How can I prevent creation of fake customer accounts on my online store?

How can I prevent creation of fake customer accounts on my online store?

Greg15
Excursionist
21 1 6

At my Shopify store there is someone who has created over 100 bogus customer accounts - each with a different fake email address.  There are no orders, just bogus accounts.   I have no idea what the purpose of this would be.  Is there a way to deny access to specific domains, such as Fakemail.com?

Replies 42 (42)

Kimi
Shopify Staff
1511 169 266

Hi, @Greg15.

For context, there are bots that disguise themselves as normal browser traffic that can create multiple customer accounts on stores. To help address this issue, we've noticed that stores on Shopify have experienced reduced fake customer accounts and spam emails by adding a Google reCaptcha to their site. Google reCaptcha helps analyse the behaviour of visitors to online stores and blocks spam from bots. So I highly recommend setting this up on your store if you haven't already done so.

Can you also elaborate what you mean in regards to blocking certain domains? Do you mean to block specific email addresses from being able to create a customer account on your store, or from accessing your storefront altogether?

Kimi | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Greg15
Excursionist
21 1 6

Blocking specific email addresses would probably be futile.  I was referring to the domain name in my post such as "Fakemail.com".  Every bogus account had an email address like [email protected], or [email protected].

I will have to look into some examples of the recaptcha.  I have encountered this on some websites and got so frustrated at the complicated process that I gave up on the order.   Thanks for the idea.

Kimi
Shopify Staff
1511 169 266

@Greg15

If your online store is open to the public without any customer login required, there wouldn't be a way to block a group of email addresses that are attached to a specific domain. Because these are also most likely bots, the best way to minimise this issue is to look into adding Google reCaptcha as noted in my earlier reply. Totally understand your concern though in the extra step and process it will add for customers on their end, so as you mentioned you can look into it further first and trial it before committing.

For future reference, if you do happen to come across specific customers from a certain location that are spam in nature and would like to block them from browsing your store, installing an IP blocker app like this one should help.

Kimi | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Anna_O
Excursionist
18 0 5

Our store is password protected. Moreover, since we sell to dental professionals only, we manually vet every new web registration. Yet every day we get 2-3 bot accounts created without any registration requests. They somehow bypass the registration form, we never see them as pending registrations, they just appear among our customers on the Shopify back-end. At first, we thought it was targeted at our store, but those accounts never do anything, they don't place orders, they just sit among the customers. We delete them anyway, but now we suspect this targets Shopify. Guys, you at Shopify, should take this seriously before it's too late.

shroomability
Tourist
4 0 1
They are joining your site by subscribing to your newsletter. Even if
you don't have that field showing it does not matter because the bots
join anyway.
Anna_O
Excursionist
18 0 5

Nope. I see them in Klaviyo (because of the integration with Shopify), but they are not subscribed to our Newsletter.

khoff
Shopify Partner
47 0 41

I am checking our Klaviyo account now as our spammy/bot sign ups in Shopify all have the subscribed box checked in their fake accounts.
Example of what I am seeing with our fake accounts.

Shopify-fake-customer-Screenshot 2023-05-05 093448.png

khoff
Shopify Partner
47 0 41

@Anna_O I agree these fake customer sign ups are definitely an attack on Shopify and Shopify store owners. I manage a few other stores on other platforms and do not have this issue. (They also do not automatically create customers which is another issue altogether.) Shopify needs to work on getting this stopped before there is a security breach. 

 

I am sure they are waiting for a partner to come up with a solution but waiting on a pay to use third party app to fix a potential security issue is not good business. 

PR1RobertC
Tourist
4 0 2

Kimi, Apologies for my callousness, but this doesn't at all help the situation and it's frustrating that you've gone quite immediately after the original poster clarified that their store is password protected. 

We are having the same exact issue on our shopify, and we deal with sensitive data so we can not have this happen. We even have Captchas enabled and they still show up under our customers. 

adfuel
Excursionist
19 0 12

We're getting crushed by these too.  Typical of shopify to marked it solved with a lame lazy answer though.

 

DivellaD
Excursionist
12 0 10

It's more complicated than that. I have reCaptcha enabled and it does nothing to prevent these @fakemail.com addresses from subscribing. Furthermore, I use Klaviyo and all these submissions are added to my customer profiles there. Speaking with your team I was told it is a Klaviyo issue and to use reCaptcha and/or double opt in (we've tested both), but both are already enabled. It is not a Klaviyo issue.

Muriel_Santos
Tourist
4 0 7

It looks like the "solution" doesn't work and still no other answers here to help us out. Any news on your side? So frustrating! I just got 42 "new subscribers" from this fakemail under the same name (Mark Mustermann) and all of them started check out and left. It's making me nervous!

DivellaD
Excursionist
12 0 10

Just got another 48 today. This is getting ridiculous! There NEEDS to be a way we can block someone from creating an account!

