For the first hundred orders a month, fraud is something you read about. Past a few hundred, the picture changes. Orders arrive in tight bursts minutes after you switch on an ad. Some of the ones you ship come back as chargebacks weeks later. The ones you hold sit there with inventory committed, while real customers see "sold out" and leave.
That pattern is an industrial operation, and it treats your store as equipment. The operator does not want your products. They want what your store does when a card is submitted: confirm the card is live, lock inventory, and — if fulfillment proceeds — ship goods to an address they control. Cancelling afterwards undoes none of it.

The three bills
Inventory — seconds. Units are committed in Shopify the moment the order lands. Held or shipped, they are unavailable either way. The visitor who arrived from the ad you paid for sees a sold-out screen and leaves. You never learn who they were.
Operations — hours. Manual review collapses past a few hundred suspicious orders. False positives climb, real customers get cancelled, and hours that belonged to the rest of the business go into deciding which orders to trust.
Chargeback — weeks. Two to eight weeks after fulfillment the notice arrives: lost product, lost shipping, the fee, and a hit to your ratio. Shopify itself warns that fulfilling high-risk orders can lead to chargebacks and disabled payment processing. Past Visa's monitoring thresholds, your processor reacts — higher reserves, deeper review, eventually restriction.
$4.61 — what every $1 of fraud face value actually costs a US merchant, up 32% since 2022. Source: LexisNexis True Cost of Fraud Study, 2025
Why the usual playbook fails
Each defense a merchant reaches for first has an industrialized counter.
Manual review is where most merchants land after these layers fail, and at volume the fraudulent and the real look the same. The third card at the same checkout authorizes. The name geocodes. The email looks normal. You start cancelling on instinct, and your false-positive rate against real buyers climbs.
53% of all web traffic in 2025 was automated — bots overtook humans online, and AI-driven bot attacks grew 12.5x in a single year. Source: Thales 2026 Bad Bot Report
What to fix today — free, in under two hours
Native settings (~30 minutes).
- Settings → Payments → Shopify Payments: enable Decline charges that fail CVV verification and Decline charges that fail AVS postal code verification. This clears the low-effort floor.
- Settings → Payments → Manage: restrict accepted billing countries to where you actually sell. Billing, not shipping — a US shipping address on a Mumbai-billed card is the standard cross-border pattern.
- On Shopify Plus: ask Plus Support to activate bot protection before drops. It targets auto-checkout bots, not card testing.
Shopify Flow (~1 hour). Build on the Order risk analyzed trigger, not Order created — fraud analysis populates after order creation, and Shopify's own guidance says workflows on the wrong trigger fire before the data is ready.
- Billing country ≠ shipping country → hold and tag for review.
- Risk = high → auto-cancel and refund. Never ship a flagged order; it is the single most expensive decision in your dashboard.
- More than 3 orders in 24h from one customer → hold. Tune the cap to your business.
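The three Flow rules above, written out as triage logic over constructed order records. This is an added example, not Shopify Flow configuration or code from the original page; the field names, the sample orders, and the choice to check the cancel rule before the hold rules are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

VELOCITY_CAP = 3                 # "more than 3 orders in 24h"; tune to your business
WINDOW = timedelta(hours=24)

def triage(orders, cap=VELOCITY_CAP):
    """Map order id -> (action, reason), checking the costliest rule first."""
    recent = defaultdict(deque)  # customer -> order times inside the rolling window
    decisions = {}
    for o in sorted(orders, key=lambda o: o["created"]):
        seen = recent[o["customer"]]
        while seen and o["created"] - seen[0] > WINDOW:
            seen.popleft()       # drop orders older than 24h
        seen.append(o["created"])
        if o["risk"] == "high":
            decisions[o["id"]] = ("cancel_refund", "risk=high")
        elif o["billing"] != o["shipping"]:
            decisions[o["id"]] = ("hold", "billing/shipping country mismatch")
        elif len(seen) > cap:
            decisions[o["id"]] = ("hold", f"{len(seen)} orders in 24h")
        else:
            decisions[o["id"]] = ("release", "no rule matched")
    return decisions

def order(oid, customer, day, hour, billing, shipping, risk):
    """Build one constructed order record (hypothetical field names)."""
    return {"id": oid, "customer": customer, "created": datetime(2025, 1, day, hour),
            "billing": billing, "shipping": shipping, "risk": risk}

# Constructed sample data, not real orders.
SAMPLE = [
    order(1001, "a@example.com", 6, 1, "US", "US", "low"),
    order(1002, "a@example.com", 6, 2, "US", "US", "low"),
    order(1003, "a@example.com", 6, 3, "US", "US", "low"),
    order(1004, "a@example.com", 6, 4, "US", "US", "low"),     # 4th inside 24h
    order(1005, "b@example.com", 6, 5, "IN", "US", "medium"),  # country mismatch
    order(1006, "c@example.com", 6, 6, "IN", "US", "high"),    # high risk wins
    order(1007, "d@example.com", 6, 7, "US", "US", "low"),
    order(1008, "a@example.com", 7, 3, "US", "US", "low"),     # window has rolled on
]

if __name__ == "__main__":
    for oid, (action, reason) in triage(SAMPLE).items():
        print(oid, action, reason)
```

Order 1008 is released because the two oldest orders from that customer have aged out of the 24-hour window by the time it arrives.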
Discipline, ongoing. Every instinct-cancel either becomes a written rule or it was a guess. Audit the chargeback ratio weekly — two consecutive weeks of upward movement is the first warning, not Shopify's letter.
What these rules cannot reach
Every rule above defends a signal the attacker can see: country, velocity, CVV, risk score. A serious operator tunes around the visible rule set within a campaign or two, because their behavior changes and yours does not.
The signals they cannot cheaply fake live elsewhere. Typing cadence and field-focus order. Mouse and scroll entropy. The TLS fingerprint under the request, which residential proxies do not change. The browser's real fingerprint. And above all, the correlation between weak signals moving together — no single one separates a careful operator from a customer, but several in combination do. That layer has to decide before cart and order creation. Once the order exists, the inventory is committed and the clock is running.
Are you affected? A five-minute check
Open your Shopify admin, filter to the last 30 days:
- Orders in tight bursts, often overnight in your time zone
- Two or three cards attempted at one checkout until one authorizes
- Billing / shipping country mismatches
- Spikes aligned with ad launches or product drops
- Fraud analysis flagging more than 5% of orders
- Support tickets about in-stock items showing sold out
- Chargeback ratio rising week over week
Two or more matches: your store is currently the front end of a card-and-inventory pipeline.
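The same check run over a 30-day order export instead of by eye, as an added example that is not part of the original page. The record fields, the burst threshold (5 orders in 10 minutes) and the sample data are assumptions; the ad-launch and support-ticket signs are left out because they need data that is not in an order export.

```python
from datetime import datetime, timedelta

BURST_SIZE, BURST_WINDOW = 5, timedelta(minutes=10)  # assumed meaning of "tight burst"

def has_burst(times, size=BURST_SIZE, window=BURST_WINDOW):
    """True if any `size` consecutive orders fall inside one `window`."""
    times = sorted(times)
    return any(times[i + size - 1] - times[i] <= window
               for i in range(len(times) - size + 1))

def checklist(orders, weekly_chargeback_ratio):
    """Return (per-sign hits, affected); affected means two or more signs matched."""
    n = len(orders) or 1
    r = weekly_chargeback_ratio          # oldest week first
    hits = {
        "tight_bursts": has_burst([o["created"] for o in orders]),
        "multi_card_checkout": any(o["card_attempts"] >= 2 for o in orders),
        "country_mismatch": any(o["billing"] != o["shipping"] for o in orders),
        "flagged_over_5pct": sum(o["flagged"] for o in orders) / n > 0.05,
        "chargebacks_rising": len(r) >= 2 and r[-1] > r[-2],
    }
    return hits, sum(hits.values()) >= 2

def rec(day, hour, minute, billing, flagged, attempts):
    """Build one constructed export row (hypothetical field names)."""
    return {"created": datetime(2025, 1, day, hour, minute), "billing": billing,
            "shipping": "US", "flagged": flagged, "card_attempts": attempts}

# Constructed data: one ordinary order a day, plus a six-order overnight burst.
NORMAL = [rec(d, 12, 0, "US", False, 1) for d in range(1, 21)]
BURST = [rec(15, 3, m, "IN", True, 3) for m in range(6)]

if __name__ == "__main__":
    hits, affected = checklist(NORMAL + BURST, [0.4, 0.5, 0.7])
    for sign, matched in hits.items():
        print(f"{sign:22} {'MATCH' if matched else '-'}")
    print("affected:", affected)
```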
Frequently asked questions
Why am I getting bot orders on Shopify?
Shopify is uniform and scaled, and most stores run near-default configuration, so one piece of automation works against thousands of targets at once. Your store matched a profile.
Can Shopify Flow stop bot orders?
It stops the obvious cases — country mismatch, velocity, high-risk flags — when built on the Order risk analyzed trigger. It cannot stop operations that shape behavior around any rule visible from the outside.
Should I cancel high-risk Shopify orders?
Yes, and refund before the chargeback is filed. Shipping a flagged order costs you the product, the shipping, the fee, and a piece of your ratio.
Does Shopify bot protection stop card testing?
No. Shopify positions it as defense against auto-checkout bots during drops, available on Plus via support activation. Treating it as a card-testing defense leaves exactly the gap operators rely on.
Get a free Shopify attack exposure report
If you recognise the pattern, we will review the signals visible around your storefront, checkout, cart, and order flow, and send back a short report: where automated abuse is most likely entering, which native controls you are underusing, and what should be blocked before inventory commit or authorization. No Shopify credentials required for the initial review.