A Shopify store owner is experiencing 20-50 fake abandoned carts daily, featuring garbled names, suspicious addresses, and sometimes declined credit cards. CAPTCHA has proven ineffective, and the problem is worsening year-over-year.
Suggested Solutions:
Require customer sign-in at checkout with passwordless authentication (one-time email/text codes)
Use Shopify Flow order risk filters (requires higher-tier plans)
Block suspicious IPs via Cloudflare
Analyze traffic sources and block problematic regions
Key Points:
One commenter successfully eliminated automated checkout fraud by implementing mandatory sign-in with passwordless authentication, which prevents bots from accessing checkout without valid email verification
The activity may be testing stolen credit cards or exploiting advertising/analytics systems
Some fake carts target the cheapest products and use emails like “Testop”
Current Status:
The issue remains unresolved for the original poster. They’ve tried switching to 3-page checkout without success and express frustration that Shopify doesn’t provide free native solutions. The store owner is seeking guidance on analyzing cart data to identify traffic sources but hasn’t implemented the sign-in requirement yet.
Summarized with AI on October 23.
AI used: claude-sonnet-4-5-20250929.
The past several months I have been getting anywhere between 20 and 50 fake account abandoned carts per day. Some have declined credit cards on the orders. But most are just adding products. I have the captcha thing turned on, and nothing helps or reduces this. In fact I am getting more this year than last year.
ZKXIZ SZZgySq
986 Russell Parkway apt 024
Warner Robins Georgia 31088
United States
2022670566
Lots of that garbled name crap. Nothing is stopping them. I am not going to pay some fee for an app. Shopify should have prevention methods available to their subscribers for FREE! People are clearly hacking Shopify stores. There must be some backdoor these hackers are looking for if there are multitudes of Shopify stores reporting this issue all over the internet.
RxAvA iQpzIYV
421 Mills Avenue suite 157
Lehigh Acres Florida 33974
United States
2022594815
Can you confirm if the bot’s signups or abandoned carts are from a specific domain? Because if you have enabled the Captcha, it is supposed to stop the bot signup. If it didn’t, you need to change the captcha or the Signup form.
Our domain had this issue before we switched to Shopify. In fact, there was a program running on a device in Peru that had figured out how to completely automate the entire checkout process and was causing issues with our credit card processor. They had at least 6 copies of the program running outside of business hours and it generated hundreds of fake orders every day.
Anyway, when we moved to Shopify earlier this year one of the first things I enabled was the setting for Checkout that required users to sign in.
I also turned on the modern sign-in option that does away with passwords entirely. Instead, customers get a one-time code emailed (or texted) to them.
These changes may go a long way for preventing this issue on your site. We notice most of these automated checkouts are using email addresses that are either not real or not being used in the automation. If an automation program can’t check an email inbox to get the code, it can’t get to the checkout screen. I should mention if this is not automated activity and there are actual people doing this, it may not stop them. The volume seems to suggest automation though.
I’m not sure if this prevents customers from being added to your store but it will stop them from trying to run a card on your site.
While making users sign in to checkout seems kind of like a bad idea in terms of supporting the lowest friction possible to check out, not having to create or remember a password to sign in has its benefits. It also makes sure that every order you get has a valid email or phone number associated with it.
I think the purpose of these automated garbage checkouts is usually just to test stolen credit card numbers to see if they work, although I’ve seen some that were just pointless. The one I mentioned above was one such automation. The addresses were all undeliverable US locations on the east coast. Even if our staff fell asleep entirely, there was no way the ordered product would ever show up. Furthermore, that automation was using a handful of identical credit card numbers for the checkout, so they weren’t testing stolen numbers. Needless to say, we haven’t had a single order like that since we moved.
This is becoming a common problem — I’ve seen a few stores mention the same pattern with fake carts and weird addresses. Since CAPTCHA isn’t helping, you could try setting up order risk filters in Shopify Flow (if you’re on Shopify plan or higher). You can also block known bad IPs via Cloudflare if you use a custom domain. It’s frustrating that this isn’t better handled natively, but there are some free workarounds worth testing.
I don’t think Shopify subscribers should have to pay for some 3rd party app or raise their store plan to fight off hackers. This should be something Shopify does and makes free to use by its subscribers. Clearly they don’t care.
I do not know how to find the domain of these fake accounts. Can you post how and I will look. I used to get hackers from Bellevue WA as their address, not just these.
Hey there @Mister_Max what’s the current update with this situation if you don’t mind me asking? Have you done analysis to see what locations the bot traffic is coming from and have you taken any measures to block orders from those areas yet?
Basically, you can add the blocker to a specific location. So, you need to check if they are from a specific location and block that location. But I would recommend that you block those countries where you don’t sell. There are various apps available which can block IPs.
If they aren’t bots, there’s no way for any service to ever effectively stop such things without stopping ALL human checkouts.
The meta problem here is no real control over abandoned checkouts themselves in the admin, nor the API besides deliveryStatus, not even an API to, like, set the date to 3 months ago to trigger a delete.
No hard delete/tag/filtering, for data that should be the merchants data, to do with what they need.
At best there’s deleting the customer data, GDPR /shrug.
For actual feature requests or complaints ALWAYS also contact a shopify support advisor DIRECTLY.
Location Location Location.
These are the peer-to-peer merchant forums: okay for shared experience but horrible at collective outcomes.
They detect using IP address + VPN (if used) + they detect the session ID or IP and block them. If you are using captcha or if you are using the new customer accounts, this is the only way.
I would like to inform you that all stores have some bot sessions, but in your case the signups are random ones from hackers.
The bot signups are mainly from Council Bluffs, Iowa, where the AWS and other web service visitors get tracked. Here are the reasons why bots appear from that location:
AWS Data Centers
Council Bluffs is home to one of the major AWS (Amazon Web Services) data centers. AWS provides cloud infrastructure, including hosting services that are often used by bots, scrapers, and other automated systems. So, the traffic you’re seeing from Council Bluffs might actually be coming from AWS servers, which host a significant amount of traffic, both legitimate and bot-driven.
Bot Networks on AWS: Many bots use cloud services like AWS to hide their true location or to make their attacks look more like legitimate traffic. Cloud providers give dynamic IPs and geographically distributed servers, which help the bots avoid detection.
AWS EC2 Instances: These are often used by attackers or scrapers to hide their actual IPs or launch large-scale attacks (like brute-force logins, scraping, etc.).
Geolocation Data
When Shopify (or any other tracking service) looks up the IP address, it might return Council Bluffs, IA because that’s the location where AWS hosts the server. While it may look like the bot is coming from Iowa, it’s more likely that the IP address is just associated with AWS infrastructure.
Many bots use IP address proxies or VPN services, and AWS provides a large pool of IPs that bots can cycle through. Some bots are actually botnets controlled by malicious actors that rent or use cloud-based servers to launch their attacks.
Increased Bot Activity and Data Centers
A high number of bot signups or traffic from this area could also be a coincidence — attackers may have just chosen to use Amazon’s cloud network for convenience or affordability. These data centers have a massive number of IP addresses, so they become a common source for bots.
Simple workflows can automatically delete customers with certain attributes if they have no order history.
Unless you’re circumventing laws that require marketing consent and opt-in, abandoned carts caused by bots affect absolutely nothing beyond skewed analytics.
For the checkout itself, you can either require login or block certain attributes like email domain, address, or zip. Just remember, if a bot fails a checkout, it’s not going to remove the item from the cart, and will inevitably cause an abandoned cart.
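An added example, not part of any post in this thread and not Shopify code: one way to triage an abandoned-checkout export for the attributes discussed above (garbled mixed-case names, templated unit lines like "apt 024", no order history) and then see which email domains the flagged rows cluster on. The CSV column names, the email addresses and the last two rows are constructed for illustration; the heuristics are assumptions drawn from the two samples quoted in the thread.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export; column names are assumptions, not Shopify's schema.
# Rows 1-2 reuse the names and unit lines quoted in the thread.
SAMPLE_CSV = """first_name,last_name,email,address2,orders_count
ZKXIZ,SZZgySq,zk1@example.net,apt 024,0
RxAvA,iQpzIYV,rx7@example.net,suite 157,0
Maria,DeLaCruz,maria@example.com,,0
Dean,McDonald,dean@example.org,Apt 4,2
"""
UNIT_TEMPLATE = re.compile(r"^(apt|suite) \d{3}$")  # lowercase word + 3 digits


def garbled(token):
    """Mixed-case token with capitals where real names rarely have them."""
    if not token.isalpha() or token.isupper() or token.islower():
        return False
    return token[0].islower() or sum(c.isupper() for c in token[1:]) >= 2


def signals(row):
    """Return the bot-like signals present in one checkout row."""
    name = garbled(row["first_name"]) or garbled(row["last_name"])
    unit = bool(UNIT_TEMPLATE.match(row["address2"]))
    return [s for s, hit in (("garbled_name", name), ("templated_unit", unit)) if hit]


def triage(csv_text, threshold=2):
    """Split zero-order rows into flagged (>= threshold signals) and review."""
    flagged, review = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["orders_count"]) > 0:
            continue  # rows with order history are never auto-flagged
        hits = signals(row)
        if len(hits) >= threshold:
            flagged.append(row)
        elif hits:
            review.append(row)  # one signal only: a human should look
    return flagged, review


def domain_counts(rows):
    """Count email domains among rows to see where they cluster."""
    return Counter(r["email"].rsplit("@", 1)[-1].lower() for r in rows)


if __name__ == "__main__":
    flagged, review = triage(SAMPLE_CSV)
    print(domain_counts(flagged).most_common(), [r["last_name"] for r in review])
```

Requiring two signals keeps a real customer with an unusual surname (the constructed "DeLaCruz" row) in the review pile instead of the flagged one.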