Kimi
Shopify Staff
1511 169 266

Hi @DivellaD and @Muriel_Santos.

 

At this stage, installing an app such as Shop Protector would be the best way to help protect your store. This app should help with stopping fake account creations, bogus newsletter sign-ups and checkouts created by bots. The app's also been highly rated by a lot of our merchants, so I recommend taking a closer look at it to see if it will suit your needs. Because this app has been created by a third-party developer though, you can contact the app's support team directly if you have any app-specific questions.

 

I can definitely see how important it is to be able to have a feature natively within the Shopify admin to further help with managing spams and bots, however. Because of this, I'll pass on the information and thoughts you've shared here with me to our developers. Shopify is ever-growing and we're always looking at solutions to improve our platform. We can only do so with feedback from our merchants, so it's always greatly appreciated when you share your thoughts and feedback with us.

Kimi | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Sasmari
Visitor
2 0 1

I have thousands of fake accounts that are created on my Shopify site in the last month!!! Before that I never had this issue. It is actually horrible. I have downloaded this APP you mention here and it does nothing at all. PLease advise as this is ridiculous now!!!

awilliamsonm
Visitor
1 0 3

I have the same Mark Mustermann fake accounts that appeared at my store today... about 100 accounts.  This happened about 5 or 6 months ago too (same name).  It is frustrating to have to remove these from all systems once you see them.  In Klaviyo, it shows a pattern of subscribing and adding a product to the cart and then abandoning.  I'm guessing I got one fake account for every product on my site. 

 

I'm a little confused at a solution here.

CorinnesCustom
Tourist
3 0 9

The solution is always spend more money. Buy yet another shopify app. 

rbortner
Tourist
7 0 16

I also have the same account. This Mark guy sure is prolific, lol

 

CorinnesCustom
Tourist
3 0 9

I have the same bot name! I bet it's Shopify hiring people to act as bots to inflate shop activity. As you may have heard Shopify's stock price is plummeting. I like how their only solution is a paid app that costs $3.49/month to stop this issue.

khoff
Shopify Partner
47 0 41

Paid apps are their only responses. 

adfuel
Excursionist
19 0 12

Just so you know.  "Mark Mustermann" is google reviewing your site.

khoff
Shopify Partner
47 0 41

@adfuel I have not had the pleasure of having Mark Mustermann creating accounts. (yet) all mine are either junk names like OUHBVJBd (for both first and last names). Then there are also the duplicates coming from anyone that uses the app versus the web.

adfuel
Excursionist
19 0 12

Yes, we're getting tons of those random accounts as well.  I think most of them are probably google reviewers.  Often times, when they're checking discount codes etc in the cart, they'll leave  650-253-0000 as their phone number, which is Google's Customer Support number.

adriprints
Excursionist
15 0 5

The name "Mark Mustermann" is what they use in German-speaking countries as their sample data, kind of like John or Jane Doe in English.

 

I'm getting lots of junk customers, but I don't have Klaviyo. I realized I had an option to create a customer account on my site, turned on reCaptcha, and still it's happening. It's to a lesser degree than before, but still it is worrisome to have bots crawling all over Shopify sites and the solution given is not internal. Very disappointing.

khoff
Shopify Partner
47 0 41

It is not a Klaviyo issue. We only started using Klaviyo and have had this issue since day one with Shopify. I have just been deleting them for now, but it sounds like this is going to escalate on me and I would like a working solution before that. We had to turn off the recaptcha in Shopify because it was causing too many problems for our real customers that needed to log into the site. 

pete8314
Excursionist
12 0 19

Love how Shopify marks these things as solved, when they're clearly not. 

 

Anyway, we noticed the same issue, as we ended up sending 134 postcards (via PostPilot) to "Mark Mustermann".

 

Shopify Flow still doesn't support the ability to delete accounts, so I've created a Flow to at least tag the customer (which removed them from all Klaviyo/PostPilot lists), and then open a ticket for one of the team to delete the account.

 

pete8314_0-1663084948695.png

 

Anyone actually called Mark Mustermann is going to be disappointed. Sorry actual Mark.

pete8314
Excursionist
12 0 19

I felt bad for Mark. Added a condition to see if he spends money before deleting, so far none of the 134 Mark Mustermann's have.

 

pete8314_1-1663085473155.png

 

rbortner
Tourist
7 0 16

Wow, that's quite the procedure (and time spent) for one spammer! But I understand given that you spent real money to mail him something. 

pete8314
Excursionist
12 0 19

134 versions of the same spammer, so add up the costs of PostPilot, Klaviyo etc, it's something. 

 

pete8314_0-1663097395060.png

 

Tony47
Excursionist
15 0 12
It is absolutely Google Bot - or one of a myriad of their (essential) bots. DO NOT block the traffic or IP addresses, just segment out of your marketing flows (email domain including 'fakemail' email name including 'fake' etc.. add customer name 'Mark Mustermann' if you like though there must be a legit person somewhere) and delete.

