How can I stop fake customer accounts from being created on my website?

Solved

How can I stop fake customer accounts from being created on my website?

GreensideGaller
Shopify Partner
9 1 20

I have fake customer accounts being created and I need to find out how they are being created so I can stop them.

 

The accounts have a random string for first and last names and what looks like genuine email addresses for the email. They have a range of domains including Gmail, Hotmail, ,MSN etc as well as provide email domains for companies.

 

I do not have customer accounts enabled. I have removed email signup forms. As far as I can tell there is no way to create an account via the website (although I may be wrong).

 

I have removed a bunch of apps with edit customer permissions including the google sales channel which I understand is known for this type of issue. Nothing I do is stopping them.

 

There are no other logins to my shopify and if I manually create an account it shows in the customer's timeline that I was the one to do it. 

 

I have granted no API access or created any access tokens.

 

I am at a complete loss and shopify's response so far has been 'enable captcha' and 'try an app'

 

Hoping someone may be able to guide me on what to check and what logical steps I can take from here

Accepted Solution (1)
GreensideGaller
Shopify Partner
9 1 20

This is an accepted solution.

I simply went to my theme and went to customize it. Under the drop-down where you can select which page you are editing, I navigated to the customer registration page. Once here, I removed the sign-up form from the template.

View solution in original post

Replies 31 (31)

wildlyfair
Tourist
3 0 2

Following, as the same thing is happening to me

 

GreensideGaller
Shopify Partner
9 1 20

Screenshot 2023-09-24 9.54.06 AM.png

 

Do yours look the same as this?

What theme are you using? 

What apps do you have that have 'edit customer information' permission?

 

Trying to see if there are any commonalities between our set ups that might point to the issue.

 

wildlyfair
Tourist
3 0 2

Yes, that's exactly what mine looks like.  But I think I fixed it just by turning on captcha in the Shopify settings. I did this yesterday and haven't gotten any new fake accounts since then.

 

I followed the instructions here under Activate or deactivate reCAPTCHA on online store:

https://help.shopify.com/en/manual/online-store/setting-up/preferences

GreensideGaller
Shopify Partner
9 1 20

Thanks, looks like our issues are not the same then as I have already enabled CAPTCHA and still have the issue

Leggingsbyc
Tourist
3 0 1

recaptcha still is not helping

Leggingsbyc
Tourist
3 0 1

mine look like that

peopleshareshop
Visitor
1 0 2

I am also seeing the same thing and am having to manually delete the accounts. No idea how these got onto our site as we do not allow anyone to set up their own account and the webcart is password protected. 

GreensideGaller
Shopify Partner
9 1 20

I may have solved the issue on my side. It's too early to say for certain but I am hopeful. I will list the process I have taken so you can follow. I will happily help you resolve this

GreensideGaller
Shopify Partner
9 1 20

Update: I believe I have solved this but will confirm in a couple of days assuming no more accounts are created.

In case anyone else is having the same issue and would like to resolve it, this is the approach I took 

 

Customer accounts can be created in 3 main ways, 1) via the admin by you or the team, 2) via the website, or 3) via an app/api that has the 'edit customer' permissions. Within these 3 routes, there are multiple ways accounts are created but categorizing them into these buckets helps with diagnosis.

 

Firstly, it is important to confirm your and any staff accounts are safe and secure. I would suggest ensuring 2-factor authentication is enabled for all logins and resetting passwords. It is unlikely this is the reason the accounts are being created but it is the most dangerous if it is as someone has access to your account. Lock it down before proceeding. N.B. if the accounts are being created inside admin, the customer timeline will show which user created them so open up one of these customers and look at who created them. If there is a user associated with  the creation it will look like this:

Screenshot 2023-09-26 7.52.12 AM.png

 

 

 

Next is to determine if the customer is being created via the website, this is the most likely scenario.

There are multiple ways a customer account can be created via the website, email newsletter sign-up forms, chat widgets, starting an order, registering an account etc.

 

Most of these routes will leave a clue on the customer account, for example, it is likely that if the account is being created via a newsletter sign-up form then the account will have the tag 'newsletter', or if it is via a pop-up sign-up form it may have a tag of the app you are using for the pop-up. Look at the tags on these accounts for clues as to where the account is coming from.

 

Also, check your abandon carts to see if there are abandon carts matching the customers you are seeing in your customer list.

 

Next, we need to consider account registration. (This is where mine were coming from). Shopify has a feature allowing customers to create an account with your store enabling them to track past orders etc. I strongly believed my customers were not coming from this route as I had customer accounts disabled. However, the account registration page still potentially exists for your store even if you have accounts disabled. Open a browser and go to 'your-url/account/registration' and you will see a sign-up page for your customers. 

