Spam Customers and Fraudulent Purchases

Topic summary

A Shopify store owner is experiencing a flood of automated bot attacks creating fake customer accounts and attempting fraudulent purchases of low-priced items (around $1). The attacks occur approximately once per minute, generating hundreds of spam accounts.

Failed Solutions:

  • Enabling hCaptcha (already active by default)
  • Switching account types
  • Blockify app: Ineffective because accounts were created without site visits, and each bot used different IP addresses
  • Helium email validation: No impact

The store owner temporarily paused the site to stop checkouts while seeking solutions.

Working Solution:
Another user shared a similar experience with a $1 Shipping Protection product being exploited. They successfully resolved it using the BeSure Checkout Rules app ($5/month), which blocks checkouts based on custom conditions—in their case, preventing checkout of the protection product without a shippable item.

Current Status:
The original poster installed BeSure Checkout Rules and created two validation rules targeting common bot characteristics in customer data. The store is back online and monitoring whether this approach stops the fraudulent activity.

Summarized with AI on October 27. AI used: claude-sonnet-4-5-20250929.

Within the past week or so I have been flooded with fake/spam/bot customer accounts that immediately try and purchase the cheapest item in my store. I assume this is some sort of automated process with the goal of finding valid credit card numbers, as the occasional purchase goes through.

Nothing I have tried has been able to stop this. It’s about once a minute and in the end I’m deleting hundreds of accounts.

Things I’ve tried:

  • Enabling hCaptcha (it was on by default)

  • Switching between ‘legacy’ and ‘customer accounts’

  • Blockify: Accounts were being created without any visitors to the site, so there was nothing to block. VPN blocker & bot blocker did nothing. Best I could do was block IPs from fraudulent purchases, which was useless as each ‘customer’ had a different IP address.

  • Helium: Adding email validation to sign up did nothing

To me, this seems like some backend vulnerability is being exploited. I’ve settled on putting my site in pause/build mode to at least shut off the checkout feature for now. Obviously not a good long term solution, but I’m out of ideas. Has anyone had the same issue? Found a fix?


One of my clients was having a similar issue. Their store had a Shipping Protection product that cost about $1. Normally, you’re not supposed to be able to add this product to the cart without also including a shippable item. But if someone started the checkout quickly enough after adding it, they could technically bypass that restriction. Since the Shipping Protection product ‘doesn’t ship,’ the spammer didn’t have to enter a shipping address—which, along with the low price, probably made it a prime target.

The way I fixed this issue was by installing a Checkout rules app. This one:

BeSure Checkout Rules - $5/month

https://apps.shopify.com/checkout-rules

I tagged the Shipping Protection product with “shipping_protection” and made a checkout validation rule using “condition set 3” with these conditions:

This rule basically says that if the Shipping Protection product is in the cart and there isn’t a shippable product also in the cart, then block the checkout.
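The rule described in the post above, written out as an added example (not part of the original post, and not BeSure's or Shopify's own code). It evaluates the final cart at checkout time, so it holds no matter how the lines got into the cart. The cart shape and field names (`lines`, `tags`, `requiresShipping`, `quantity`) are assumptions made for this sketch; only the `shipping_protection` tag comes from the post.

```javascript
// Added example: the cart schema here is assumed, not a real Shopify/BeSure API.
const PROTECTION_TAG = "shipping_protection"; // tag named in the post

// A line only counts if it has a positive integer quantity.
function isActive(line) {
  return Number.isInteger(line.quantity) && line.quantity > 0;
}

// Tag match is case-insensitive (a choice made for this example).
function hasTag(line, tag) {
  return (line.tags || []).some(t => String(t).toLowerCase() === tag);
}

// Block when the protection product is present and no other line ships.
function validateCheckout(cart) {
  const lines = (cart.lines || []).filter(isActive);
  const hasProtection = lines.some(l => hasTag(l, PROTECTION_TAG));
  const hasShippable = lines.some(
    l => l.requiresShipping === true && !hasTag(l, PROTECTION_TAG)
  );
  if (hasProtection && !hasShippable) {
    return {
      allowed: false,
      reason: "Shipping Protection requires a shippable item in the cart.",
    };
  }
  return { allowed: true, reason: null };
}

// Constructed sample carts (not real store data).
const protection = { tags: ["shipping_protection"], requiresShipping: false, quantity: 1 };
const mug = { tags: ["drinkware"], requiresShipping: true, quantity: 1 };
const CARTS = {
  protectionOnly: { lines: [protection] },                    // blocked
  protectionWithItem: { lines: [protection, mug] },           // allowed
  zeroQtyItem: { lines: [protection, { ...mug, quantity: 0 }] }, // blocked
  untaggedDigital: {                                          // rule does not apply
    lines: [{ tags: ["download"], requiresShipping: false, quantity: 1 }],
  },
};

for (const [name, cart] of Object.entries(CARTS)) {
  console.log(name, validateCheckout(cart));
}
```

The `untaggedDigital` cart passes because this rule only keys on the tagged product, so a store whose cheap item is itself non-shipping needs a different condition.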

Ah, so there’s an issue, my product is also $1, and it is a digital download. I will take a look at the app though and see if there are any rules I could apply to my situation.

Installed the app, and created 2 rules. Looks like logic can be built around any aspect of customer data, so I picked two common pieces shared between most of the bots to block checkouts. Store is back online, we’ll see how this goes.
