All things Shopify and commerce
We have a bot placing abandoned orders in batches of 5 every 9 hours, for over a week. They are adding hidden/locked products they should not have access to with out an approved account/login. They create a customer profile that uses a fake name, email, address and phone number, and it is the same each time even if I delete the customer, they make a new one.
We have tried three different blocker apps and they did not work. We also tried changing product urls, ReCaptcha is enabled--none of this has worked. Shopify support told us there was nothing they could do. We are really worried about whether our store is vulnerable, or our customers information is somehow compromised if this bot has access to the backend of our store.
Can anyone help?
Yes, three different ones.
Those apps won't work. 1) because it's hard to match the IP addresses with the customer because Shopify doesn't show IP addresses. 2) they change their IP
Those don't work. Shopify doesn't show IP address of abandoned cart customers so you can't Match up the IP. 2nd they change IP addresses. If you are a Shopify site owner you are a sitting duck!
We're having almost the exact same issue, except we have a $0 item hidden in our store for which they are successfully "placing orders". IP blockers aren't working (for us anyway) because the IP is different for every single order. Here's a screenshot, in case you're seeing similar patterns or anything else that might help us identify what the heck is going on:
Do we know what end game is here? Seems like 1 attempted purchase would collect the same info as 50 attempted purchases.
Has anyone found that requiring customers to create an account has prevented this issue and/or increased abandoned checkouts?
Thank you for responding! Our situation is similar, except it’s the same name over and over. Our store does require account logins, and it does not stop the bot from adding items only available to logged in customers to their cart.
We also have 5 items that are $0 and these are the only items they’re placing in the cart. The difference in our situation is that our bot is not actually reaching checkout, they just put the orders in the cart and abandon them. They do this every 9 hours, 5 abandoned orders. We now have hundreds of them because it’s been going on for weeks and Shopify just said “sorry nothing we can do.”
I also have no idea what the end game is, but it’s really annoying.
We are having a same issue.
All email used are "@rtremail.com".
Currently we created a flow that automatically cancels order if it's "$0"; however, we do want to stop these orders going through as it will mess up our analytics.
We appreciate if Shopify can step up on this issue as it seems it has become an issue of many shop owners!
Same issue for my store. First name repeated for the order and targeting a hidden section of our shop where the product costs are $0. Same "@rtremail.com" email addresses as you mentioned.
I also am concerned about analytics being messed up.
Hopefully Shopify can resolve this soon!
Many, many stores having this same issue, yet Shopify has done nothing. Please add your voice by opening a ticket with them. See "James James" issue with bots in Community
This just started happening to me last night - same name James James. And variations all from Texas or New Mexico, every 6 hrs.
I also have similar issue up to 20 attacks a day- I have created a ticket as you have suggested
I am also having many issues like this over the past week. A few hundred customer profiles have been made by abandoning checkout. And it is causing my auto email campaigns to bounce and get shut off by Shopify. I can't find any pattern unfortunately. Shopify - please help.
We are having the same issue with James James from San Antonio and have tried many of the same tactics you have to no avail. Though no damage appears to be done by these bots apart from screwing up analytics and junking up our abandoned carts folder, it is very worrying that they are able to access our carts through a back door. What is the end game here?
Same problem. Started in January. all .00 items in abandoned check out. All the same email and name James James. Delete the customer, it pops right back the next day.
Now we have a new problem, don't know if it is related. Our entire product file has shown up on a bogus website. We know it is ours because images our designer created are there. it's the ENTIRE store. Our store has the costs hidden unless you log in but on this bogus site, there they are and they are slashed and there is a banner that says 'up to 80% off'. How did they get the file? is the problem related?
Any chance you'd be willing to share (or directly message me) the bogus site in case it can offer an6 clues on what we're dealing with? I wish we weren't all going through this headache.
Holy crap! That's wild, and terrible. I have tried to access huabo114.com to see if our products are listed there but the site won't load for me. I hope that means you were successful in having it taken down. May I ask how you discovered your products were listed there, and if that site listed only your products or those belonging to other brands as well?
They are testing credit cards on your site. They have bots that enter the information. Usually its the card info, name , city, zip code. In shopify for AVS They must only verify state, city, zip code because the street is always the same. They test the cards across alot of websites until one goes through.
Today I had one of their attempts to actually go through after months and months of them trying. What does this mean for my site?
