We have had some fraudsters attempting different transactions on our site.
The first activity was that they bought a huge number of our lowest value gift cards, with different stolen email addresses set as the customer, and stolen PayPal account details used to pay.
They are always using 1 of 3 email addresses noted as the ‘recipient’ of the gift cards however.
They then have gone on to 1) place orders using multiples of the fraudulently bought gift cards and 2) place orders directly with stolen PayPal details.
These subsequent orders are placed with the same 1 of 3 email addresses, as the gift card recipient from prior activity.
What have we done:
1. Deactivated auto fulfilment of Gift Cards. Set up a flow to alert our teams to review and fulfil, or cancel. This can cause delay in genuine customers getting gift cards at short notice, during non-office hours.
2. Set up a flow to auto cancel and refund orders, if any of the 3 email addresses have been used.
What did we explore:
We explored blocking the 3 email addresses from checking out directly in checkout extensibility. We decided against this as we don’t want it to appear like the checkout has errors. We know this is an option though.
What else would we like to do:
Option 2 above doesn’t mitigate the stolen PayPal details being used in the first place to buy the gift cards. The only common identifier we have is the ‘gift card recipient’ but this looks to be protected data (according to Shopify support) as ‘they weren’t the individuals who actually visited the site’, and we cannot access this condition via flow. We’d like to stop gift card purchases to begin with, identifying on the recipient entered.
Is there a better option, or anything further we can put in place to be watertight?
Ideally we’d like to turn auto fulfilment back on for the store. During peak periods it cannot be feasible to expect each order to be reviewed manually and these may back up. Thanks!
You can query by those that were recently created. And you can access recipientAttributes on that gift card, which includes the email address. I haven’t tested this in your exact situation, but maybe worth investigating?
I’m not sure how you accessed that and it wasn’t clickable. But if you want to use it in a condition, then add a criteria. If you want to use the data in an action, click “Add a variable”.
You need to add that “Get gift card data” action, and put in the query to filter it for the gift card data you care about. After the action, you will have access to the data it returns in any condition or action.
With your above guidance, I have been able to retrieve the gift card recipient email and detect on a specific email address in order to determine whether to cancel the order.
What I have seen with the above logic though, is that it does require us to turn off automatic fulfilments totally on the store first, else we see the below error (as the gift card is automatically fulfilled):
Is there a way of still having automatic fulfilment of gift cards ‘on’ but implementing a wait until the recipient email address check has been run first? Thanks in advance.
You could potentially try to cancel fulfillment on that gift card before you cancel the order. But I’m not sure it makes sense to fulfill gift cards and then cancel them after the fact. If you bought a gift card in a retail store, it’s basically cash at that point and canceling it is very problematic.
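
The recipient check discussed in this thread, generalised as an added example that is not from any poster or from Shopify: besides matching known recipient addresses, it holds gift card orders when several different purchaser emails send cards to the same recipient within a time window, which is the pattern described in the first post. The record layout, the threshold of 3 purchasers, the 24-hour window and the function names are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data):
# (purchaser email, gift card recipient email, order time in ISO 8601)
ORDERS = [
    ("victim1@example.com", "collector@example.net", "2024-05-01T09:00:00"),
    ("victim2@example.com", "collector@example.net", "2024-05-01T09:05:00"),
    ("mum@example.com", "kid@example.org", "2024-05-01T09:10:00"),
    ("Victim3@example.com", " Collector@Example.net", "2024-05-01T09:12:00"),
    ("dad@example.com", "kid@example.org", "2024-05-01T12:00:00"),
    ("victim4@example.com", "known-bad@example.net", "2024-05-01T13:00:00"),
]


def normalize(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def review_queue(orders, blocklist=(), max_purchasers=3,
                 window=timedelta(hours=24)):
    """Return {order_index: reason} for gift card orders to hold.

    Orders not in the result can stay on automatic fulfilment.
    """
    blocked = {normalize(e) for e in blocklist}
    held = {}
    seen = defaultdict(list)  # recipient -> [(time, purchaser, index)]
    # Process in time order so the sliding window is meaningful.
    for idx, (purchaser, recipient, ts) in sorted(
            enumerate(orders), key=lambda row: row[1][2]):
        when = datetime.fromisoformat(ts)
        rcpt = normalize(recipient)
        if rcpt in blocked:
            held[idx] = "blocklisted recipient"
            continue
        # Keep only this recipient's orders that are still inside the window.
        recent = [e for e in seen[rcpt] if when - e[0] <= window]
        recent.append((when, normalize(purchaser), idx))
        seen[rcpt] = recent
        # Many unrelated purchasers funding one recipient is the fan-in signal.
        if len({p for _, p, _ in recent}) >= max_purchasers:
            for _, _, i in recent:
                held.setdefault(i, "recipient fan-in")
    return held


if __name__ == "__main__":
    for i, reason in sorted(review_queue(ORDERS, ["Known-Bad@example.net"]).items()):
        print(i, ORDERS[i][1].strip(), reason)
```

Two purchasers sending cards to one recipient (the `kid@example.org` rows) stay below the threshold, so ordinary gifting is not held.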