Re: How to stop bot from placing fake orders?

@emmak18 can you check the fake customers and see if they all have the same domain in their email address? Ours all use the same email domain.

All same domain rtremail .com. It was registered a little over a week ago. They are using a catch all for their mail server so the emails dont bounce.

Yes they are all coming from the rtremail like Steve mentioned. We just received more as of a few minutes ago. Trying to change all items at $0 to a cent. But they are still getting into our password protected pages. 

Hello Emma, you can use the Cart Lock app to block all online orders if the cart total amount is less than 1. Or if it's the same bot every time, tag that bot account with a customer tag and block that bot account from placing the order. Follow these steps below:

1. Open the app and click on the "Add a new rule" button.
2. Click "Add a new condition" and select the "Customer tags" option.
3. Select "Block if found" and add the "Bot" in the "Customer tags" field.
4. Save the rule.

Now the bot cannot place any order in your store.

This sounds great! I just installed it and set my rule. Would you know what the second check box means: "block orders if any error occurs or app fails"? because I am trying to block the orders of $0.00 which is not even clear HOW these bots are getting the items to the checkout. Thanks.

Hi @Elizabeth007 , actually you cannot tag a bot since they don't have a single customer account in your store. So it's better to use the "Block if less than" feature of the Cart Lock app. Please watch the video below to understand what I mean.

Can you add Recaptcha v3 to the settings > customer accounts > URL link?

How did you do the server side verification?

@shamsulhuda There is no option to add reCAPTCHA v3 to the Customer Account URL (direct link) which is how the bot is creating new accounts on our client's store.

How can you add captcha to check out if you aren't on plus. I have bots testing credit cards but no way to stop them on Shopify.  Contacted Shopify 4 times for assistance they don't really care. Their app is just a flow to cancel high risk orders.  What a joke. Shopify is highly negligent and seems to be affecting many stores. On Magento we had invisible Google captchas and never had issues. I don't understand why shopify just doesn't fix this. 

No fix yet. This is a server side issue. I dont think we can fix it. This is the 2nd part of their attack. The next phase is going to be the real problem. I can see many paths forward where they can cause major damage.

More waves keep coming. 109 orders so far and noticed over 5,300 abandoned shopping carts since 1/26.

Were you able to move the orders out of unfulfilled? I hate to cancel but still have them sitting as unfulfilled orders 

Shopify Partner Support said their dev team asked to keep the fake accounts and orders in our store while they investigate. I would really like to delete them but have not heard anything from them in two days.

I filed a complaint here with NameCheap.com where the rtremail.com domain is registered. I know they can always register another domain but I figured it was worth the 3 minutes it took to report the abuse.

Please contact Shopify support and ask them to disable the Customer Account URL — that is how the bot is able to create accounts on our client's private store.

HI there, I having the same issue with the bots creating fake customers in every min. Does shopify help you to disable this link and does it work for you? I am still discussing with shopify advisor to see how to solve this, but this is crazy issue! 

@studioz Shopify does not have a way to disable this link. When you talk to customer support, please request this feature.

is this solution working ? have you tried it ?

@Moutasim1 This and the other two steps we tool are working but still require monitoring since they will work as long as the bot doesn't create a new account or uses a new domain name.

Here is what we did, one of these steps or all together have been working for us:

1. Implemented the Flow app option described in my comment above
2. Tagged fake accounts and added code to block customers from logging in as described in this post
3. Set up an alias Domain without SSL to show a warning for the Customer Account URL form—Click "learn more" for instructions

Hope this helps.

Thanks @cna_az ill try these 

That is just a band-aid. If they start doing the same thing with another domain, you play whack a mole. If they start doing it with a gmail or other big provider, we are screwed.

@Steve82  Which is why we need the ability to deactivate this link from the Shop Admin AND Shopify needs to add ReCaptcha to the form. Please ask Shopify support to pass this request urgently to the Shopify Dev tem.

We have been having fake orders coming in at 0.00 for product codes not in our store (UPC). They are coming from Gmail emails. Any idea how to prevent this? 

Can anyone share a screenshot of this workflow? Having trouble with the syntax to call the customer account for deletion.

I  am having the same issue.  I added an app to try and Block the IP address but that has not worked.  The app came back to suggest the below - which I've not tried yet - but I'm about to:-

After a through investigation we suspect that these accounts are being created from outside of the online store scope, and that is why Blocky is not blocking them.
However, there is a simple solution to that that our other users have toggled, that only requires minor settings change:

Go to the Settings and turn on Shopify's new customers account features from here: https://admin.shopify.com/store/ardmoor.myshopify.com/settings/customer_accounts Click on the blue ""Edit"" button and then choose the ""New Customers Accounts"" option, then click Save.

Then, please go to https://admin.shopify.com/store/ardmoor.myshopify.com/settings/checkout and tick the ""Require the customer to log in to their account before checkout"".
These 2 settings will terminate the attack, and you can switch back the settings afterwards. :$"

This does work but will kill conversions. It won't be worth staying on Shopify because your conversions will be so low because customers will abandoned check out.

Or to pay more money to "fix" it. This should not be a fix that costs money, shopify should fix it. Looking at @Ankit_Thakur posts, they are just promoting/spamming that plugin and another one via copy and paste. I'll pass on even looking at that.

This app caused new issues. 1 being blocking countries from seeing my website. 

Hi Elizabeth007

Thank you for sharing your problem and solution! I have had around 30+ $0 in the past 2 months. Somehow the bots access a private library with $0 products reserved for subscribers only. Can you share your workflow (from Flow) with us? I created one but I am not sure if I am using the right parameters.  Thank you in advance, 

Flavia 

Obviously so they make more money like so many other very basic features that should be included by default in the most basic plan on any decent service.