Hi, If you are still looking for a soltuion to this, you can try using the Checkout Guardian App, where in you can block all the orders based on the cart value. For Example we can set a rule to block checkout if the cart value is USD 0, which means a person wont be able to checkout if his cart value is 0. Apart from it it offer various conditions to block checkout from these fake orders.
You can have a look at it here Checkout Guardian App.
Come on. This won't work. 😅 They usually just pick the lowest price point product in the store. How would this work. Come on. Shopify needs a captcha on the check out page.
In this case, if they pick products with lowest price point, you can simply create a rule to block certain customers based on the email ID they use, mostly all of these orders are from the same email id.
Plus if you want you can block checkout based on the location also. I mean specfic zip code they enter in the checkout.
What about in my case where the email differs and the address is always the same except for the state, its always a different state?
I have a similar issue. Several new abandoned checkouts each day for the last week or two. All for the exact same product. It is NOT a $0 item as most people seem to have. It is just one of the low cost items that I offer. Different names and email addresses. Most gmail. Physical address all say "street 10 apt 2", but have different cities and zip codes. Seems like they are testing credit cards.
The same issue. "tech / street, 10 apt, 2" in all addresses.
same here! Today that one showed locations was from Russia.
Yep, Street 10 apt 2.
3-4 times a day different name different address low cost item.
Yes same issue with us. Street 10 apt 2. I will say that after a week of creating abandoned checkouts, they successfully made a purchase today. Thankfully shopify flagged it as high fraud potential, and i immediately recognized the street 10, apt 2 address, so I canceled the order. Still, I’d like to understand if there is anything to do to block them; and what is their end game? It seems that they’re always looking for the lowest cost item in the store, whether it’s $0 or another small figure.
Oh @jtstevens, I just saw what you read about testing credit cards. That makes complete sense. And it also means our sites aren’t necessarily the target of the malicious activity, but a tool to help them make a greater purchase somewhere else? In any case, what are we supposed to do about this? Can you report when a credit card succeeded?
I found this thread to have some helpful solutions: https://community.shopify.com/c/shopify-discussions/fraud-scammers-running-credit-cards-what-can-we-...
I have not had any credit cards succeed yet.
This is the same bot on my store. They are testing credit cards. They target shopify stores because shopify is negligent and doesn't offer a way to stop it. You can require customer to log in before check out which does stop the bot but will kill your conversation rate. One you change it back They will start again. Seems they are testing a few transactions across alot of Shopify stores. I had one transactions go through. It is also bad for your conversation rate because it messes up all your sales data. We need to get alot of Shopify stores together and demand they fix it.
Have you found a solution yet? Mine started a few days ago too. I'm trying to avoid the "require customer to log in" method because I don't want to kill conversions, but Shopify have not replied by with a solution yet. I'm so frustrated.
Thats the exact issue we are having
10
apt
2
STreet 10 Apt 2 I am getting for weeks now... Different names, Different emails... The same $19.95 product. Some even have failed payment attempts. Most are just abandonded carts. @Shopify you need to figure out a bot filter.
This is the exact same thing happening to me and it seems to be Brazilians (based on the names, emails sometimes ending in .br and sometimes the bank that declines the card is located in Brazil). Has been happening for months beginning only this year. They choose the cheapest item and then create accounts and abandon carts. I delete all the customers but they just create more.
same! low cost products on our website and same adress but different state everytime
It's been happening in our store since earlier this year. This increases your bounce rate, which affects conversion. Every scenario given on this page has happened to us.
I have the same issue. Might have to be a class action against Shopify for them to do something. They need to offer a captcha on the check out page.
We had the exact same problem. Spambot ordering $0.00 items that they should not have had access to as you have to be approved to order on our site. We changed all the 0 items to .01 and it seems to have stopped.
We wee very concerned that shopify said there was nothing they could do about it. Makes me wonder what other back end information is vulnerable.
Right now the issue is bots running credit cards. They are testing credit cards across shopify sites because shopify isn't doing anything to stop them. They should add a captcha to check put page. High negligence on shopifys part to allow this go occur. You can change to require customer to log in before check out but that I'd a conversion killer. We need to all get together and demand they fix it.
Yeah. I'm having the same problem right now too. Shopify doesn't seem to have a solution for this.
