Every Shopify merchant eventually meets fraud: an order that looks fine, ships, and then turns into a chargeback weeks later. By then the product is gone, the money is clawed back, and a dispute fee is added on top. The only reliable defence is to catch risky orders before you fulfil them. This guide covers how to do that in practice.
Why Shopify's built-in fraud analysis isn't enough
Shopify shows a fraud recommendation on the order page, but it only flags the small number of orders it considers high risk. The orders that actually catch most merchants out are the medium-risk ones — the order that's a little off but not obviously fraudulent. Shopify says little about those, and it doesn't explain why an order is risky in terms you can act on. You're left guessing.
The signals that predict fraud
Fraud rarely hides behind a single tell. It shows up as a combination of smaller signals. The ones worth watching on every order:
- Mismatched billing and shipping countries. Legitimate gift orders exist, but a billing country that differs from the shipping country is one of the strongest fraud indicators.
- A high-value first order. A brand-new customer spending a lot on their very first order — especially with expedited shipping — is worth a second look.
- Velocity. Several orders from the same IP address in a few minutes, or the same shipping address used by different customers in a day, points to card-testing or a fraud ring.
- Forwarding and reshipping addresses. Freight forwarders are a common way to move fraudulently bought goods abroad.
- Missing contact details. No phone number, or a disposable free email, makes it harder to reach a real customer — and easier for a fraudster to stay anonymous.
None of these is proof on its own. The point is to weigh them together into a single risk picture, which is exactly what an order-scoring tool does automatically.
A practical workflow
You don't need to inspect every order by hand. A workable routine looks like this:
- Score every order automatically. Let a tool assign a risk level so you only spend attention on the orders that need it.
- Verify the borderline ones. For a high-risk order, email the customer a one-click confirmation link before you ship. Real customers confirm; fraudsters don't.
- Hold or cancel the clear cases. If an order is high risk and the customer never verifies, cancel it rather than gambling on a chargeback.
- Block repeat offenders. When a domain or address burns you once, block it so the next attempt is flagged instantly.
Prepare for the chargebacks you can't avoid
Some fraud always gets through. When it does, the merchants who win disputes are the ones with evidence: the risk assessment at order time, the signals detected, timestamps, and customer data assembled in one place. Keeping that record turns a coin-flip dispute into a defensible one.
Where FraudFlag fits
FraudFlag automates this whole workflow. It scores every Shopify order against the signals above — including velocity checks Shopify doesn't offer — explains the risk in three plain-English bullets, and recommends an action. On the Pro plan it can email customers to verify high-risk orders and generate a chargeback-evidence document for disputes. It runs automatically from the moment you install it.
Frequently asked questions
What is the most common type of Shopify fraud?
Card-testing and stolen-card orders are the most common. A fraudster uses stolen card details to place an order, the real cardholder later disputes it, and the merchant loses both the product and the payment to a chargeback. Card-testing — many small rapid orders to check which stolen cards still work — often precedes it.
Who pays for a fraudulent chargeback on Shopify?
The merchant almost always does. When a cardholder disputes a charge as fraud, the funds are pulled back from the merchant, usually along with a dispute fee — even if the product already shipped. That is why catching risky orders before you fulfil them matters so much.
Can I prevent all Shopify fraud?
No tool catches everything, and any fraud score is a probability, not a certainty. The realistic goal is to catch the clearly risky orders before shipping, verify the borderline ones, and keep evidence for the disputes you do get. That combination stops the large majority of avoidable losses.