I’ve been getting a lot of customer spam where the email addresses follow a set pattern (first and last name followed by a number). It fills my store (and Klaviyo) with imaginary customers. I was trying to set up a flow triggered at customer creation that checks the customer email address for the pattern and adds a tag to the customer if the pattern matches.
But apparently, the Customer data passed into a “run code” action cannot access just the customer’s email. HUH?? It can tell me an email address is “valid” but that’s irrelevant. It does allow access to the order email address and last order email address, but that’s irrelevant because these email addresses will never purchase.
All this would be moot if the regular email address conditions supported Regex.
Any thoughts?
I’ve been thinking more about this as my store continues to get hammered by this problem. I don’t profess to be a web developer, but I’m no stranger to writing the occasional bit of code, both server- and client-side.
Someone school me, but couldn’t Shopify generate a unique code/hash based on the order information when a user clicks “Pay Now”? If that code/hash doesn’t match on the server side or is missing, the order is halted before a customer is even created.
Or simply check that the required fields are there before creating a customer account? On the order page it won’t let you proceed without the required fields. It should do this server-side too before creating a customer account because these spam customer accounts are somehow bypassing the checkout page.
It seems like a simple fix. Couldn’t that work?
Since Klaviyo can sync tags from Shopify, you can handle spam detection on the Shopify side and let Klaviyo respond to a spam tag.
Steps:
- Install Shopify Flow (Free app)
- Create a new Flow:
  - Trigger: Customer Created
  - Condition: Use a custom regex app or logic (Flow doesn’t natively support regex, but apps like “Shopify Flow Regex” or “Mechanic” do)
  - Action: Add a spam tag to the customer
- In Klaviyo:
  - Create a Segment or Flow filter that excludes contacts with the spam tag
This keeps your Klaviyo data clean and lets you suppress emails to those profiles.
Option 2: External Webhook for Email Pattern Checking
If you’re okay using middleware (like Zapier, Make, or a custom webhook script):
- Trigger a webhook on new customer creation (from Klaviyo or Shopify)
- Send the email to your webhook
- Run a regex check like:
^[a-z]+\d{2,}@.*$
- If it matches the spam pattern:
  - Call the Klaviyo API to apply a custom profile property or tag
This method gives you full control and can filter even the weirdest spam patterns.
Option 3: Klaviyo Segmentation Hack (Very Limited)
Since Klaviyo doesn’t allow regex in segments, your only workaround is string matching using “contains.”
You can try:
- Email contains 1
- Email contains 2
- Email contains 3
- First name exists
- Last name exists
- No orders placed
Then, use this segment for suppression.
Not very precise, but it can catch some patterns until a better system is in place.
Thanks for the ideas. I am doing something similar to the first suggestion, but without Regex. Also I could not find “Shopify Flow Regex” on the Shopify app store. Regex would be a much more elegant solution.
I wish Shopify would implement a fix, either supporting Regex natively in Flow, or do a basic server-side double-check for empty “required” addresses and stop those spam attempts.
I do not enjoy paying to let scammers test their fraudulent credit cards on my store.
Hey @LfGabel, I totally understand your frustration about paying for fraudulent credit card tests. Here’s what I think would be your best solution right now:
Since you mentioned you’re already doing something similar to the first suggestion given by @Growthunitdigital but without regex, I’d recommend going with Option 2 - the external webhook approach using a simple custom script. This gives you the most control and doesn’t rely on Shopify adding features they haven’t prioritized.
Here’s exactly what I’d do:
Set up a simple webhook handler (you can host this on something cheap like Vercel, Netlify Functions, or even a basic VPS for like $5/month). The script would:
- Receive the customer creation webhook from Shopify - Set this up in your Shopify admin under Settings > Notifications > Webhooks
- Check the email with your exact regex pattern - You mentioned they follow “first and last name followed by a number” so something like ^[a-zA-Z]+[a-zA-Z]+\d+@.*$ would catch those
- Use Shopify’s API to immediately tag the customer as spam if it matches
- Also call Klaviyo’s API to add a custom property or tag to suppress them there too
The beauty of this approach is that it happens instantly when the customer is created, before they can do any damage with fraudulent transactions. You catch them at the source.
If you’re not comfortable setting up the webhook yourself, Zapier or Make.com could work but they charge per operation which gets expensive. A simple custom script is honestly pretty straightforward - basically just receiving a POST request, running a regex check, and making a couple API calls back to Shopify and Klaviyo.
The other thing I’d do immediately is contact Shopify support directly about the fraudulent credit card testing issue. That’s a separate problem from the spam accounts and they should be helping you with chargeback protection or at least flagging these transactions before they hit your payment processor.
You’re absolutely right that this should be handled server-side by Shopify. The fact that accounts can be created even when registration is disabled is honestly a security vulnerability they need to fix. But until they do, the webhook approach gives you full control to stop these spammers immediately.
Let me know if you’d want the webhook code, I’d write and share it here.
Cheers!
Shubham | Untechnickle
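The webhook check described in Option 2 and in the reply above, as an added example that is not part of the original thread and is not code from any of the posters: it verifies Shopify's X-Shopify-Hmac-Sha256 signature on the raw body before trusting the payload, then runs the two patterns quoted in the thread against the customer email. The function names, the secret and the sample addresses are constructed for illustration, and the follow-up API calls to Shopify and Klaviyo are left out.

```javascript
const nodeCrypto = require('node:crypto');

// The two patterns quoted in the thread.
const PATTERNS = {
  option2: /^[a-z]+\d{2,}@.*$/,
  reply: /^[a-zA-Z]+[a-zA-Z]+\d+@.*$/,
};

// Shopify signs the raw request body with the app secret (HMAC-SHA256,
// base64-encoded) and sends the result in the X-Shopify-Hmac-Sha256 header.
function verifyShopifyHmac(rawBody, headerValue, secret) {
  if (typeof headerValue !== 'string' || headerValue === '') return false;
  const expected = nodeCrypto.createHmac('sha256', secret).update(rawBody, 'utf8').digest();
  const received = Buffer.from(headerValue, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && nodeCrypto.timingSafeEqual(received, expected);
}

// Decide what the receiver should do with one customers/create delivery.
function classifyWebhook(rawBody, headerValue, secret, pattern = PATTERNS.reply) {
  if (!verifyShopifyHmac(rawBody, headerValue, secret)) {
    return { status: 401, action: 'reject' }; // unsigned, forged or altered request
  }
  let customer;
  try {
    customer = JSON.parse(rawBody);
  } catch {
    return { status: 400, action: 'reject' }; // signed but not valid JSON
  }
  const email = typeof customer?.email === 'string' ? customer.email.trim() : '';
  if (email === '') return { status: 200, action: 'skip' }; // payload carries no email
  return pattern.test(email)
    ? { status: 200, action: 'tag', customerId: customer.id, tag: 'spam' }
    : { status: 200, action: 'none' };
}

// Constructed sample deliveries (not real data).
const SECRET = 'constructed-test-secret';
function sign(body) {
  return nodeCrypto.createHmac('sha256', SECRET).update(body, 'utf8').digest('base64');
}
const spamBody = JSON.stringify({ id: 1001, email: 'JohnSmith48213@example.com' });
const shortBody = JSON.stringify({ id: 1002, email: 'jane7@example.com' });

console.log(classifyWebhook(spamBody, sign(spamBody), SECRET));
console.log(classifyWebhook(spamBody, 'AAAA', SECRET));
console.log(classifyWebhook(shortBody, sign(shortBody), SECRET, PATTERNS.option2));
console.log(classifyWebhook(shortBody, sign(shortBody), SECRET, PATTERNS.reply));
```

On these constructed addresses the two patterns disagree: the lowercase-only Option 2 pattern skips the mixed-case address, while the second pattern also tags a short name with a single digit, which is why the result here is a tag for review.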
Thanks Shubham for that detailed response. Do you know if a webhook call would precede the actual customer creation within Shopify? Because if it doesn’t, that would rectify only part of the issue. Ideally I’d want the customer account created only if the required fields were filled out.
I’ll give webhooks a look. Again, thanks,
Hey @LFGabel,
Ah yeah, that’s the key question right there! Unfortunately, no - Shopify’s customer creation webhooks fire AFTER the customer account is already created, not before. So you can’t intercept and block the creation itself with webhooks. I know, it’s frustrating because that would be the perfect solution.
But here’s what I’d actually recommend instead:
Immediate cleanup approach - Since you can’t prevent the creation, make the cleanup so fast it’s basically the same thing:
- Webhook fires within milliseconds of customer creation
- Your script instantly checks the email pattern and if it matches your spam criteria
- Immediately deletes the customer via Shopify API - we’re talking like 2-3 seconds max
- Also hits Klaviyo API to remove them if they somehow got synced
The spam account technically exists for a few seconds, but it’s gone before they can do any real damage or mess up your customer data.
Even better approach - Combine this with Shopify Flow:
- Set up a Flow that triggers on “Customer created”
- Add a condition to check if email contains your spam pattern
- If yes → automatically delete customer AND cancel any pending orders
- Tag any that slip through for manual review
The Flow approach is actually pretty powerful because you can set multiple conditions (like email pattern + suspicious address combinations) and it all happens automatically without needing external hosting.
I know it’s not the “prevent creation entirely” solution you’re hoping for, but honestly this cleanup method works so fast that your spam problem basically disappears. Plus you’re not paying for hosting anything external.
The real issue is Shopify allowing account creation even when registration is disabled - that’s definitely something to keep pushing support about because it’s honestly a platform bug they need to fix.
Let me know if you want me to walk you through setting up that Flow automation? It’s pretty straightforward and would solve your immediate problem.
Cheers!
Shubham | hello@untechnickle.com
Hi @TheUntechnickle
Thanks for another informative reply. That’s essentially what I have done. Detect the spam email, tag it so those emails are identified in Klaviyo too, then delete. Since there is no support in Flow for Regex testing, I had to check the emails through a “Run Code” action. It works.
Since these spammers are using my store to check credit cards, the transactions are almost always declined. The unfortunate thing with a declined credit card is that the information passed through a “create customer” or “abandoned checkout” trigger is very limited. Since there is no official order, only email, first, and last name are passed, even though there is a billing address.