Hi! I found a workaround for preventing bots to actually place orders (though this doesn't solve the problem of abandoned checkouts). Note we are on the "Basic" Shopify plan, so we don't have the option to add Recaptcha to check out, which I believe would otherwise solve this issue.
Here's our workaround:
Download the Shopify Flow app (free). There's then a template within the app called "Capture payment if order is not high fraud risk". This basically leverages Shopify's Fraud analysis, which typically flags Bot activity as "High Fraud Risk". If Shopify then flags the order as High Fraud Risk, it will not automatically capture payment and instead prompts you to check the order and manually accept payment if deemed OK. See attached screenshot.
And then my workaround for abandoned checkouts is only a partial solution and doesn't work all the time (I'm not sure why!). I again use the Flow app to tag those customers that were created by Bot activity and which created the abandoned carts. This way, I can easily segment out the fake accounts and then delete those customers and just Archive / ignore the abandoned carts (not ideal but it's the best solution I've found). For me this has worked because all the bots have the same street address (street, 10 apt, 2). So I just set up a flow that recognizes that address and tags the customer as FAKE. See attached screenshot.
Thanks Immnul! This is a great option. I tried a different app that was supposed to stop the checkout with certain conditions, but I could not get it to work. However, this app seems to be doing the trick. I set up both of the flows that you put in your post, but only one of them has triggered so far. I also added an automatic deletion of the customer. Since yesterday, it has triggered 10 times and deleted all of the customers from the abandoned carts. Also, none of the carts have tested a credit card, so it seems to be stopping that before it can happen too. And none of the customers have ended up on my email automation sequences. So far so good.
Oh I'm so glad it's working for you... I've added the delete customer step on my side. However, I'm really finding the tagging based on address to be hit or miss and I'm not sure why. For example, this latest one (Kansas) Flow didn't tag the customer... but I really don't get why. Whereas for this Indiana address, it DID tag it. Do you @jtstevens have any idea why it doesn't always work? Does it always work for you? Also, are you concerned about this is affecting your tracking of conversion rate?
NOTE: I'm sharing personal information only because these are CLEARLY fake accounts
Ok. I spoke too soon. Some of mine are hit or miss now too... I think I found out why, though. If I go to an abandoned cart where it still tested a credit card and the customer was not deleted, I found that the 'customer' does not have an address, but the 'order' has a shipping address and billing address. So our trigger in Flow is on customer creation, but the customer does not have an address. I looked for other triggers that can be used, but only can see ones for order creation, which is too late.
I found another thing that I am going to try, though. On an abandoned cart, you can "Copy checkout URL", so I had a look at a few of those pages. Seems like all of my traffic is coming from locale=en-br (in the URL anyways). So I am going to try a different country blocker app.
I have the same bot... Ive spoken to Shopify 7 times. They could easily find out what this bot is and stop it but Shopify doesnt care. The only way to stop it is require log in at check out which is horrible for conversions. Ive tried Blockify to block VPNs, Block all countries except USA, Block IPs etc nothing stops it except log in before check out.
Ok. So I have a few apps in place that seem to be limiting/reducing the bot now. I was typically getting several abandoned carts per day and most were testing a credit card. Now I only had a couple in the last few days and none of them were able to test a credit card. The last app I put in place was BeSure Checkout Rules https://apps.shopify.com/checkout-rules. I am not connected to these guys at all, but the app seems pretty good. Here is the condition that I set.
I also currently have SecurityKing enabled to block all traffic from Brazil, since my checkouts have locale=en-br in the URL. However, I am not sure if it is effective since the bot goes directly to a checkout page and I am not sure if it triggers then.
I also have Shopify Flow (see previous posts) which deleted the customers from the bot abandoned carts.
Very much a bandaid solution. Shopify should fix this!
Ok. So an update. I have been able to stop mine now. Haven't had any in 4 weeks. BSure Checkout Rules seems to be the one that fixed it. Worth the few bucks a month it cost. I also still have SecurityKing and Shopify Flow (described in previous posts), but I think it is BSure Checkout Rules that finally fixed it.
By investing 30 minutes of your time, you can unlock the potential for increased sales,...
By Jacqui Sep 11, 2024We appreciate the diverse ways you participate in and engage with the Shopify Communi...
By JasonH Sep 9, 2024Thanks to everyone who participated in our AMA with 2H Media: Marketing Your Shopify St...
By Jacqui Sep 6, 2024