I had a high-risk transaction for digital goods go through this morning, where the currency used was Nepalese Rupees but the registered address of the card was a rural town in the US state of Georgia (I’m in NJ and I sell a book that is rarely purchased by customers outside of the northeastern U.S.). A few minutes before this one went through, an attempt to purchase a $25 digital gift card was made, but I cancelled it as soon as I saw it.
What recourse do I have as a seller against this? My margins are incredibly tight (about 12%), and as an extremely small business, I cannot afford to lose even a little bit to fraud.
You’re still at risk for a chargeback even if you immediately cancel and refund orders. This is because your checkout has automatically processed the payment through the gateway.
I assume you’re using the Digital Downloads app for handling digital orders? Or are you using another app to deliver your items digitally after purchase?
Just want to know that detail so I can advise on a way to hold the order’s fulfillment until you’ve captured payment.
I have just enabled Manual Capture. In 3 years of selling on digital platforms (here and on Wix before that) I have never had a single bad transaction, but now two in one day (from the same person). I am using the Fileflare Digital Downloads app for digital file fulfillment.
They might just be testing credit cards, not actually caring about the product itself. Credit card testing is when a bad actor either has a sample of stolen credit cards or wrote a bot that generates fake credit card numbers in an attempt to randomly find one.
Since it’s a low volume, it might just be manual stolen credit card testing, where they want to sample some stolen credit card numbers before attempting a larger purchase somewhere else.
If it’s an e-book purchase, then I suspect that’s most likely the case.
You could review that app’s documentation to find a way to disable the fulfillment until payment is captured, but I suspect that won’t help much.
You’ll most likely just need to manually capture good actors’ payments and ignore this bad actor’s purchases until they move on to the next store that doesn’t have manual capture enabled so they can test cards there.
Ah good, at least that simplifies the problem. If you were selling gift cards or something that was closer to liquid cash then it would be a bigger problem.
What you can do is download Shopify Flow which is a free app that builds workflows.
Then you can build a workflow that will manually capture payments on all low risk orders; that will automate the process of ignoring these bad actors with high risk orders.
Until this morning I did have the option of a gift card for my store. I’ve never sold one so I just deleted the product after this. It was nothing redeemable for cash, as far as I know. I think I had it set up to give a copy of my book (physical book or digital) to someone.
I have the Shopify Flow app already, and I did manage to get a few workflows set up last year; they’ve been working great so far. Any idea where I can find out how to test this new workflow?
Shopify Flow is a fantastic app, there’s a great team behind it too. One of the most underrated parts of Shopify in my opinion.
I’ve attached a basic Flow that will capture payment automatically on low risk orders.
You can download it, and import it into Shopify Flow using the Import button at the very top of the Shopify Flow app home page.
The best way to test is to create a draft order in Shopify, which will trigger your workflows just the same.
However, testing for high risk orders is a bit tricky; the only way I’ve found to manually create a test order with high fraud risk is by using the Shopify GraphQL API to manually update the order as high risk.
But if you only need to test low risk orders, which are most orders, then creating a draft order should work just fine.
I didn’t see anything to download, however I went ahead and created one myself that I hope works. It did work on a low-risk transaction early this morning, but obviously I had no way to try a high-risk transaction. This is what I created. Do you see any issues with it? I do get a number of “medium” risk hits every year from customers who use a VPN so the transaction’s IP address or location doesn’t match the billing address, and in those cases a phone call or an email to the customer invariably results in a good order going out.
Should I be using the Cancel Order action off the bat for high-risk, or something else?
I’ve also added instructions on how to import it and activate it.
But your flow is attempting to handle all 3 different types of risk levels; my sample one is only for addressing low risk. Your high risk flow branch has two steps that seem a bit out of order. The flow will cancel the order and then attempt to hold it, which will result in errors.
I suggest simplifying the workflow so that all non-low risk orders are simply held for fulfillment. The other suggestion I have is to add a small delay (1 or 2 minutes) before applying the hold.
There are some issues with trying to hold fulfillments immediately, since Shopify itself is changing order fulfillments under the hood so they might overwrite your hold if it’s too quick.
I do get a number of “medium” risk hits every year from customers who use a VPN so the transaction’s IP address or location doesn’t match the billing address, and in those cases a phone call or an email to the customer invariably results in a good order going out.
Very smart, that’s exactly how you can save these sales that might be incorrectly flagged.
We offer a Shopify Flow action to create ID checks to automate that KYC (know your customer) step. It probably is overkill for your use case, but for others that need to verify large ticket orders it’s a much better option.
So how about this modified version? If low then capture; if medium or high wait 2 minutes then hold fulfillment. I assume that just puts the order in limbo and gives me the opportunity to contact the purchaser. Is there any way to have seller protection against chargebacks if he tells me the order is legitimate, but then cancels, or it turns out to have been fraudulent after all?
Looks good! Thanks for the screenshot. Yes, the flow shows that all medium/high risk orders will be held.
Is there any way to have seller protection against chargebacks if he tells me the order is legitimate, but then cancels, or it turns out to have been fraudulent after all?
I’m not sure which payment gateway you’re using, but Shopify Payments offers Shopify Protect which is essentially chargeback insurance on qualified orders. However, Shopify Protect won’t cover all orders, only ones where Shopify determines they can cover the loss if a chargeback is filed.
Additionally, they won’t cover if the customer reports the package as “never received”; Shopify Protect will only cover “unauthorized charge” chargebacks. Additionally, they will only insure physical goods shipped within the U.S.
There are other chargeback insurance options, but from what I understand they’ll charge you a percentage of all revenue, which ends up being very expensive. They may not cover digital goods either.
It really depends on how risky your industry is. If your chargeback % is low, then insurance is most likely overkill and your bottom line is better off verifying customer email/phone numbers and intent to purchase.
I use Shopify Payments and PayPal only. My business is very small (under $50,000 in gross sales annually) and is something I do in semi-retirement. I publish a reference book in both physical and digital format that I update every year, and which has a somewhat limited audience. I make very little per copy at the end of the day, just enough for a few boxes of cigars and a bottle of Scotch or two. I do it for the enjoyment and the appreciation of the community more than the money, so any fraud really kicks me square in the sensitive bits, for sure. I agree with you that insurance in my situation would be overkill.
Yes, I looked up your site, very cool. It would be a much smaller book but if you end up making a Cleveland street car/subway map, count me as interested.
Got it, then if you have the extra time it’s worth it to just manually review these high risk orders. If you suspect they’re just mis-flagged, then a quick email or phone call to the customer will probably clear that up.
It might even be possible to automatically send the customer an email for medium risk orders on Shopify Flow, so at least you can save some time with the outreach part.
Then you can save that extra cash for an extra peaty bottle of scotch.
As an Ardbeg man, I appreciate the peat. Corryvreckan for the win.
Not sure about Cleveland, but I am considering Chicago. Alas that would entail actually going to Chicago. NJ is bad enough. Last time I rode the Cleveland system was about 30 years ago.
As for contacting customers, I am usually at my desk all day so I have no issue calling or emailing customers with queries. I do it when my shipping software says the address is incomplete or wrong, etc, or they request an inscription that needs clarification. I think they appreciate that the author is reaching out to them personally. It’s just the bad actors that I’m worried about.
Right, the good acting customers will respond whereas bad actors are usually juggling many disposable email accounts. If it becomes that tedious, it might be a good idea to require a phone number at checkout, so that way you can easily tell if a bad actor is checking out because they tend to use VOIP numbers.
Just another signal that’s helpful since gmail/hotmail email addresses are disposable yet common.
I’ll look into this–thanks! As of now, with the workflow that Dylan suggested earlier, I think the immediate issue has been solved. This is my slow time so I won’t know if it’s working properly for the next couple of weeks; then the order books open up and it’ll get a good workout.
Yes, these patterns definitely look suspicious. What is the Shopify risk level of those?
Some other typical fraud patterns are:
Shipping/billing address mismatches
Currency/location mismatches (like in your case)
IP location different from shipping address
Gift card attempts (fraudsters love to test with these)
With digital goods that are fulfilled automatically it is even a bit harder.
Many people doing frauds like that end up initiating chargebacks, which results in fees from Shopify + your lost revenue.
You can try out (like Dylan already suggested) to build these flows in Shopify Flow. That’s definitely possible.
We’ve built FraudFalcon exactly for cases like this - to auto-cancel fraudulent orders based on rules like currency mismatches or suspicious locations. Happy to help if you want to check it out!
I’m sorry to hear about this. To ease your work, you can set up rules with a free fraud prevention tool to automatically flag or reject risky transactions.
For example:
Flag orders placed outside the US for review. (for your case above)
Reject orders if the customer’s IP location doesn’t match the shipping address.
Reject orders if the credit card issuer country differs from the customer’s country.
In addition to these rules, adding email or SMS verification can help verify your customers’ identities and prevent fraud.
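The routing agreed on earlier in the thread (capture low risk; wait two minutes, then hold medium and high risk), extended with the mismatch signals listed in the replies above, as an added example that is not from any poster and does not call Shopify's API. The `Order` fields, the currency map and the sample orders are constructed assumptions, and it holds rather than rejects so that mis-flagged VPN customers can still be contacted.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, partial map: country a presentment currency normally implies.
CURRENCY_HOME = {"USD": "US", "CAD": "CA", "NPR": "NP"}
HOLD_DELAY_S = 120  # the 2-minute wait suggested in the thread before holding

@dataclass
class Order:  # hypothetical record, not a Shopify API object
    risk_level: str                  # "low" | "medium" | "high" from the platform
    currency: str
    billing_country: str
    ip_country: str
    shipping_country: Optional[str] = None   # None for digital-only orders
    has_gift_card: bool = False

def signals(o: Order) -> list:
    """Return the mismatch signals from the thread that this order trips."""
    found = []
    home = CURRENCY_HOME.get(o.currency)
    if home is not None and home != o.billing_country:
        found.append("currency_billing_mismatch")
    if o.shipping_country and o.shipping_country != o.billing_country:
        found.append("shipping_billing_mismatch")
    # Digital-only orders have no shipping address; compare IP to billing instead.
    if o.ip_country != (o.shipping_country or o.billing_country):
        found.append("ip_location_mismatch")
    if o.has_gift_card:
        found.append("gift_card_in_cart")
    return found

def route(o: Order) -> dict:
    """Capture only clean low-risk orders; hold everything else for manual contact."""
    found = signals(o)
    if o.risk_level == "low" and not found:
        return {"action": "capture_payment", "delay_s": 0,
                "release_download": True, "reasons": []}
    # Download stays locked until a human captures the payment.
    return {"action": "hold_fulfillment", "delay_s": HOLD_DELAY_S,
            "release_download": False,
            "reasons": found or ["risk_level=" + o.risk_level]}

# Constructed sample orders.
SUSPECT = Order("high", "NPR", "US", "NP")
VPN_BUYER = Order("medium", "USD", "US", "DE", shipping_country="US")
REGULAR = Order("low", "USD", "US", "US", shipping_country="US")
```
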
Hey, digital products with thin margins are prime targets for card testing and fraud, especially when there’s no physical address.
Here’s what I’d recommend:
Set Shopify Payments to Manual Capture
This gives you time to review suspicious orders before funds settle. If you void the payment while it’s still “Authorized,” you won’t even get hit with processing fees.
Watch for currency/address mismatches like this one
Nepalese rupees + a U.S. billing address (especially in a rural zip) is a huge red flag, and I’d immediately block any further orders from non-USD currencies or outside your core region if 99% of your customers are local.
Block digital delivery until you’ve approved the payment
Whether you use Shopify’s built-in Digital Downloads, SendOwl, or another app, make sure download access only triggers after the order is captured, not just created.
Longer-term fix:
We built a Shopify app called FraudGuard that solves this exact issue—especially for small merchants like you:
It auto-captures safe orders
Stops payment capture for suspicious ones (like yours this morning)
Sends the buyer a quick verification check
Helps you avoid both chargebacks and unnecessary processing fees
If you’re interested in trying it out, we’re opening early access to a small group right now: https://fraudguard.carrd.co/