We have a bot placing abandoned orders in batches of 5 every 9 hours, for over a week. They are adding hidden/locked products they should not have access to without an approved account/login. They create a customer profile that uses a fake name, email, address and phone number, and it is the same each time; even if I delete the customer, they make a new one.
We have tried three different blocker apps and they did not work. We also tried changing product URLs, and ReCaptcha is enabled; none of this has worked. Shopify support told us there was nothing they could do. We are really worried about whether our store is vulnerable, or our customers' information is somehow compromised if this bot has access to the backend of our store.
Can anyone help?
I have the same issue. Might have to be a class action against Shopify for them to do something. They need to offer a captcha on the checkout page.
We had the exact same problem. Spambot ordering $0.00 items that they should not have had access to as you have to be approved to order on our site. We changed all the 0 items to .01 and it seems to have stopped.
We were very concerned that Shopify said there was nothing they could do about it. Makes me wonder what other back end information is vulnerable.
Right now the issue is bots running credit cards. They are testing credit cards across Shopify sites because Shopify isn't doing anything to stop them. They should add a captcha to the checkout page. High negligence on Shopify's part to allow this to occur. You can change to require customers to log in before checkout, but that is a conversion killer. We need to all get together and demand they fix it.
Yeah. I'm having the same problem right now too. Shopify doesn't seem to have a solution for this.
Hi! I found a workaround for preventing bots from actually placing orders (though this doesn't solve the problem of abandoned checkouts). Note we are on the "Basic" Shopify plan, so we don't have the option to add Recaptcha to checkout, which I believe would otherwise solve this issue.
Here's our workaround:
Download the Shopify Flow app (free). There's then a template within the app called "Capture payment if order is not high fraud risk". This basically leverages Shopify's Fraud analysis, which typically flags Bot activity as "High Fraud Risk". If Shopify then flags the order as High Fraud Risk, it will not automatically capture payment and instead prompts you to check the order and manually accept payment if deemed OK. See attached screenshot.
And then my workaround for abandoned checkouts is only a partial solution and doesn't work all the time (I'm not sure why!). I again use the Flow app to tag those customers that were created by Bot activity and which created the abandoned carts. This way, I can easily segment out the fake accounts and then delete those customers and just Archive / ignore the abandoned carts (not ideal but it's the best solution I've found). For me this has worked because all the bots have the same street address (street, 10 apt, 2). So I just set up a flow that recognizes that address and tags the customer as FAKE. See attached screenshot.
Thanks Immnul! This is a great option. I tried a different app that was supposed to stop the checkout with certain conditions, but I could not get it to work. However, this app seems to be doing the trick. I set up both of the flows that you put in your post, but only one of them has triggered so far. I also added an automatic deletion of the customer. Since yesterday, it has triggered 10 times and deleted all of the customers from the abandoned carts. Also, none of the carts have tested a credit card, so it seems to be stopping that before it can happen too. And none of the customers have ended up on my email automation sequences. So far so good.
Oh I'm so glad it's working for you... I've added the delete customer step on my side. However, I'm really finding the tagging based on address to be hit or miss and I'm not sure why. For example, this latest one (Kansas) Flow didn't tag the customer... but I really don't get why. Whereas for this Indiana address, it DID tag it. Do you @jtstevens have any idea why it doesn't always work? Does it always work for you? Also, are you concerned about this affecting your tracking of conversion rate?
NOTE: I'm sharing personal information only because these are CLEARLY fake accounts
Ok. I spoke too soon. Some of mine are hit or miss now too... I think I found out why, though. If I go to an abandoned cart where it still tested a credit card and the customer was not deleted, I found that the 'customer' does not have an address, but the 'order' has a shipping address and billing address. So our trigger in Flow is on customer creation, but the customer does not have an address. I looked for other triggers that can be used, but only can see ones for order creation, which is too late.
I found another thing that I am going to try, though. On an abandoned cart, you can "Copy checkout URL", so I had a look at a few of those pages. Seems like all of my traffic is coming from locale=en-br (in the URL anyways). So I am going to try a different country blocker app.
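The mismatch described in the post above (the customer record has no address, while the abandoned checkout carries the shipping and billing address) can be checked offline against exported checkout data. This is an added example, not part of the thread and not Shopify's or any app's code; the record shape and field names (`shipping_address`, `billing_address`, `checkout_url`, `total_price`, `default_address`) are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators reported in the thread; tune them to your own store.
BOT_ADDRESS = "street 10 apt 2"
BOT_LOCALE = "en-br"
MIN_TOTAL = 1.00  # one poster rejected every order under $1.00

def normalize_address(addr):
    """Join both address lines, lowercase, drop punctuation, collapse spaces."""
    if not addr:
        return ""
    text = " ".join(str(addr.get(k) or "") for k in ("address1", "address2"))
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())

def url_locale(url):
    """Return the lowercased 'locale' query parameter of a checkout URL."""
    values = parse_qs(urlparse(url or "").query).get("locale", [])
    return values[0].lower() if values else ""

def bot_signals(checkout):
    """List which indicators a checkout record (hypothetical shape) matches."""
    signals = []
    # Check the checkout's own addresses first: the customer may have none.
    for field in ("shipping_address", "billing_address"):
        if normalize_address(checkout.get(field)) == BOT_ADDRESS:
            signals.append(field)
    customer = checkout.get("customer") or {}
    if normalize_address(customer.get("default_address")) == BOT_ADDRESS:
        signals.append("customer_address")
    if url_locale(checkout.get("checkout_url")) == BOT_LOCALE:
        signals.append("locale")
    if float(checkout.get("total_price") or 0) < MIN_TOTAL:
        signals.append("low_total")
    return signals

# Constructed sample records, not real store data.
SAMPLES = [
    {"id": 1, "customer": {"default_address": None}, "total_price": "0.98",
     "shipping_address": {"address1": "STREET 10", "address2": "APT 2"},
     "checkout_url": "https://shop.example/checkouts/c1?key=k&locale=en-BR"},
    {"id": 2, "billing_address": {"address1": "Street, 10 Apt, 2"},
     "total_price": "19.95", "checkout_url": "https://shop.example/checkouts/c2?key=k"},
    {"id": 3, "shipping_address": {"address1": "12 Elm Rd"}, "total_price": "42.00",
     "checkout_url": "https://shop.example/checkouts/c3?locale=en-US"},
]
if __name__ == "__main__":
    for record in SAMPLES:
        print(record["id"], bot_signals(record))
```

Record 1 is caught even though its customer has no address, which is the case a customer-creation trigger misses; record 2 shows why a price threshold alone would not catch the $19.95 tests reported later in the thread.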
I have the same bot... I've spoken to Shopify 7 times. They could easily find out what this bot is and stop it, but Shopify doesn't care. The only way to stop it is to require log in at checkout, which is horrible for conversions. I've tried Blockify to block VPNs, Block all countries except USA, Block IPs, etc. Nothing stops it except log in before checkout.
Ok. So I have a few apps in place that seem to be limiting/reducing the bot now. I was typically getting several abandoned carts per day and most were testing a credit card. Now I only had a couple in the last few days and none of them were able to test a credit card. The last app I put in place was BeSure Checkout Rules https://apps.shopify.com/checkout-rules. I am not connected to these guys at all, but the app seems pretty good. Here is the condition that I set.
I also currently have SecurityKing enabled to block all traffic from Brazil, since my checkouts have locale=en-br in the URL. However, I am not sure if it is effective since the bot goes directly to a checkout page and I am not sure if it triggers then.
I also have Shopify Flow (see previous posts) which deleted the customers from the bot abandoned carts.
Very much a bandaid solution. Shopify should fix this!
Ok. So an update. I have been able to stop mine now. Haven't had any in 4 weeks. BSure Checkout Rules seems to be the one that fixed it. Worth the few bucks a month it cost. I also still have SecurityKing and Shopify Flow (described in previous posts), but I think it is BSure Checkout Rules that finally fixed it.
This is the exact same bot that is attacking my abandoned cart too!! Exact same information.
Ok, I think we have been able to solve this for now. We tried all the bot detector apps etc., nothing worked. Then we changed the checkout page from one page to 3 pages - not sure how much of a hit conversion will take, but the bots seem to have gone. We plan to go back to single page checkout in a few days.
Great idea. Better than requiring log in before checkout.
This is a great tip. Thank you. We're going through the same on one of my customer's shops.
Hi! I've tried this on our store but we still get bot orders and abandoned checkouts. Is it still working on your end?
The bots were testing credit cards with a .98 cent package protection item and Shopify support did nothing for us. After testing multiple apps the only one that worked was the "Cart Block" app. I had it set to reject all orders under $1.00 so it won't even allow them to check out. Good luck!
same with my shop
They are targeting a $19.95 item on my store. Different names, different emails, but always STREET 10 APT 2. Some have failed payment attempts, some are just carts.
They are testing $7.57 and $15.95 on my store. Different names but same Street 10 Apt 2 as well.
How did you do this?
I have received many signups to my newsletter from the email domain "rtremail.com" which I suspect of being a bot and not a real email address. I've searched online for more information about rtremail and all I keep getting are links about Right to Represent documents from recruiters. Can someone please confirm that I can delete these @rtremail.com subscribers because they are not real?
I just got off of a Live Chat with @Shopify. I gave them this link as well. This is a REAL issue that Shopify needs to get control of. It is not our job to pay for IP blockers. They need to beef up their security on this platform. This is not a SALES issue, this is Shopify being used for illegal activity outside the scope of us selling things on their platform.
Glad I found this thread because this was driving me crazy. I am getting exactly the same thing here. Only in our abandoned carts, none had any credit card attempts. Talked to Shopify and like everyone else said, they don't seem to care or have any helpful suggestions.
Someone on Reddit r/shopify suggested I try adding Cloudflare. Has anyone found a way to block these? No financial damage done so far, but just annoying and a little worrisome.
Try https://apps.shopify.com/kedra-shield-website-security, the bot blocker feature.
One of those many attempts on my store was actually successful today. The order went through and now I am not sure what to do. Have you been able to fix the problem?
Cancel the order so you don't get a chargeback.
They targeted a specific item - I just got rid of it - POOF they stopped
If you're being targeted you need to simply take away the bullseye. It was a random cheapo listing that I had that didn't really sell anyway.
Consider using a bot filter app like Kedra Shield. It blocks bots by hiding your site’s content and preventing them from accessing your store. Enabling VPN block can also help: https://apps.shopify.com/kedra-shield-website-security
Have you found a solution for this? Because it's killin' me.
I wonder, do you use a separate domain for accounts? Like accounts.ElizaRAFTP.com? I do.
Could that be the issue?