 

The first, and easiest thing to do, is to enable CAPTCHA in your online store settings. If you are using a Shopify theme this will likely fix the issue. If, however, you are using a non-Shopify theme or you have edited the code on this page, CAPTCHA may not display and therefore will not fix the issue.

 

I use a premium theme and it seems that the theme does not correctly enable CAPTCHA when the setting is set to show it. This is something I will be feeding back to the theme creators. However, as I don't use customer accounts at the moment, I simply went to my theme and went to customize. Under the drop-down where you can select which page you are editing, I navigated to the customer registration page.  Once here, I removed the sign-up form from the template.

 

Since doing this I have had no new fake accounts created (so far) leading me to believe this was the issue. I will give it a couple more days to be 100% sure and then I will work with the theme developer to fix the issue correctly by ensuring CAPTCHA works on the page.

 

My process was long but methodical. I think this is the important thing, try to determine which of the high level routes your accounts are coming from so you can then dive deeper. Before I took this approach I was randomly deleting apps and hoping for the best! 

 

I will post an update in a couple of days with confirmation that this has resolved the issue and I hope this post is useful to someone else experiencing the same or similar issue.

wildlyfair
Tourist
3 0 2

Good job sleuthing and great explanation!  Thanks for sharing, as I think this will surely help many other users. 

MAXIKASA
Visitor
1 0 0

Hi everyone,

Just to add something I realized today.
Have been experiencing the same issue from a time ago. Since we're doing several changes in the store (adding new products, changing suppliers, etc.),  we set the store with password, however the new fake accounts continue being created.
Have added the captcha and hope to stop this problem.

Good luck to all!

TZengin
Visitor
1 0 0

Hello,
We have been experiencing the same issue as well. Did this work?

GreensideGaller
Shopify Partner
9 1 20

This is an accepted solution.

I simply went to my theme and went to customize it. Under the drop-down where you can select which page you are editing, I navigated to the customer registration page. Once here, I removed the sign-up form from the template.

jay-ann
Tourist
10 0 2

I did this too - I am getting a few signups per week with fake emails?

michael-helium
Shopify Partner
367 5 180

Check to make sure you have CAPTCHA enabled. See Shopify CAPTCHA settings.

 

If you are using the Customer Fields app, see our spam protection guide with adjustable sensitivity for reCAPTCHA. You may be able to prevent these spam sign ups by increasing the sensitivity of reCAPTCHA.

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
divsew
New Member
8 0 0

Hi Micheal. Thank you for the solution.

I have been inactive for a while and I have over 4k registered fake customers. How does this influence my account and for example organic growth or marketing? And when I delete the fake accounts will everything be back to normal?

 
 
 
michael-helium
Shopify Partner
367 5 180

The fake customers might not affect you at all.

 

Your email list should only include those who have opted into marketing, but if these fake accounts have opted into marketing than you might pay more to your ESP for additional contacts. In that case, it would be best to delete the fake accounts as to not incur unnecessary charges.

Otherwise, fake accounts do very little harm to most DTC sites besides add unwanted clutter. More of an annoyance than anything.

The real harm comes to B2B or members-only sites who have restricted pages for customers only. In that case, I would recommend using an app like Customer Fields who have an account approval feature.

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
Javasusie
Visitor
2 0 0

This solution did not work for us.   The fake accounts are still being created.   

 

Do you know how to turn off the Shopify welcome email to new accounts so those emails are not repeatedly reported/marked as spam? 

divsew
New Member
8 0 0

Hi everyone. Thank you for the solutions.

I have been inactive for a while and I have over 4k registered fake customers. How does this influence my account and for example organic growth or marketing? And when I delete the fake accounts will everything be back to normal?

michael-helium
Shopify Partner
367 5 180

See Shopify CAPTCHA settings.

 

For those using Customer Fields, see our spam protection guide with adjustable sensitivity for reCAPTCHA.

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)

Lychee88
Explorer
51 1 21

I'm having the same issue. I deleted over 2k accounts last night and they keep creating them every minute in my shop. I also have no account log in options and already removed the "create account" option from my customer account page. Still doesn't work. 

michael-helium
Shopify Partner
367 5 180

Removing the "create account" option doesn't prevent people from signing up. Web developers and people with the right technical skills know how to hit Shopify's endpoints on the backend to create a customer.

 

One thing to keep an eye on his HOW the customers are getting created. If you go to the Customers page in your Shopify Admin and click into the Customer detail page for one of these spam accounts, scroll to the bottom and look at how these customers are getting created (see screenshot).

