Shopify Anti-Fraud System. A Specialist's Technical Guide to Fraud Detection Analysis · [2026]
## 1. Anti-Fraud Architecture
Shopify analyzes every order across multiple signals and assigns a risk level: 🟢 Low → 🟡 Medium → 🔴 High. The system operates on 5 layers:
- **Layer 1 - Technical:** AVS, CVV, BIN check, IP analysis (geolocation, proxy/VPN/TOR, blacklist)
- **Layer 2 - ML (Machine Learning):** pattern comparison against historical fraudulent transactions across all Shopify stores
- **Layer 3 - Behavioral:** browser data scoring, click depth, navigation patterns, referral analysis
- **Layer 4 - Ecosystem:** Shop Pay verification, cross-store Shopify network data, Shopify Protect
- **Layer 5 - Manual:** verification department sees real-time activity: who's browsing, what they view, all user data

⚠️ Shopify Payments includes two fraud filters: **AVS** (address verification with bank) and **CVV** (card code check). Issuers prohibit CVV storage; requesting it confirms physical card possession.
## 2. Scoring System: What Triggers Risk Points
Every order goes through a scoring model that sums risk points. Final score → 🟢 Low / 🟡 Medium / 🔴 High.
### 🔴 Factors that INCREASE risk score
- Pattern matches known fraud (ML model) - strongest signal
- AVS mismatch - address doesn't match bank records
- CVV mismatch / unavailable
- ZIP mismatch - postal code doesn't match
- IP = VPN / Proxy / TOR / Blacklisted
- 2+ cards or 5+ payment attempts
- Billing and Shipping in different countries
- IP to Shipping distance > 50 miles (80 km)
- First order immediately high-value
- Disposable / random email address
- Express shipping from new buyer
- No phone or unresponsive number
- Hosting / Datacenter IP (not residential)
- > 3 orders from same IP per hour
### 🟢 Factors that DECREASE risk score
- AVS full match (Street + ZIP)
- CVV correct on first attempt
- Residential IP from home ISP
- IP near Shipping (< 50 miles)
- Billing country = IP country
- 1 payment attempt, 1 card
- Returning customer with clean history
- Shop Pay verified payment
- Natural browsing behavior (2+ sessions, organic mouse movements)
## 3. Indicator Color System
Each parameter in the order card is color-coded:

🟢 **Green** - no risk. Lowers fraud score. Attribute matches "legitimate" orders.
Examples: CVV correct, AVS match, residential IP.

🔴 **Red** - Extreme Risk. Significantly raises fraud score. Matches fraudulent patterns.
Examples: AVS mismatch, proxy IP, multiple attempts.

⚪ **Gray** - neutral. No score impact. Additional context for manual review.
Examples: IP city location, IP address number.
### 🟡 Case: Medium Risk Order
All technical checks green (✅): CVV correct, AVS match, ZIP match, 1 attempt, 1 card, shipping 8 miles from IP, country matches, no proxy.

Two gray indicators: IP from Lake Ozark, Missouri + "Some characteristics are similar to fraudulent orders observed in the past." The ML layer raised the score to Medium.

**Takeaway:** even with perfect technical data, ML can elevate the risk level.
### 🔴 Case: Order #1018 - High Risk
Red banner - "High risk of fraud detected." Order blocked.
- abihawthorn@outlook.com - free email provider
- 1 order - first order, no history
- $298 on first purchase
- Economy shipping 8-12 days

**Paradox:** all tech checks (AVS, CVV, IP, 1 card, 1 attempt) are green. IP is 10 miles from shipping. But the metadata combination (first order + Outlook + no phone + high amount) outweighed the positive signals.
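The additive scoring from section 2, replayed on the two cases above to show how a clean technical layer can still end at Medium or High. This is an added example, not Shopify's code: the weights, thresholds, signal names and coordinates are constructed assumptions, since the real values are not on this page.

```python
import math

# Constructed weights and thresholds for illustration; the real ones are not public.
RAISE = {"ml_pattern_match": 45, "avs_mismatch": 25, "cvv_mismatch": 25,
         "anonymizing_or_datacenter_ip": 25, "two_cards_or_5_attempts": 20,
         "billing_shipping_countries_differ": 20, "ip_far_from_shipping": 15,
         "first_order_high_value": 30, "free_or_disposable_email": 10,
         "express_for_new_buyer": 10, "no_phone": 20}
LOWER = {"avs_full_match": 8, "cvv_first_attempt": 8, "residential_ip": 4,
         "ip_near_shipping": 4, "one_attempt_one_card": 4,
         "returning_clean_customer": 20, "shop_pay_verified": 15}

def miles_between(a, b):
    """Haversine distance in miles between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def score_order(signals, ip_geo, ship_geo):
    """Sum risk points and return (level, points, raising_signals)."""
    active = set(signals)
    far = miles_between(ip_geo, ship_geo) > 50      # the page's 50-mile rule
    active.add("ip_far_from_shipping" if far else "ip_near_shipping")
    unknown = active - RAISE.keys() - LOWER.keys()
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    points = sum(RAISE.get(s, 0) - LOWER.get(s, 0) for s in active)
    level = "High" if points >= 30 else "Medium" if points >= 10 else "Low"
    return level, points, sorted(active & RAISE.keys())

# Constructed inputs modelled on the two cases above (coordinates are approximate).
TECH_GREEN = {"avs_full_match", "cvv_first_attempt", "residential_ip",
              "one_attempt_one_card"}
IP_GEO, SHIP_GEO = (38.20, -92.63), (38.30, -92.58)   # a few miles apart
MEDIUM_CASE = score_order(TECH_GREEN | {"ml_pattern_match"}, IP_GEO, SHIP_GEO)
ORDER_1018 = score_order(
    TECH_GREEN | {"first_order_high_value", "free_or_disposable_email", "no_phone"},
    IP_GEO, SHIP_GEO)
```

The third element of each result lists the raising signals, which is what a manual reviewer would read next to the level.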
## 5. How to Stay Invisible to Anti-Fraud
- **IP address** - residential ISP only, same state/city. VPN/Proxy/TOR/Datacenter = ❌
- **IP to Shipping distance** - < 50 miles ✅ | > 50 miles = 🟡 | Different countries = 🔴
- **AVS** - full Street + ZIP match required ✅
- **CVV** - correct on first attempt ✅
- **Payment attempts** - 1 attempt, 1 card ✅ | 2+ cards = ❌
- **Billing = Shipping** - same address or ≤ 50 miles ✅
- **Email** - real, established account 1+ years ✅ | Tempmail / random = ❌
- **Phone** - working US number linked to name ✅ | No number / VOIP = ❌
- **Behavior** - 2+ sessions over days, product browsing ✅ | 1 session + instant checkout = ❌
- **Velocity** - < 3 orders from IP per hour ✅
- **Amount** - average for store ✅ | High on first order = ❌
- **Shipping** - Standard / Economy ✅ | Express from new buyer = ❌
- **Device** - stable browser ✅ | Switching mid-session / VM = ❌

- **Maxmind GeoIP** - precise distance between IP and addresses
- **SOCKS detection** - datacenter vs residential proxy
- **Browser fingerprinting** - Canvas, WebGL, fonts, plugins
- **Referral analysis** - traffic source, browse depth, click count
- **411.com / TruePeopleSearch** - phone linked to billing address
- **Google Maps** - manual billing-to-shipping distance check
- **HaveIBeenPwned** - email in breaches (paradoxically confirms "realness")
## 6. Behavioral Analysis: Hidden Layer
- **Traffic source** - organic, ads, direct URL. Direct from new visitor = ❌
- **Browse depth** - 1 page → purchase = 🚩
- **Click count** - minimal interaction before checkout raises score
- **Time on site** - < 30 sec to purchase = 🚩
- **Mouse movements** - mechanical vs. natural with pauses
- **Session count** - ideally 2+ over several days
- **Conversion details** - Shopify shows: "1st session was direct, 1 session over 1 day" → 🟡 marker
- Normal buyer pattern: multiple sessions over 2-3 days → browse → cart → return → purchase. Google/Instagram referral. Natural mouse movements.
## 7. IP Analysis: Details
- **Geolocation** - city/state/country vs billing and shipping (Maxmind, ipinfo.io)
- **Connection type** - Residential / Mobile / Datacenter / Hosting (ipqualityscore.com)
- **Proxy/VPN/TOR** - Shopify built-in detection
- **Blacklist** - known fraudulent IPs (abuseipdb.com)
- **Ports** - open ports = server IP
- **ISP / ASN** - home ISP vs hosting (ipinfo.io, bgpview.io)

IP always visible: "This order was placed from IP address X.X.X.X." Merchants check via whatismyip.com, ip2location.com, infosniper.net.
## 8. Phone, Email, Identity
- Merchant may call with basic order questions
- Number checked via 411.com, TruePeopleSearch.com
- Verified against name and billing address
- ⚠️ VOIP (Google Voice, Skype) = risk factor
- Account age checked via Google
- haveibeenpwned.com - breach presence paradoxically confirms realness
- 🚩 Random characters (xk47jf92@gmail.com) = red flag
- Disposable services (tempmail) = blocked

**Cross-verification:** all data must be coherent: card name = shipping name, phone linked to same person, email not anonymous, IP from same city.
US chargeback fee: $15 (refunded on win).
- **Duplicate / technical** - ~90% win ✅ - proof of refund/error
- **Credit not processed** - ~80% win ✅ - return policy, docs
- **Product not received** - ~70% win ✅ - tracking, POD
- **Not as described** - ~60% win 🟡 - description, shipping photos
- **Quality dispute** - ~50% win 🟡 - correspondence, policies
- **Friendly fraud** - ~40% win 🔴 - delivery signature, IP data
- **Pure fraud** - ~20% win 🔴 - very difficult without AVS/receipt

Process: buyer → bank → credit company → evidence request → 65-75 day review → decision. Files PDF/A, no audio/video.
## 10. Billing Descriptor Strategy (2FA)
**Setup:** Settings → Payments → Shopify Payments → Manage → Customer Statement Descriptor → enter: `SP * StoreName 8426`. Change code every 2-3 months.

**How it works:** on 🟡/🔴 risk, order goes on hold. Ask buyer for 4-digit code from banking app. ✅ Real cardholder sees it, ❌ fraudster without account access cannot.

**Applied to:** Medium/High risk, multiple attempts, billing ≠ shipping, high-value orders, mismatched names.
## 11. Shopify Protect
Chargeback protection for Shop Pay orders. Shopify covers full amount + shipping.

**Requirements:** Shop Pay payment, fulfilled within 7 days, carrier handoff within 10 days, reason = fraud or "unrecognized."
- 🟡 **Shopify Protect** = potentially protected (pending)
- 🟢 **Protected by Shopify Protect** = fully covered
- 🔴 **Not protected** = conditions violated

⚠️ Risk may change within 24-72 hours. Wait for final ✅ "Protected" before shipping.

- Tag orders with billing/shipping mismatch
- Tag orders with multiple failed payment attempts
- Push notification on High Risk
- Daily (10:00 AM) chargeback data + customer tagging
- Repeat offender pattern detection

Principle: the sooner on hold, the more time to verify before shipping.
## 13. Dashboard: Real Store Analysis
30-day data (Mar-Apr 2025): 1,548 sessions (+54%), $3,480 revenue (+515%), 17 orders (+467%), 0.78% conversion.

🚩 **What anti-fraud sees:**
- 467% order growth vs 54% session growth = disproportionate spike
- Low 0.78% conversion with order spikes = mass testing marker
- Sharp mid-March peaks → decline = carding attack pattern
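A merchant-side check for the velocity signals from section 2 (more than 3 orders from one IP per hour, 2+ cards or 5+ payment attempts), which is how a card-testing burst like the one above shows up in payment logs. This is an added example, not Shopify's code; the log format, the choice to count cards and attempts per IP inside a one-hour window, and all sample values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed payment-attempt log: timestamp, client IP, card fingerprint, result.
SAMPLE_LOG = """\
2025-03-14T09:00:00 192.0.2.44 card_m paid
2025-03-14T10:00:05 203.0.113.7 card_a declined
2025-03-14T10:00:40 203.0.113.7 card_a declined
2025-03-14T10:01:10 203.0.113.7 card_b declined
2025-03-14T10:02:00 203.0.113.7 card_b declined
2025-03-14T10:03:30 203.0.113.7 card_c paid
2025-03-14T11:00:00 198.51.100.20 card_x paid
2025-03-14T11:10:00 198.51.100.20 card_x paid
2025-03-14T11:25:00 198.51.100.20 card_x paid
2025-03-14T11:50:00 198.51.100.20 card_x paid
2025-03-14T12:30:00 192.0.2.44 card_m paid
"""

def detect_card_testing(log_text, window=timedelta(hours=1)):
    """Return {ip: [reasons]} for IPs that trip a velocity rule inside the window.

    Assumes the log is in chronological order.
    """
    recent = defaultdict(deque)      # ip -> attempts still inside the sliding window
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, card, result = line.split()
        now = datetime.fromisoformat(stamp)
        attempts = recent[ip]
        attempts.append((now, card, result))
        while now - attempts[0][0] > window:       # expire attempts older than the window
            attempts.popleft()
        if sum(r == "paid" for _, _, r in attempts) > 3:
            alerts[ip].add("more than 3 orders per hour")
        if len({c for _, c, _ in attempts}) >= 2:
            alerts[ip].add("2+ cards")
        if len(attempts) >= 5:
            alerts[ip].add("5+ payment attempts")
    return {ip: sorted(reasons) for ip, reasons in alerts.items()}

ALERTS = detect_card_testing(SAMPLE_LOG)   # computed over the constructed log above
```

Flagged IPs are candidates for the on-hold and tagging steps described in the previous section.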
## 14. External Anti-Fraud Services
Merchants can install additional apps:
- **NoFraud** - additional ML layer on top of Shopify
- **SEON** - digital footprint, email social lookup
- **Fraud Filter** - BIN, IP, geolocation rules, blacklists
- **Signifyd** - guarantee + chargeback insurance
- **Kount** - AI scoring + device fingerprinting

External filters cannot be detected from outside.
## Shopify Account Farming
Shopify's anti-fraud system analyzes not just the order, but the **buyer's account history** across the ecosystem. A "new" account with no organic activity is itself a scoring signal.

Shopify's ML model considers data across **all stores in the network**. An account that has existed for a long time, has purchase history, confirmed email and phone - its trust score is significantly higher. Fresh account with zero history + large order = 🔴.
- Account aged 6+ months (ideally 1+ year)
- Name in profile matches billing data
- Active mailbox - newsletter subscriptions, Google footprint (not an empty inbox)
- Email should appear in HaveIBeenPwned databases - paradoxically confirms account "life"
- ❌ Avoid: tempmail, protonmail (anonymity association), random characters
- Real US number (not VOIP), linked to name through carrier
- Number must pass checks via 411.com / TruePeopleSearch
- Linked to same state/city as billing address
- ❌ Avoid: Google Voice, TextNow, Skype numbers
- Billing address = real, matches card data at the bank
- Exact ZIP code (AVS full match)
- Cardholder name = account name = shipping name
- Residential IP from same state as billing + shipping
- Distance IP to billing to shipping < 50 miles
- One IP address = one account. Don't mix
### Account Farming Stages
1️⃣ **Foundation (Day 1)**
- Register email (or use an aged one)
- Fill out profile (name, address, photo)
- Subscribe to newsletters from several Shopify stores

2️⃣ **Warm-Up (Days 2-7)**
- Create accounts at 3-5 Shopify stores
- Browse products, add to wishlists
- Natural behavior - multiple sessions, different times of day
- Install Shop App (if available) - boosts ecosystem trust

3️⃣ **First Test Order (Days 8-14)**
- Small amount ($15-30) at a different store
- Let the order complete full cycle (payment → delivery → receipt)
- Leave a review - creates a positive trail

4️⃣ **Building History (Days 14-30)**
- 2-3 additional small orders at different stores
- Gradually increase amounts
- All orders to one address, from one IP
- Every order = clean cycle with no chargebacks

5️⃣ **Target Purchase (Day 30+)**
- Account has history, trust score is built up
- Order amount within normal range for a buyer with history

- ❌ Empty account + immediate large order = 🔴 instant flag
- ❌ One email for multiple orders at different stores simultaneously
- ❌ Different names in email / billing / shipping
- ❌ Changing IP between farming sessions
- ❌ All orders in one day - doesn't look organic
## Session Farming for Successful Purchase
Shopify tracks **in-store behavior** before purchase. Conversion details in the order card show: session count, days, traffic source. Direct visit → instant purchase = suspicious.
### What Anti-Fraud Sees in Sessions
- **Traffic source** - Google, Instagram, direct, referral link
- **Session count** - ideally 2-5 over 2-3 days
- **Session duration** - 3-10 minutes = normal
- **Pages viewed** - 5-15 pages per visit
- **Interaction depth** - clicks, scroll, hover, photo zoom
- **Cart** - adding/removing items across different visits
- **Device consistency** - same browser/device throughout

⚠️ In Conversion summary anti-fraud sees: "This is their 1st order", "1st session was direct to your store", "1 session over 1 day" - all 🟡 Medium risk markers (visible in Fig. 1).
### Ideal Session Farming Scenario
**Day 1 - First Visit (Session 1)**
- Enter via Google (search for product keyword or brand)
- 3-5 minutes on site
- Browse homepage → catalog → 2-3 products
- Scroll descriptions, zoom photos, read reviews
- Leave without buying - normal new buyer behavior
- **Don't touch the cart** on first visit

**Day 1-2 - Return (Session 2)**
- Enter via bookmark or direct URL (return visit)
- Browse other products + return to favorites
- Add 1-2 items to cart
- Leave without buying - "thinking about it"

**Day 2-3 - Preparation (Session 3)**
- Enter via Google / direct
- View pages: Shipping Policy, Return Policy, About Us, FAQ
- Check cart - remove one item, keep target
- Check sizing chart, colors, variants
- Can leave or proceed to purchase

**Day 3-4 - Purchase (Session 4)**
- Direct entry or from bookmarks
- Open cart → Checkout
- Fill forms without copy-paste (or slow paste with pauses)
- Select Standard / Economy shipping
- Payment - one attempt, one card

- **Page transitions:** 15-45 seconds (no instant switching)
- **Time on product page:** 1-3 minutes (scroll, zoom, read)
- **Checkout time:** 2-4 minutes (fill forms, choose shipping)
- **Mouse movements:** non-linear, with pauses, "human" pattern
- **Typing:** varying speed, pauses between fields

- ❌ **Direct → checkout in < 2 minutes** - machine behavior
- ❌ **Copy-paste all fields** instantly - autofill without pauses
- ❌ **1 session over 1 day** - no "thinking" before first purchase
- ❌ **Straight-line mouse movements** - robot-like pattern
- ❌ **Jump directly to product page** without browsing catalog
- ❌ **No scrolling / interaction** with page content
- ❌ **Instant page switches** (< 2 sec between clicks)
- ❌ **Different device** across sessions (fingerprint mismatch)
### Final Pre-Purchase Checklist
- 2+ sessions over 2+ days ✔️
- First entry from Google (not direct) ✔️
- Cart used in a previous session ✔️
- Residential IP = billing = shipping city ✔️
- Aged email, real phone ✔️
- Standard shipping ✔️
- 1 payment attempt, 1 card ✔️
- AVS / CVV full match ✔️
- Device fingerprint stable ✔️

1. **Multi-layered** - tech checks + ML + behavioral + manual. No single layer is sufficient.
2. **Contextual** - same signals interpreted differently based on combination.
3. **Temporal** - risk can change over 24-72 hours as new data arrives.
4. **Automation limits** - ML captures patterns, not causes → false positives.
5. **Ecosystem** - effectiveness depends on payment method and merchant plan.
6. **Hidden layer** - behavioral analysis + fingerprinting can't be controlled technically alone.
7. **Coherence** - all data must be logically connected and non-contradictory.