What should I do with High/Medium Risk orders? Why are they even flagged?

Shopify Discussion
,

Topic summary

Approximately 5% of monthly orders get flagged as high or medium risk, but roughly 51% of these are false positives—legitimate customers who may be lost if merchants cancel too quickly.

Key verification methods suggested:

  • Compare IP location with shipping address
  • Check AVS (Address Verification System) for card issuance vs. shipping location mismatches
  • Verify email legitimacy (real domain vs. disposable)
  • Validate shipping address (residential vs. forwarding/PO box)
  • Cross-reference customer name with location via search
  • Monitor payment attempt frequency (multiple failed attempts signal fraud)

Recommended approach:
When uncertain, contact customers directly for verification—request utility bills, ID, or card’s last 4 digits. For Shopify Payments/Stripe users, implement a simple 2FA by asking customers to confirm the 4-digit code on their bank statement.

The core challenge:
Manual investigation is time-consuming, leading many merchants to cancel risky orders automatically and inadvertently reject legitimate customers. The post author developed FraudGuard to automate this process after experiencing losses from both fraud and false cancellations.

The discussion seeks community input on current practices: do merchants typically cancel, manually investigate, or approve flagged orders?

Summarized with AI on October 24. AI used: claude-sonnet-4-5-20250929.
1

This is one of the most common questions I see from merchants. I get it – I’ve been there too. Statistically, about 5% of your monthly orders will be flagged as risky. Some of them really are fraud attempts that could turn into chargebacks and lost money. But here’s the problem: around 51% of flagged orders are actually false positives – real customers you might be losing if you cancel too quickly.

So the question is: how do you know which ones are fraud, and which are safe?

Here are a few practical checks you can do:

  • IP vs. Shipping Address → Is the IP close to the shipping location, or from a completely different country?

  • AVS (Address Verification) → Where was the card issued vs. where is the order shipping? Mismatch doesn’t always mean fraud – sometimes people order gifts, or buy while traveling.

  • Email check → Is it a real domain or a suspicious-looking disposable email?

  • Address check → Real residential address, or a forwarding/PO box?

  • Quick Google check → Does the customer’s name match the city/address they gave?

  • Payment attempts → Fraudsters usually try multiple cards until one works. Too many attempts is a red flag.

:backhand_index_pointing_right: When in doubt, contact the customer. Ask for confirmation like a utility bill, ID, or even just the last 4 digits of their card (something only the real cardholder can provide).

A great option for Shopify Payments or Stripe users is creating a simple 2FA-style code: ask the customer to confirm the 4 digits shown on their bank statement. If they can provide that, you know it’s legit.

The challenge? All this takes time – and most business owners don’t have the bandwidth. That’s why many merchants just cancel risky orders outright… and lose real customers in the process.

Curious to hear – how are you all handling this today? Do you usually cancel, investigate manually, or let them go through?

For myself, after losing both money and good customers, I ended up building a tool called FraudGuard that helps me automate this process and reduce false positives. But I’d really like to hear what’s been working (or not working) for you.