I think the best thing you can do is make sure that reCaptcha is enabled. For those using Helium Customer Fields, you can adjust the sensitivity of Google's recaptcha to be more strict if you're still getting spammed by these bots.

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
Lychee88
Explorer
51 1 21

Unfortnately my reCaptcha decided to stop loading the challenge on the challenge page and only had a box which would not let me bypass it which means that customers wouldn't be able to either so I had to disable it. Apparently this is a an issue that Shopify is aware of and nothing we can do on our end is stopping it. Even when I had reCaptcha enabled for years apparently they were creating thousands of fake accounts and only recently did I start to notice because they started using obvious www type links for their name. Only when looking through all of my customers did I notice large clusters with real names that had spammy emails that didn't match the customer so they've been at it a while, even with reCaptcha enabled. They're getting in the back end like you stated and there's apparently not much we can do until they fix it. In another thread someone was told by Shopify that "they're working on it", which can mean years in Shopify time. 

Lychee88
Explorer
51 1 21

I did look to see potentially where these accounts were coming from and they all seem to have the same account creation. Just says Customer was created so it could be coming from my newsletter which has recaptcha or my contact forms which even though I disabled catpcha today due to it not loading properly and not allowing any form submissions, it still prompts it when running tests. Regardless I had captcha for years on my site turned on and over 4k accounts were made in that time.

 

I only took notice when they stopped using real names and started just posting links, over 2k of them. 

fake.jpg

michael-helium
Shopify Partner
367 5 180

Thanks for sharing. Bummer there's not more to go on there.

I shared this in another thread, but there are 3 strategies that might help you, but unfortunately each method requires an app. Our app Customer Fields is one of the solutions. That being said, here are 3 suggested methods to try:

  • Increase CAPTCHA sensitivity: Shopify's reCaptcha settings are on/off. No sensitivity setting. Therefore an app would be required.
  • Implement Email Verification: Shopify doesn't have a setting for email verification, so that also requires an app.
  • Use IP Blocking: IP blocking could work if the spam accounts are being created from the same IP. Another app.

 

Here are some recommended apps:

  1. Our app Helium Customer Fields offers both reCaptcha sensitivity settings as well as an option for email verification prior to account creation. The Lite plan includes these features and costs $12/mo.
  2. An app like https://apps.shopify.com/blockify looks like it could be helpful. Customer reviews seem to indicate that the app is successfully preventing spam accounts. The app has a free plan so could be a good option, although I have not used it.
Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
Terry_H_Clarke
Tourist
6 0 1

I have the same issue of fake accounts. I know I have around 2000 genuine customers,however looking today, after receiving a number of emails from unknown people saying that 'they didnt create an account, what is going on', and now see I have 23882 accounts in my accounts list!
The detail of the account says 'customer was created'.
One name that occurred a lot was '123 123' so started deleting these, however at 50 at a time this would take weeks! So I gave up.

One question I have is why would people/bots do this? What is their purpose, apart from annoying the store owner and flooding the addresses they signed up with 'new account confirmation' email from my site.

Javasusie
Visitor
2 0 0

I just posted in this thread too.  We've tried all the tricks with ZERO results.

 

No idea what the end game is for the account creator, however store owners run a huge risk of having their emails reported as spam to ISP's which will cause deliverability issues and (in the case of gmail/Google) can reduce search visibility. 

 

So frustrating.  

michael-helium
Shopify Partner
367 5 180

@Javasusie I hear you. This sucks. Apparently, our Helium Customer Fields app is effectively solving this issue for some merchants. This review came in over the weekend.

 

Screenshot 2024-03-11 at 10.56.18 AM.png

 

Our support team is US-based and ready to help if you want to give the free trial a go.

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
michael-helium
Shopify Partner
367 5 180

@Terry_H_Clarke as to why, this is my only answer
worldburn-top.jpg

Michael, COO @ Helium
- Customer Fields ✪✪✪✪✪ (357 reviews)
- Meteor Mega Menu ✪✪✪✪✪ (281 reviews)
PDJohnsonHT
Visitor
3 0 0

We're getting signups just like this. Very annoying. I deleted a few thousand initially and have been manually deleting them every few days but it's a headache. Have you had any luck finding a way to block the account signups?

Terry_H_Clarke
Tourist
6 0 1
I didnt work out how to stop the new accounts being created, and too many to delete every day, so tolerating them accumulating.

This is not really a problem for me as I dont do mass emails to my clients, if I were,, then all these false addresses would be a problem.