Re: I'm concerned about the safety of my Shopify store from bot-placed abandoned orders.

How can I stop a bot from placing abandoned orders on my ecommerce site?

elizaRAFTP
Tourist
10 0 14

We have a bot placing abandoned orders in batches of 5 every 9 hours, for over a week. They are adding hidden/locked products they should not have access to without an approved account/login. They create a customer profile that uses a fake name, email, address and phone number, and it is the same each time. Even if I delete the customer, they make a new one.

 

We have tried three different blocker apps and they did not work. We also tried changing product URLs, ReCaptcha is enabled--none of this has worked. Shopify support told us there was nothing they could do. We are really worried about whether our store is vulnerable, or our customers' information is somehow compromised if this bot has access to the backend of our store.

 

Can anyone help? 


PatrickH
Shopify Partner
12 1 3

Hi Eliza,

 

Have you tried IP blockers?

https://apps.shopify.com/easy-block-customer-ip-country

elizaRAFTP
Tourist
10 0 14

Yes, three different ones. 

 

  • Recaptcha is enabled (doesn’t prevent it)
  • Tried to block them via IP address (Blockify) but they do not check out so we don't have their IP address.
  • Tried to block them from creating a customer profile and that did not work (Fraud filter)
  • We tried to block them from visiting the store but that did not work (they are not "visiting the store") (EasyBan)
  • We tried blocking them from the backend and that worked only to prevent them from creating a customer profile but not from placing items in their cart. (Easyban)
  • We tried changing the URLs for the products they are putting in their cart (Shopify support suggestion) because they said they’re running some kind of program that is scanning product URLs and putting them in the cart (?). This did not work.

Aaron2024
Excursionist
20 0 14

Those apps won't work. 1) because it's hard to match the IP addresses with the customer because Shopify doesn't show IP addresses. 2) they change their IP

Aaron2024
Excursionist
20 0 14

Those don't work. Shopify doesn't show the IP address of abandoned cart customers so you can't match up the IP. 2nd, they change IP addresses. If you are a Shopify site owner you are a sitting duck!

ArrowsAim
Excursionist
20 0 25

We're having almost the exact same issue, except we have a $0 item hidden in our store for which they are successfully "placing orders". IP blockers aren't working (for us anyway) because the IP is different for every single order. Here's a screenshot, in case you're seeing similar patterns or anything else that might help us identify what the heck is going on:

 

Screenshot (349).png


Do we know what end game is here? Seems like 1 attempted purchase would collect the same info as 50 attempted purchases.

 

Has anyone found that requiring customers to create an account has prevented this issue and/or increased abandoned checkouts?

elizaRAFTP
Tourist
10 0 14

Thank you for responding! Our situation is similar, except it’s the same name over and over. Our store does require account logins, and it does not stop the bot from adding items only available to logged in customers to their cart.

 

We also have 5 items that are $0 and these are the only items they’re placing in the cart. The difference in our situation is that our bot is not actually reaching checkout, they just put the orders in the cart and abandon them. They do this every 9 hours, 5 abandoned orders. We now have hundreds of them because it’s been going on for weeks and Shopify just said “sorry nothing we can do.” 

I also have no idea what the end game is, but it’s really annoying. 

 

Kazu3
Visitor
1 0 2

We are having the same issue.

All emails used are "@rtremail.com".

 

Currently we created a flow that automatically cancels order if it's "$0"; however, we do want to stop these orders going through as it will mess up our analytics. 

 

We appreciate if Shopify can step up on this issue as it seems it has become an issue of many shop owners!

Darren_61
Visitor
1 0 2

Same issue for my store. First name repeated for the order and targeting a hidden section of our shop where the product costs are $0. Same "@rtremail.com" email addresses as you mentioned.

 

I also am concerned about analytics being messed up.

 

Hopefully Shopify can resolve this soon!

Ben12341
Excursionist
15 0 9

Many, many stores having this same issue, yet Shopify has done nothing.  Please add your voice by opening a ticket with them.  See "James James" issue with bots in Community

Sarahbrim
Visitor
1 0 0

This just started happening to me last night - same name James James. And variations all from Texas or New Mexico, every 6 hrs. 

mark012
Visitor
2 0 3

I also have a similar issue, up to 20 attacks a day. I have created a ticket as you have suggested.

golferlane22
Visitor
2 0 0

I am also having many issues like this over the past week. A few hundred customer profiles have been made by abandoning checkout. And it is causing my auto email campaigns to bounce and get shut off by Shopify. I can't find any pattern unfortunately. Shopify - please help. 

RealTreat
Tourist
7 0 7

We are having the same issue with James James from San Antonio and have tried many of the same tactics you have to no avail. Though no damage appears to be done by these bots apart from screwing up analytics and junking up our abandoned carts folder, it is very worrying that they are able to access our carts through a back door. What is the end game here? 

HeyChrisA
Tourist
3 0 3

Same problem. Started in January. All .00 items in abandoned checkout. All the same email and name James James. Delete the customer, it pops right back the next day.

Now we have a new problem, don't know if it is related. Our entire product file has shown up on a bogus website. We know it is ours because images our designer created are there. It's the ENTIRE store. Our store has the costs hidden unless you log in but on this bogus site, there they are and they are slashed and there is a banner that says 'up to 80% off'. How did they get the file? Is the problem related?

ArrowsAim
Excursionist
20 0 25

Any chance you'd be willing to share (or directly message me) the bogus site in case it can offer any clues on what we're dealing with? I wish we weren't all going through this headache.

HeyChrisA
Tourist
3 0 3

Yeah, the spoof website is huabo114.com

They stole 5,200 items in our database PLUS they are impersonating us with our name in their tagline. The pricing is hidden on our site, you have to login to see it. I don’t know how they could possibly have gotten the pricing. It’s not retail pricing. We are running into walls trying to get this bogus site taken down.

RealTreat
Tourist
7 0 7

Holy crap! That's wild, and terrible. I have tried to access huabo114.com to see if our products are listed there but the site won't load for me. I hope that means you were successful in having it taken down. May I ask how you discovered your products were listed there, and if that site listed only your products or those belonging to other brands as well?

Aaron2024
Excursionist
20 0 14

They are testing credit cards on your site. They have bots that enter the information. Usually it's the card info, name, city, zip code. In Shopify, for AVS, they must only verify state, city, zip code because the street is always the same. They test the cards across a lot of websites until one goes through.

Lbxs
Tourist
4 0 0

Today I had one of their attempts to actually go through after months and months of them trying. What does this mean for my site?

 

Ankit_Thakur
Shopify Partner
85 1 8

Hi, if you are still looking for a solution to this, you can try using the Checkout Guardian App, wherein you can block all the orders based on the cart value. For example, we can set a rule to block checkout if the cart value is USD 0, which means a person won't be able to check out if his cart value is 0. Apart from that, it offers various conditions to block checkout from these fake orders.

You can have a look at it here Checkout Guardian App.

Shopify Developer/Consultant
If my suggestions are useful, please let me know by giving it a like or marking it as a solution.
And if you want to customize or develop new feature on Theme or App.
Skype:-ankit.thakur_5

Aaron2024
Excursionist
20 0 14

Come on. This won't work. 😅 They usually just pick the lowest price point product in the store. How would this work. Come on. Shopify needs a captcha on the check out page. 

Ankit_Thakur
Shopify Partner
85 1 8

In this case, if they pick products with the lowest price point, you can simply create a rule to block certain customers based on the email ID they use; mostly all of these orders are from the same email ID.

Plus, if you want, you can block checkout based on the location also. I mean the specific zip code they enter in the checkout.

Lbxs
Tourist
4 0 0

What about in my case where the email differs and the address is always the same except for the state, it's always a different state?

jtstevens
Tourist
6 0 7

I have a similar issue. Several new abandoned checkouts each day for the last week or two. All for the exact same product. It is NOT a $0 item as most people seem to have. It is just one of the low cost items that I offer. Different names and email addresses. Most gmail. Physical address all say "street 10 apt 2", but have different cities and zip codes. Seems like they are testing credit cards.

Orcun
Visitor
1 0 4

The same issue. "tech / street, 10 apt, 2" in all addresses.

lazy3leather
Visitor
2 0 2

same here! Today that one showed locations was from Russia.

Shawn_Quigley
Tourist
4 0 3

Yep,  Street 10 apt 2.

3-4 times a day different name different address low cost item.

 

immnul
Tourist
10 0 5

Yes, same issue with us. Street 10 apt 2. I will say that after a week of creating abandoned checkouts, they successfully made a purchase today. Thankfully Shopify flagged it as high fraud potential, and I immediately recognized the street 10, apt 2 address, so I canceled the order. Still, I’d like to understand if there is anything to do to block them; and what is their end game? It seems that they’re always looking for the lowest cost item in the store, whether it’s $0 or another small figure.

immnul
Tourist
10 0 5

Oh @jtstevens, I just saw what you read about testing credit cards. That makes complete sense. And it also means our sites aren’t necessarily the target of the malicious activity, but a tool to help them make a greater purchase somewhere else? In any case, what are we supposed to do about this? Can you report when a credit card succeeded?

jtstevens
Tourist
6 0 7

I have not had any credit cards succeed yet.

Aaron2024
Excursionist
20 0 14

This is the same bot on my store. They are testing credit cards. They target Shopify stores because Shopify is negligent and doesn't offer a way to stop it. You can require customers to log in before checkout, which does stop the bot but will kill your conversion rate. Once you change it back they will start again. Seems they are testing a few transactions across a lot of Shopify stores. I had one transaction go through. It is also bad for your conversion rate because it messes up all your sales data. We need to get a lot of Shopify stores together and demand they fix it.

CandyQueen
Tourist
7 0 3

Have you found a solution yet? Mine started a few days ago too. I'm trying to avoid the "require customer to log in" method because I don't want to kill conversions, but Shopify have not replied with a solution yet. I'm so frustrated.

khalo
Visitor
2 0 1

That's the exact issue we are having: 10 apt 2

404
Excursionist
11 0 14

Street 10 Apt 2 I am getting for weeks now... Different names, different emails... The same $19.95 product. Some even have failed payment attempts. Most are just abandoned carts. @Shopify you need to figure out a bot filter.

Lbxs
Tourist
4 0 0

This is the exact same thing happening to me and it seems to be Brazilians (based on the names, emails sometimes ending in .br and sometimes the bank that declines the card is located in Brazil). Has been happening for months beginning only this year.  They choose the cheapest item and then create accounts and abandon carts. I delete all the customers but they just create more.

 

lotusboutique
Visitor
1 0 0

Same! Low cost products on our website and same address but different state every time.

Aaron2024
Excursionist
20 0 14

I have the same issue. Might have to be a class action against Shopify for them to do something.  They need to offer a captcha on the check out page.

HeyChrisA
Tourist
3 0 3

We had the exact same problem.  Spambot ordering $0.00 items that they should not have had access to as you have to be approved to order on our site.  We changed all the 0 items to .01 and it seems to have stopped.

We were very concerned that Shopify said there was nothing they could do about it. Makes me wonder what other back end information is vulnerable.

Aaron2024
Excursionist
20 0 14

Right now the issue is bots running credit cards. They are testing credit cards across Shopify sites because Shopify isn't doing anything to stop them. They should add a captcha to the checkout page. High negligence on Shopify's part to allow this to occur. You can change to require customers to log in before checkout but that is a conversion killer. We need to all get together and demand they fix it.

CandyQueen
Tourist
7 0 3

Yeah. I'm having the same problem right now too. Shopify doesn't seem to have a solution for this. 

immnul
Tourist
10 0 5

Hi! I found a workaround for preventing bots to actually place orders (though this doesn't solve the problem of abandoned checkouts). Note we are on the "Basic" Shopify plan, so we don't have the option to add Recaptcha to check out, which I believe would otherwise solve this issue.

 

Here's our workaround:

Download the Shopify Flow app (free). There's then a template within the app called "Capture payment if order is not high fraud risk". This basically leverages Shopify's Fraud analysis, which typically flags Bot activity as "High Fraud Risk". If Shopify then flags the order as High Fraud Risk, it will not automatically capture payment and instead prompts you to check the order and manually accept payment if deemed OK. See attached screenshot.

 

And then my workaround for abandoned checkouts is only a partial solution and doesn't work all the time (I'm not sure why!). I again use the Flow app to tag those customers that were created by Bot activity and which created the abandoned carts. This way, I can easily segment out the fake accounts and then delete those customers and just Archive / ignore the abandoned carts (not ideal but it's the best solution I've found). For me this has worked because all the bots have the same street address (street, 10 apt, 2). So I just set up a flow that recognizes that address and tags the customer as FAKE.  See attached screenshot. 

immnul_1-1717506218785.png

 

immnul_0-1717506186583.png

 

jtstevens
Tourist
6 0 7

Thanks Immnul! This is a great option. I tried a different app that was supposed to stop the checkout with certain conditions, but I could not get it to work. However, this app seems to be doing the trick. I set up both of the flows that you put in your post, but only one of them has triggered so far. I also added an automatic deletion of the customer. Since yesterday, it has triggered 10 times and deleted all of the customers from the abandoned carts. Also, none of the carts have tested a credit card, so it seems to be stopping that before it can happen too. And none of the customers have ended up on my email automation sequences. So far so good.

jtstevens_0-1717594729674.png

 

immnul
Tourist
10 0 5

Oh I'm so glad it's working for you... I've added the delete customer step on my side. However, I'm really finding the tagging based on address to be hit or miss and I'm not sure why. For example, this latest one (Kansas) Flow didn't tag the customer... but I really don't get why. Whereas for this Indiana address, it DID tag it. Do you @jtstevens have any idea why it doesn't always work? Does it always work for you? Also, are you concerned about this affecting your tracking of conversion rate?

immnul_0-1717613884607.png

immnul_1-1717614004947.png

NOTE: I'm sharing personal information only because these are CLEARLY fake accounts

jtstevens
Tourist
6 0 7

Ok. I spoke too soon. Some of mine are hit or miss now too... I think I found out why, though. If I go to an abandoned cart where it still tested a credit card and the customer was not deleted, I found that the 'customer' does not have an address, but the 'order' has a shipping address and billing address. So our trigger in Flow is on customer creation, but the customer does not have an address. I looked for other triggers that can be used, but only can see ones for order creation, which is too late.

I found another thing that I am going to try, though. On an abandoned cart, you can "Copy checkout URL", so I had a look at a few of those pages. Seems like all of my traffic is coming from locale=en-br (in the URL anyways). So I am going to try a different country blocker app.
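The address-based tagging discussed in the posts above, written out as an added example that is not part of any poster's message or of Shopify's own tooling: it normalizes punctuation variants of the reported address and checks the checkout's shipping and billing addresses as well as the customer's, which is the gap described in the preceding post. The record layout and field names are hypothetical and the sample records are constructed.

```python
import re

# Indicators reported by posters in this thread (not an official list).
BOT_ADDRESS = re.compile(r"\bstreet 10 apt 2\b")
BOT_EMAIL_DOMAINS = {"rtremail.com"}
ADDRESS_FIELDS = ("customer_address", "shipping_address", "billing_address")

def normalize_address(addr):
    """Join address lines, lower-case, and reduce punctuation to single spaces."""
    parts = [addr.get("line1") or "", addr.get("line2") or ""] if addr else []
    return re.sub(r"[^a-z0-9]+", " ", " ".join(parts).lower()).strip()

def reasons_for(rec):
    """Return the thread-reported indicators that one checkout record hits."""
    hits = []
    # Check every address on the record: the customer object may have none
    # while the checkout still carries shipping and billing addresses.
    for field in ADDRESS_FIELDS:
        if BOT_ADDRESS.search(normalize_address(rec.get(field))):
            hits.append(f"bot address in {field}")
            break
    domain = (rec.get("email") or "").rpartition("@")[2].lower()
    if domain in BOT_EMAIL_DOMAINS:
        hits.append("reported email domain")
    first, last = rec.get("first_name") or "", rec.get("last_name") or ""
    if first and first.strip().lower() == last.strip().lower():
        hits.append("first name equals last name")
    if rec.get("total") == 0:
        hits.append("zero-value cart")
    return hits

def classify(rec):
    """FAKE on a strong indicator (address or domain), REVIEW on weak ones only."""
    hits = reasons_for(rec)
    strong = [h for h in hits
              if h.startswith("bot address") or h == "reported email domain"]
    return ("FAKE" if strong else "REVIEW" if hits else "OK"), hits

# Constructed sample records; field names are hypothetical, not Shopify's schema.
SAMPLES = [
    {"id": 1, "email": "a@example.com", "first_name": "Ana", "last_name": "Silva",
     "total": 19.95, "customer_address": None,
     "shipping_address": {"line1": "tech / street, 10", "line2": "apt, 2"}},
    {"id": 2, "email": "jj@RTRemail.com", "first_name": "James",
     "last_name": "James", "total": 0, "customer_address": None},
    {"id": 3, "email": "b@example.com", "first_name": "Bo", "last_name": "Lee",
     "total": 42.0,
     "shipping_address": {"line1": "12 Elm Street 10", "line2": "Apt 20"}},
    {"id": 4, "email": "c@example.com", "first_name": "Kim", "last_name": "Kim",
     "total": 8.0, "shipping_address": {"line1": "5 Oak Ave", "line2": ""}},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["id"], *classify(rec))
```

Record 3 shows why the pattern is anchored on word boundaries: "Street 10 / Apt 20" is a plausible real address and is not tagged.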

Aaron2024
Excursionist
20 0 14

I have the same bot... I've spoken to Shopify 7 times. They could easily find out what this bot is and stop it but Shopify doesn't care. The only way to stop it is to require log in at checkout, which is horrible for conversions. I've tried Blockify to block VPNs, block all countries except USA, block IPs etc. Nothing stops it except log in before checkout.

 

jtstevens
Tourist
6 0 7

Ok. So I have a few apps in place that seem to be limiting/reducing the bot now. I was typically getting several abandoned carts per day and most were testing a credit card. Now I only had a couple in the last few days and none of them were able to test a credit card. The last app I put in place was BeSure Checkout Rules https://apps.shopify.com/checkout-rules. I am not connected to these guys at all, but the app seems pretty good. Here is the condition that I set. 

jtstevens_0-1718627669316.png

 

I also currently have SecurityKing enabled to block all traffic from Brazil, since my checkouts have locale=en-br in the URL. However, I am not sure if it is effective since the bot goes directly to a checkout page and I am not sure if it triggers then.

 

I also have Shopify Flow (see previous posts) which deleted the customers from the bot abandoned carts. 

 

Very much a bandaid solution. Shopify should fix this!

 

jtstevens
Tourist
6 0 7

Ok. So an update. I have been able to stop mine now. Haven't had any in 4 weeks. BSure Checkout Rules seems to be the one that fixed it. Worth the few bucks a month it cost. I also still have SecurityKing and Shopify Flow (described in previous posts), but I think it is BSure Checkout Rules that finally fixed it.

DRIVEAUTO
Visitor
2 0 0

This is the exact same bot that is attacking my abandoned cart too!! Exact same information.