Preventing Fraud on Shopify: Tools, Rules & Best Practices
Fraud is the tax on running a Shopify store. You don't see it in your unit economics—until you do. A single chargeback dispute costs you the order value plus $15–$100 in processing fees. Chargebacks also damage your payment processor relationship. Five chargebacks in 90 days, and some processors will flag or terminate your account.
This guide covers the fraud prevention architecture that works at every revenue stage—from your first $10K to $1M+ in annual sales. You'll learn what automated tools handle, where you need human judgment, and how to keep your chargeback rate below the 1% threshold that keeps you safe.
Understanding Fraud Economics on Shopify
Fraud comes in two forms: friendly fraud (customers disputing legitimate charges) and criminal fraud (stolen cards, synthetic identities). Your exposure depends on your store size, customer base, and payment processing stack.
The numbers matter. Shopify merchants processing over $500K annually lose an average of 0.8% of gross revenue to fraud and chargebacks, according to 2024 data from the Nilson Report. That's not a percentage of profit—it's a percentage of total sales. A $1M/year store loses roughly $8,000 to fraud. A $5M store loses $40,000. These costs compound: investigation time, customer service overhead, payment processor fee increases, and recovery attempts.
Most merchants don't know their actual fraud rate because chargebacks arrive 60–180 days after purchase. By then, you've already reinvested the capital. Prevention isn't optional—it's the cost of competitive margins.
Three Fraud Detection Layers
Shopify fraud prevention works in three sequential layers: pre-purchase screening, checkout-level rules, and post-order analysis. Each layer handles a different fraud pattern.
Layer 1: Pre-Purchase Order Screening
Before a customer clicks "Place Order," Shopify's built-in fraud analysis checks the order against signals like:
- Address Verification System (AVS) mismatch: Billing address doesn't match the card issuer's records. Stripe reports that AVS mismatches correlate with 3.2x higher fraud likelihood.
- IP geolocation conflicts: Customer location (based on IP) doesn't match billing address. A New York customer suddenly checking out from Singapore is a red flag.
- Card velocity: How many orders from the same card in the last 24 hours? Three orders in two hours is abnormal.
- Device fingerprinting: Cookies, browser type, and hardware identify repeat customers or risky devices.
Shopify's default Fraud Analysis (free on most plans) blocks obvious patterns. But it has low sensitivity—it prioritizes false negatives (letting fraud through) over false positives (blocking legitimate orders). You need more.
Layer 2: Checkout Rules Engine
Shopify Plus and Advanced plans (and third-party apps) let you build custom rules at checkout. These override defaults:
- Velocity filters: Reject orders from the same card if X orders appear in Y hours.
- Amount thresholds: Flag or block orders above $500 (or your custom limit) without manual approval.
- Country restrictions: Block orders from high-fraud countries if your business doesn't operate there.
- Email domain rules: Reject orders from disposable email providers (guerrillamail.com, tempmail.org).
- Shipping address rules: Require shipping address to match billing (increases friction but catches fraud).
Example rule: "If order total > $1,000 AND AVS response is NOT 'Match' AND customer is not in your VIP list, then set order status to 'Payment Pending' and require manual approval."
Layer 3: Post-Order Monitoring
Fraud doesn't end at checkout. Days or weeks later, you get signals that an order is risky:
- Customer never contacted you despite a high-value order.
- Tracking shows delivery confirmation but customer disputes the charge (friendly fraud).
- Multiple customers claim they didn't authorize orders from the same card (ring fraud).
- Shipping address is different from what the customer provided at checkout.
Post-order monitoring catches ring fraud and friendly fraud that pre-purchase screening missed.
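The ring-fraud signal above (several customers disputing orders that all trace back to one card) can be checked mechanically once orders and disputes are in hand. This is an added example, not code from the original page or from Shopify; the order and dispute records are constructed, and the field names (cardToken, email, reason) are assumed.

```javascript
// Added example, not from the original page: a post-order check for ring fraud,
// i.e. one card token behind orders under several email addresses that are then
// disputed as unauthorized. The order and dispute records below are constructed.
const ORDERS = [
  { id: 1001, cardToken: "tok_A", email: "x@example.com" },
  { id: 1002, cardToken: "tok_A", email: "y@example.com" },
  { id: 1003, cardToken: "tok_A", email: "z@example.com" },
  { id: 1004, cardToken: "tok_B", email: "w@example.com" },
  { id: 1005, cardToken: "tok_B", email: "w@example.com" },
];
const DISPUTES = [
  { orderId: 1001, reason: "unauthorized" },
  { orderId: 1002, reason: "unauthorized" },
  { orderId: 1005, reason: "product_not_received" },
];

// A card is a ring-fraud candidate when it appears under >= minEmails distinct
// emails and >= minDisputes of its orders were disputed as unauthorized.
function ringFraudCandidates(orders, disputes, minEmails = 2, minDisputes = 2) {
  const unauthorized = new Set(
    disputes.filter((d) => d.reason === "unauthorized").map((d) => d.orderId));
  const byCard = new Map();
  for (const o of orders) {
    const e = byCard.get(o.cardToken) ?? { emails: new Set(), orders: [], disputed: 0 };
    e.emails.add(o.email);
    e.orders.push(o.id);
    if (unauthorized.has(o.id)) e.disputed += 1;
    byCard.set(o.cardToken, e);
  }
  return [...byCard.entries()]
    .filter(([, e]) => e.emails.size >= minEmails && e.disputed >= minDisputes)
    .map(([cardToken, e]) => ({ cardToken, emails: [...e.emails], orders: e.orders, disputed: e.disputed }));
}

// Orders on a flagged card that have not been disputed yet are the ones to hold
// or contact the customer about before they ship (order 1003 in the sample data).
function undisputedOrdersOnFlaggedCards(orders, disputes) {
  const flagged = new Set(ringFraudCandidates(orders, disputes).map((c) => c.cardToken));
  const disputedIds = new Set(disputes.map((d) => d.orderId));
  return orders.filter((o) => flagged.has(o.cardToken) && !disputedIds.has(o.id)).map((o) => o.id);
}

console.log(ringFraudCandidates(ORDERS, DISPUTES));
console.log(undisputedOrdersOnFlaggedCards(ORDERS, DISPUTES));
```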
Best-in-Class Tools by Use Case
| Tool | Cost | Best For | Integration |
|---|---|---|---|
| Shopify Fraud Analysis | Free | Baseline protection (high false negatives) | Built-in, no setup |
| Stripe Radar | 0.5–2% fee | Advanced ML, works with Stripe Payments | Direct integration |
| Kount (Equifax) | Custom | Enterprise-scale, 500+ rules | API or Shopify app |
| Sift | $500–$10K/mo | Chargeback prevention, ML, real-time scoring | Shopify app + API |
| DataBox | $200–$500/mo | Custom dashboard, rule-building | Third-party analytics |
For stores under $100K/year, Shopify's built-in rules plus Stripe Radar (if using Stripe) cover 85% of risk. Stores doing $1M+ should add a third-party tool like Sift to catch sophisticated fraud patterns.
Implementing Fraud Prevention: A Practical Decision Tree
Step 1: Know Your Baseline
Pull your current chargeback data. Calculate: total chargebacks / total orders × 100. Most healthy stores sit at 0.2–0.5%. Above 1%, you're at processor risk.
Step 2: Enable Shopify's Default Rules
In your Shopify Admin:
1. Navigate to Settings → Payments.
2. Under Shopify Payments, enable Fraud Analysis (enabled by default).
3. Set risk level: Low (blocks obvious fraud, highest false negatives) or Medium (balanced).
If you're using a third-party payment processor (Stripe, PayPal), they also have built-in screening. Enable it there too.
Step 3: Add Checkout Rules (For Stores >$100K/yr)
Shopify Plus customers can build rules directly in Admin. Standard plans should install a third-party app.
Example rules to start:
- Flag orders over 3x your daily average.
- Reject disposable email domains.
- Block orders with no phone number provided.
- Require shipping address match if order exceeds $500.
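The Layer 2 rules, the "Example rule" given there, and the starter rules above can all be expressed as a small ordered rule list that yields an approve/hold/reject decision with the reasons attached. This is an added example, not Shopify's rules engine or code from the original page; the order field names (total, avsResponse, cardOrders24h, dailyAverage, and so on) and the VIP list are assumptions.

```javascript
// Added example (not Shopify's own rules engine): evaluates the Layer 2 rules,
// the "Example rule" from Layer 2 and the Step 3 starter rules against a plain
// order object. Field names such as total, avsResponse, cardOrders24h and
// dailyAverage are assumed for illustration; map them from your order data.
const DISPOSABLE_DOMAINS = new Set(["guerrillamail.com", "tempmail.org"]);
const VIP_EMAILS = new Set(["vip@example.com"]); // constructed VIP list

// Each rule returns "reject", "hold" (Payment Pending, manual approval) or null.
const RULES = [
  { name: "velocity", test: (o) => (o.cardOrders24h >= 3 ? "reject" : null) },
  { name: "disposable-email",
    test: (o) => (DISPOSABLE_DOMAINS.has(o.email.split("@")[1]) ? "reject" : null) },
  { name: "no-phone", test: (o) => (o.phone ? null : "reject") },
  { name: "amount-threshold", test: (o) => (o.total > 500 ? "hold" : null) },
  { name: "shipping-mismatch",
    test: (o) => (o.total > 500 && o.shippingAddress !== o.billingAddress ? "hold" : null) },
  { name: "3x-daily-average", test: (o) => (o.total > 3 * o.dailyAverage ? "hold" : null) },
  { name: "high-value-avs-non-vip",
    test: (o) => (o.total > 1000 && o.avsResponse !== "match" && !VIP_EMAILS.has(o.email)
      ? "hold" : null) },
];

// "reject" outranks "hold", which outranks "approve"; the fired rule names are
// the reasons a reviewer sees when the order lands in manual review.
function evaluateOrder(order) {
  const fired = RULES.map((r) => [r.name, r.test(order)]).filter(([, a]) => a !== null);
  const action = fired.some(([, a]) => a === "reject") ? "reject"
    : fired.length > 0 ? "hold" : "approve";
  return { action, reasons: fired.map(([name]) => name) };
}

// Constructed sample orders: a routine one, a high-value AVS mismatch shipped
// elsewhere, the same high-value order from a VIP, and a disposable-email order.
const base = { avsResponse: "match", email: "buyer@example.org", phone: "555-0100",
  cardOrders24h: 0, dailyAverage: 150, shippingAddress: "1 Main St", billingAddress: "1 Main St" };
const SAMPLE_ORDERS = {
  routine: { ...base, total: 80 },
  riskyHighValue: { ...base, total: 1200, avsResponse: "no_match", shippingAddress: "7 Elm St" },
  vipHighValue: { ...base, total: 1200, avsResponse: "no_match", email: "vip@example.com" },
  disposable: { ...base, total: 40, email: "x@tempmail.org" },
};

for (const [label, order] of Object.entries(SAMPLE_ORDERS)) {
  console.log(label, evaluateOrder(order));
}
```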
Step 4: Monitor and Adjust
Set a weekly review of declined orders. Are you rejecting legitimate customers? That's a false positive. Adjust sensitivity.
Chargeback Management: Before They Happen
Chargebacks are expensive, but preventable. When a customer disputes a charge, the processor asks: "Did the merchant prove authorization?"
You need evidence:
- Signed order confirmation (email receipt counts).
- IP address and timestamp at checkout.
- Shipping proof (tracking number, delivery confirmation).
- Customer communication (did the customer contact you about the purchase?).
- Card authorization (AVS, CVV verification passed).
The cost of fighting a chargeback ranges from $15 (representment) to $100+ (arbitration). You almost always lose if you lack proof.
Prevention is cheaper: A $5 email confirmation system costs less than fighting one chargeback.
Building Trust Without Blocking Sales
Fraud prevention has a trade-off: safety vs. friction. Too strict, and you lose 3–5% of legitimate sales. Too loose, and fraud compounds.
The sweet spot is transparent friction. Customers expect security checks. Make them clear:
- Show the lock icon at checkout (HTTPS badge).
- Explain holds: "We verify your order to protect your account. This typically takes 1–2 hours."
- Offer verification options: Phone number, SMS confirmation, or email re-verification.
- Trust signals: Testimonials, reviews, trust badges (McAfee, Norton).
Stores that implement these see chargeback rates drop 20–35% because customers understand why verification happens.
Red Flags vs. Legitimate Patterns
Not every unusual order is fraud. Knowing the difference saves you money and customer goodwill.
Red flags (higher confidence of fraud):
- Order value is 5x customer's typical purchase history.
- Billing address is in one country, shipping to a completely different region.
- Customer created account minutes before purchase (no browsing history).
- Multiple orders from same card to different email addresses in 12 hours.
- Customer provides fake phone number (obvious verification).
Legitimate but unusual patterns:
- First-time buyer from international location (expansion markets).
- Large order for corporate bulk purchase (B2B).
- Gift order shipped to address different from billing (intentional).
- Student with parent's card (seasonal pattern).
When in doubt, use a graduated response: hold the order for manual review instead of auto-declining. An email asking "Hi [Customer Name], is this order correct?" catches fraud and customer errors without false positives.
Advanced: Implementing Rules on Shopify Plus
Shopify Plus gives you direct access to the API. Build fraud scoring rules using custom code.
```javascript
// Example: Score orders on risk factors. The three helpers stand in for real
// lookups (a geo-IP service, your order history, customer records); here they
// read from an in-memory `ctx` object so the scorer runs stand-alone.
const isGeoMismatch = (ctx, ip, billingZip) => ctx.ipCountry[ip] !== ctx.zipCountry[billingZip];
const orderCount = (ctx, cardToken, hours) =>
  ctx.recentOrders.filter((o) => o.card_token === cardToken && o.age_hours <= hours).length;
const customerAvg = (ctx, email) => ctx.customerAvg[email] ?? null; // null = new customer

const orderRiskScore = (order, ctx) => {
  let score = 0;
  // AVS mismatch: +30 points
  if (order.avs_response !== "match") score += 30;
  // IP geolocation mismatch: +20 points
  if (isGeoMismatch(ctx, order.ip, order.billing_zip)) score += 20;
  // High velocity (3+ orders in 24h): +25 points
  if (orderCount(ctx, order.card_token, 24) >= 3) score += 25;
  // Order value 5x average: +15 points (skipped for new customers with no history)
  const avg = customerAvg(ctx, order.email);
  if (avg !== null && order.total > avg * 5) score += 15;
  // Score > 60 = manual review, > 80 = auto-decline
  return score;
};
```
This approach lets you customize rules for your specific customer base. B2B stores might weight corporate billing addresses as low-risk, while DTC stores might flag them.
FAQ
What's the difference between fraud and a chargeback? Fraud is the crime. A chargeback is the customer's way of reporting fraud to their bank. You get charged back (lose the order value plus fees) even if the fraud wasn't technically your fault. Prevention beats recovery.
Can I refuse to issue refunds to prevent chargebacks? No. A customer can dispute a purchase with their bank regardless of your refund policy. If you refuse a refund and they chargeback, you lose both the product and the order value—plus fees. Refund legitimate disputes quickly (within 48 hours).
How many chargebacks before my processor terminates me? Most processors terminate at 1–1.5% chargeback rate or 5+ chargebacks in 90 days, whichever comes first. A $1M store hitting 1% chargebacks means $10K in disputes. You're at risk. Contact your processor immediately and implement stronger rules.
Does requiring a phone number prevent fraud? Partially. It adds friction that fraudsters dislike. But savvy fraudsters provide fake numbers that pass basic validation. Phone verification (SMS code) is stronger but increases cart abandonment by 2–4%. Use it selectively for high-risk orders.
What's the best fraud tool for a $200K store? Shopify's built-in rules plus Stripe Radar (if using Stripe) handle 80–90% of fraud. If you're losing more than 0.8% to chargebacks, add Sift or Kount. For most $200K stores, that's overkill.
References
- Shopify Help: Fraud Analysis Settings
- Baymard Institute: E-Commerce Checkout Usability
- The Nilson Report: U.S. Credit Card Industry Payment Fraud Loss Study 2024
- Stripe: Radar for Fraud Teams
- Forbes: E-Commerce Fraud Prevention Best Practices
- McKinsey: Fraud Prevention in Digital Commerce
Ready to Protect Your Store?
Fraud prevention isn't one tool—it's a system. Start with built-in Shopify rules, add processor-level screening, monitor weekly, and adjust as you scale.
If your store is facing rising chargeback rates or losing to fraud, our team has built custom fraud prevention systems for Shopify Plus merchants. Learn how Tenten can help you reduce fraud and chargebacks.
Schedule a free consultation to audit your current fraud prevention setup.