Fraudulant purchases

wjdmdad · ‎12-02-2024

I think that someone has somehow hacked into the locked portion of my shop. I use Locksmith (Have already reached out but haven't heard back from them yet). With Locksmith I have a members only side to my shop. When customers purchase a membership they are given access to that side of the shop and can download any of my digital products for free.

Today alone I have had 8 "purchases" from the members only side of my store that are fruad. These are new customers who have never purchased a membership and shouldn't be able to access the members products and yet somehow they are.

I moved everything on my Member side to drafts until I can figure out what is happening because I put too much work into my designs to have them all stolen. Anyone have any ideas as to how to fix this other then moving every item to manual fulfillment? I did set up the fraud filter but it isn't working...it isn't specific enough to do what I need it to do. I get a lot of orders and do not want to have to manually fulfill them all but I am not sure of another option.

JoesIdeas · ‎12-04-2024

If the member products require a password to access, then Locksmith will probably be your only solution on that.

If there isn't a password required, just secret urls, then they could be accessed by search engines, making them findable. If that's the case you can edit your theme code for those pages to be uncrawlable.

Fraud is super frustrating (I used to own a store and dealt with this too), but unfortunately law enforcement allows it to happen to easily, so I think the best thing you can do is know that it's going to happen and try to mitigate as much as possible.

If it were me, I'd switch to manual to start, analyze each order, then try to find a pattern with the fraudulent orders. Reach out to the fraudulent orders even, try to gather some intel. If they are "high risk", then that's an easy solution. If not, you can create some kind of system for accepting or rejecting orders.

If you want to automate the solution, you can do that with Order Automator. In your case, there are a couple options that come to mind:
- Set your fulfillment to manual, then create a rule(s) in Order Automator to auto fulfill only the type of orders you want to

- Turn on the Fraud Guard (a feature in the app) to automatically cancel high risk orders (or prevent them from being fulfilled)

This solution should work great, the only problem I see is that if the scammers are able to make the purchase, then you will still lose a bit on the transaction fees from the credit card companies, because those don't get refunded.

Good luck with this, I hope Locksmith can help you find a good solution. I hate seeing honest businesses get hit with fraud.

• Creator of Order Automator [auto tag, fulfill, connect FBA, daily jobs]
• Co-Creator of Product Automator [suite of features for products / collections]
• Shopify developer for 10+ years, store owner for 7 years
• Blog: Shopify Tips, Guides, and Automation Tactics

mt686 · ‎12-05-2024

It sounds like something may have gone wrong with the permissions or access rules in your Locksmith setup. Here are a few things to consider that could help you fix this without needing to manually fulfill everything:

Option 1: Double-Check Locksmith Settings

Since you're using Locksmith, it’s important to review the access rules you've set up. Even small changes can sometimes unintentionally affect who has access to your members-only content.

Review the Access Control Settings:
- Check the rules you’ve created for granting access to your membership content. If you have a specific URL or page rule, ensure that it's correctly locked behind the membership and isn't being bypassed.
Set Membership Restrictions on Products:
- In addition to locking pages, double-check that you're also applying lock settings to digital products or download links that are part of your members-only offerings. Make sure only authorized members can access them.
Audit Your Members List:
- Make sure that only active, legitimate members are being granted access and there’s no way for fraudulent accounts to bypass the system. You could even consider adding an email verification step to double-check that your users are real.

Option 2: Use Latch for Streamlined Membership Management

If you're looking for an easier way to handle this issue and prevent unauthorized access, I recommend considering Latch as a backup solution. Latch allows you to:

Lock Products In Checkout: Lock products to only members that have tags. Importantly, it will also lock them in checkout. That way, if anyone 'hacks' through to a a members only page, they'll ultimately be stopped at checkout.
Manage Tags: You can have tags auto-applied after a membership purchase, allowing customers access to products.

Friendly Disclaimer: I’m the developer behind Latch, so if you need a hand setting it up or troubleshooting, feel free to reach out!

For now, I’d keep checking Locksmith’s logs and settings, but using something like Latch could simplify the process and add extra layers of security for you. Hope that helps, and let me know if you have any more questions!

Fraudulant purchases