Spam orders

Topic summary

A merchant reports a surge of fake checkout attempts likely used to test stolen credit cards. CAPTCHA and blocking non‑Danish IPs haven’t stopped the activity, and their payment provider is threatening account closure.

Proposed mitigations:

  • Add OTP (one‑time password) verification at checkout; the merchant is skeptical since attackers create disposable emails.
  • Switch to manual payment capture to avoid chargebacks/processing fees on fraudulent attempts; a guide link was provided.
  • Avoid relying solely on Shopify traffic‑blocking apps; they only redirect after page load and can be bypassed by basic scripts.
  • Implement Cloudflare Bot Protection in front of the store; Shopify Plus offers similar Bot Protection natively. If not on Plus or unable to implement Cloudflare, keep manual capture enabled.
  • Use Shopify Flow to passively flag or auto‑cancel suspicious orders, and ignore bot orders to limit impact to analytics rather than finances.

Rationale: Card testers buy stolen numbers or brute‑force combinations; blocking is a continual cat‑and‑mouse game.

Status: No confirmed resolution. Clear action items are to enable manual capture, consider Cloudflare/Shopify Plus Bot Protection, and automate fraud flagging/cancellation; links were shared for setup details.

Summarized with AI on December 22. AI used: gpt-5.

We have “fake” customers placing orders in order to apparently test credit cards or whatever - how do we stop this?

We have added CAPTCHA - and closed down for all non-Danish IPs. But still they make fake orders.

It’s a VERY SERIOUS problem as our payment provider is threatening to close us down due to this, so we need this to be fixed.

Best regards

Sandy from Yeschef

Integrate an OTP verification.

I’m not 100% sure how this will help, as they make new Hotmails all the time :monkey_face:

Usually criminals purchase stolen credit card numbers in bulk from dark net forums, or perhaps they’re just using a script to generate credit card numbers in the hopes they can “brute force” and find a valid credit card number.

First, if you haven’t already - switch to manual payments. It just takes a few clicks and it prevents you from becoming liable for a chargeback or credit card processing fees if the bad actor in fact uses a stolen or generated credit card. Here’s a guide on how to switch to manual payment capture in Shopify.

Second, you can attempt to block the bad actor by using a firewall. There are many traffic blocking apps on Shopify to choose from. However, none of these apps can block automated scripts, because Shopify doesn’t allow apps to block traffic until after your page has been loaded. These apps simply redirect the visitor to another page; a half-sophisticated programmer can defeat these apps.

The best option currently is Cloudflare’s Bot Protection feature. Shopify includes this same Bot Protection feature, but it is only available for Plus stores.

If you’re not on a Plus store, or are not sure how to implement Cloudflare in front of your Shopify site, then your best bet is to set up manual payments and ignore these bot orders. Yes, it is annoying and it’s affecting analytics, but they’re not doing financial harm if you don’t accept the payments.

Detecting and blocking bots is a cat and mouse game that is mostly a waste of your time; set up a passive system to flag or cancel these orders using Shopify Flow and move on. Your time is much more valuable than trying to actively prevent these attacks.

Hope this helps,
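
One way to build the passive flagging described in the reply above, as an added example (not code from the thread or from Shopify): a script over an exported list of checkout attempts that flags bursts sharing an IP or a shipping address while cycling through different cards. The field names, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; field names are assumptions, not Shopify's schema.
FIELDS = ("id", "created", "ip", "email", "address", "card_last4")
ROWS = [
    (1001, "2024-05-01T10:00:05", "203.0.113.7", "a1@hotmail.com", "Testvej 1", "1111"),
    (1002, "2024-05-01T10:01:10", "203.0.113.7", "b2@hotmail.com", "Testvej 1", "2222"),
    (1003, "2024-05-01T10:02:30", "198.51.100.4", "c3@hotmail.com", "Testvej 1", "3333"),
    (1004, "2024-05-01T10:04:00", "198.51.100.9", "d4@hotmail.com", "Testvej 1", "4444"),
    # Ordinary customer retrying the same card once: should not be flagged.
    (1005, "2024-05-01T10:20:00", "192.0.2.50", "kunde@example.dk", "Havnegade 12", "5555"),
    (1006, "2024-05-01T10:21:00", "192.0.2.50", "kunde@example.dk", "Havnegade 12", "5555"),
    # Same address as the burst, but hours later and alone.
    (1007, "2024-05-01T13:00:00", "198.51.100.4", "e5@hotmail.com", "Testvej 1", "6666"),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]


def flag_card_testing(orders, keys=("ip", "address"),
                      window=timedelta(minutes=10),
                      min_attempts=4, min_cards=3):
    """Return sorted ids of orders inside a burst: at least min_attempts
    attempts sharing one key value within `window`, using at least
    min_cards distinct cards. Emails are ignored because they are disposable."""
    flagged = set()
    for key in keys:
        groups = defaultdict(list)
        for order in orders:
            groups[order[key]].append((datetime.fromisoformat(order["created"]), order))
        for attempts in groups.values():
            attempts.sort(key=lambda pair: pair[0])
            start = 0
            for end in range(len(attempts)):
                # Slide the window start forward until it spans <= window.
                while attempts[end][0] - attempts[start][0] > window:
                    start += 1
                burst = [order for _, order in attempts[start:end + 1]]
                cards = {order["card_last4"] for order in burst}
                if len(burst) >= min_attempts and len(cards) >= min_cards:
                    flagged.update(order["id"] for order in burst)
    return sorted(flagged)


if __name__ == "__main__":
    print("Flag for review or cancellation:", flag_card_testing(ORDERS))
```

With manual capture enabled, orders flagged this way can be cancelled before any payment is captured.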