merchants ultimately losing money, time, and even their payment provider, who could potentially cut ties due to the high-risk environment.

Here are five basic ways to better protect your online shop.

Using Shopify’s fraud analysis:

1.Checking the IP Address:

An IP address is a set of special numbers that point to where a device is connected to on the internet. Each device has this special set of numbers assigned to it. The IP address contains specific information about the geolocation of the device.

The customer’s IP address can be found in the customer’s order page and clicking on「View Full Analysis」.

Shopify is capable of measuring things like the distance between the shipping address and the IP address to determine how far the actual distance between the buyer’s home address and where the order was made. A greater distance usually indicates a significant risk while a shorter distance means less risk.

The IP address will often also provide the city and country of where the order was placed. If there is a mismatch between the countries, Shopify will often flag this with a red circle icon.

High-Risk Fraud detected by Shopify

A word of caution: oftentimes, the IP address can easily be hidden by experienced bad actors using a VPN and can be manipulated to make it look like the order was made in the same country as the billing address.

2. Look at Shopify’s Conversion Summary

One of the lesser-known ways of detecting fraudulent behavior is looking at the conversion summary. You can find this summary in the order detailed page just above the fraud analysis.

Shopify Conversion Summary of a new order coming from an unusual source with only 1 visit with 1 purchase.

The conversion summary includes two important metrics.

A: Session count combined with order count:

A session count is the number of times a customer has been to your site before making a purchase. Shopify also records the total number of orders a customer makes.

The number of session counts is important because it can determine how well the customer knows your brand. Historically, a session count of one as the first purchase is more risk-prone than a customer with multiple sessions before making their first order.

B: Direct versus 3rd party incoming traffic.

Knowing how a customer reached your site can also tell you a lot about fraud behaviors. Normal traffic usually flows from referral sources, such as active marketing campaigns and email newsletters. The other common flow of conversion traffic is through your search engine optimization (SEO) efforts where customers will be coming from search engines like Google. What’s not common is traffic from privacy-focused search engines like DuckDuckgo. DuckDuckgo is a privacy-first search engine that does not track its user. It’s also the default search engine for many web browser that focuses on hiding the web footprints of a user. This information is important because it tells the merchant that the customer who converted over a privacy-focused search engine does not want to be tracked and want to be hidden from normal web traffic.

3. Check The Local Time Zone

What time was the order placed relative to the customer’s time zone? If a customer lists themselves as being located in California, but they placed an order at 4 am in Pacific Time, then you know this could be an indicator of a risky order.

For domestic orders made in Japan where there is no time zone, merchants can check the usual time customers are making orders to compare a given order to the standard.

4. Email Address Domain

You can also tell a lot by looking at the email address domain., and such email addresses are very common and used by a lot of people. What’s less common are temporary or disposable email address domains, such as or People use these temporary email services in order to cheat the system while hiding their identities.

5. Compare the Countries

Oftentimes comparing the countries retrieved from the IP address, billing address, shipping address, and phone number can be a strong indicator of suspicious activities. If any of the countries retrieved from these data do not match, then follow-up with the customer is strongly recommended.


This guide serves as an introductory to what attackers might do to take advantage of a website.

The five methods listed here are not foolproof methods of discovering fraud nor will it prove conclusively that an order is actually bad. False positives can still happen. False-positive refers to a situation in which an order is flagged as fraud, but in fact, the order is actually a non-fraud order. If anytime a merchant is unsure about the order, it’s recommended to contact the customer directly to avoid a lost sale. Merchants must take all of the available data and make good judgments based on what previous good orders look like.

By looking at the five points, IP address, conversion summary, time zone, email domain, and countries, merchants can better help themselves in preventing more fraud orders from happening. This usually converts to more money and time saved and makes your store a lot more secure in the event of future attacks.

These days, fraud detection systems use much more complex patterns of malicious behavior detection combined with big data and AI to model new fraud patterns. Every fraud detection system has its own secret recipe for what they think is the best way to grade how risky an order is and don’t often publish how the system works to prevent bad actors from figuring out alternative ways for an attack.