After initially freaking out my store was being attacked over and over again for months - this is what I've now learnt:

Aside from the name, email and domain, other giveaways it's not just any malicious bot (100% bounce rate, average session time 0 seconds, browser: headless chrome/ Linux etc) is the geolocation: Ashburn VA, (or Chicago).
You can confirm your Mark Mustermann's by exporting any one of them from your Shopify customers list and looking at the User Agent. It will include the bot name (for example "/Storebot-Google/") and then cross-check that against Google's official crawler list: 
https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers

(in my case and prob most storeholders, it's the Storebot)

70% of the world’s internet traffic flows Ashburn, VA (Google and AWS data centers). Trillions and trillions of daily searches. Generally, Google is pretty good at filtering their bots from your site. Every now and again my ecomm store gets a spike in these bots (primarily via checkout, adding every product I have to cart as a separate fake user, including Google LLC phone number, and then removing from cart).
This can negatively affect your rep with email service providers if you then send out email automations, ie abandon cart sequences (or add them to campaigns), to these fake emails that then bounce (hence, segment them out).

Also, it skews your analytics (ironically, Google Analytics) for the day/week/month, and then your CPC, etc. Filtering out of analytics is harder imo (probably why I haven't done it yet)

https://www.envano.com/2020/01/what-is-bot-traffic-and-how-to-avoid-it/

https://organicdigital.co/blog/how-to-block-google-analytics-spam-from-ashburn-and-chicago/

https://erudite.agency/insights/exclude-bot-traffic-google-analytics/

https://kwsmdigital.com/why-do-i-have-so-much-website-traffic-from-ashburn-2/

CorinnesCustom
Tourist
3 0 9

Omg finally a real solution. No thanks to Shopify. Thank you Tony you are a genius. 

GlobalWaves
Visitor
2 0 1

Thank you Tony!

Global Waves - helping protect marine ecosystems one bag of coffee at a time
shroomability
Tourist
4 0 1

You are THE MAN TONY! 

Thank you!

sanagar
Tourist
5 0 4

I am experiencing the same issue on a daily basis where the account usually has the same first and last name. Unfortunately, I cannot easily delete them as a batch either because Shopify doesn't have the function to sort customers by where "first name equals last name."

sophie_markdavi
Shopify Partner
2 0 1

Did you ever find a solution to this? We have been struggling with the exact same problem and haven't been able to easily get rid of them since it appears that they are creating accounts through an action URL. But there have been a bunch of accounts showing up with names such as Micheal Micheal, Candice Candice, etc. I wonder if we are facing the same spammer.

Greg15
Excursionist
21 1 6
I never found a solution that you could use.  But for me, my solution was to close my stores and leave Shopify due to poor customer service.
adriprints
Excursionist
15 0 5
Nope. I just go in monthly and delete all the fake accounts. Just deleted a
bunch this week. I did make the pop-up form have captcha, but I know the
entries are not coming from there because then they'd be subscribed to my
newsletter. These are not subscribed. They are just fake emails and
real-sounding names. It's super strange.
sophie_markdavi
Shopify Partner
2 0 1

Yeah we have had some with real sounding names pop up as well. It makes it a lot more tedious since I have to click into each one and check that the email is fake.

baitcagekit
Tourist
5 1 6

In our case, we found the gateway to fake Shopify customer account generation was through our Customer Login portal. There is an option to "Create account" as indicated by the arrow:

baitcagekit_1-1691015354897.png

Since our customer accounts are only created when a customer places an order, we removed this link by simply deleting a line of code in the customers/login.liquid template:

baitcagekit_2-1691015456069.png

First, we created a duplicate copy of our Online store theme. Then we removed the line of code circled below and saved the file:

baitcagekit_6-1691016809513.png

Resulting in removal of the "Create account" link and no more fake customer accounts.

baitcagekit_4-1691015614127.png

 

 

 

Anna_O
Excursionist
18 0 5

Interesting. In our case, the problem was solved accidentally when we switched to a new theme. All bots stopped appearing at all in one day. I guess there was a loophole somewhere in our old theme that allowed bots to bypass our registration process.

Anyway, long story short, those weren't legitimate Google crawlers but just usual malicious bots. Glad we got rid of them, even by accident.

CE71
Tourist
7 0 2

This is what I did, and it didn't work you can hit inspect and even if you disable right click keyboard shortcuts can still open it, and they can change the code to create account option. I even went as far as deleting all coding for create account, and they still can add it back in under inspect. 

Anna_O
Excursionist
18 0 5

Oh, finally, after so many months of struggle, I found that gateway the bots were coming through. So, for login/create an account on our website we use an app, not the native theme login page. However, that native login page, although not available through our navigation, was still somewhere live and crawlable. All those bots were coming through that native login form they could find. As soon as we redirected that native login page to our custom login page, the bot accounts stop coming through.