
Shopify Fraud Prevention: Merchant Guide 2026

For every $1 of actual fraud, US merchants lose $4.61 — after factoring in chargebacks, fees, lost merchandise, and operational cost. Global chargebacks are projected to cost merchants $41.69 billion by 2028. Most of that loss is preventable with proper Shopify fraud prevention setup.

Shopify fraud prevention tools cover the majority of what SMB merchants need. The Fraud Filter app was sunset in January 2025 — its functionality now lives in Shopify Flow. Here’s how to configure what’s available without buying a third-party solution.

Key Takeaways

  • Merchants lose $4.61 per $1 of fraud — the real cost is chargebacks, fees, and operations, not just the goods
  • Shopify’s Fraud Filter app was discontinued January 31, 2025; Shopify Flow replaces its automation functions
  • 3D Secure authentication shifts fraud liability from merchant to card issuer for authenticated transactions
  • Card testing attacks — small test purchases to verify stolen cards — account for a large share of ecommerce fraud

What Shopify’s Built-In Fraud Analysis Does

Address Verification System (AVS): How It Works

AVS matches the billing address a customer enters at checkout against the billing address on file with their card issuer. A full match is a positive signal. A mismatch — different ZIP code, different street — is a fraud indicator.

AVS checks happen automatically on Shopify Payments transactions. The result appears in each order’s fraud analysis section as a color-coded indicator. A full mismatch on billing ZIP code is one of the strongest single fraud signals available.

Note: international customers legitimately provide addresses in formats that don’t match US AVS standards. For stores selling internationally, AVS mismatch should be a contributing factor, not an automatic cancellation trigger.

CVV/CVC Matching: What It Catches

CVV verification confirms the customer physically possesses the card — the CVV is not stored in the magnetic stripe or chip data, so it can only be read from the physical card. A CVV failure means the card number was compromised but the physical card was not.

Shopify Payments enables CVV matching by default. For stores using third-party gateways, verify CVV verification is enabled in the gateway’s merchant settings.

IP-to-Billing Address Distance Flag

Shopify’s fraud analysis checks the geolocation of the IP address used to place the order against the billing address provided. An order from an IP geolocating to Russia billing to a US address is a significant anomaly.

This indicator is visible in the order’s fraud analysis panel. It’s a risk signal, not a fraud certainty — VPN usage, corporate proxies, and international travel cause legitimate false positives.

Reading Shopify’s Fraud Indicators: High/Medium/Low Risk

Every order shows a risk level: High, Medium, or Low. The risk assessment aggregates multiple signals: AVS match, CVV match, IP location, order history patterns, email address age, and velocity signals (multiple orders in short succession).

  • High risk: Review before fulfilling. Don’t auto-cancel — review the specific indicators flagged, then make a judgment call.
  • Medium risk: Worth a quick review on large orders. Most medium-risk orders from established customers are legitimate.
  • Low risk: Generally safe to fulfill without manual review.

What Happened to the Fraud Filter App (Sunset Jan 2025)

Shopify’s Fraud Filter app — previously the primary tool for creating automated fraud rules — was discontinued on January 31, 2025. Merchants who relied on it for custom fraud automation need to migrate those rules to Shopify Flow.

Shopify Flow provides equivalent functionality with more sophisticated rule-building. Any store that had Fraud Filter rules should verify those automations are recreated in Flow — they don’t migrate automatically.

Jamie ran an online art supply store and had been using Shopify’s Fraud Filter app since 2021. When it was sunset in January 2025, she received the notification but didn’t act on it. For three months, the automated cancellation rules she’d set up for card testing patterns were no longer running. In that period, her store processed 44 card testing attacks — small $0.50–$2.00 test charges across dozens of cards. None of the goods were shipped (the orders were small), but the chargebacks and dispute fees added $310 in processing costs. Recreating the rules in Shopify Flow took 45 minutes.

High-Risk Order Management in Shopify

How to Identify High-Risk Orders in Your Dashboard

High-risk orders appear with a red warning indicator in your Orders list. You can filter by risk level: Orders > Filter > Risk Level > High.

Set a personal workflow: review all high-risk orders before they enter fulfillment. If you have staff processing orders, ensure they know the protocol — no automatic fulfillment on high-risk orders without manager review.

Manual Review Workflow for Flagged Orders

For each high-risk order, evaluate:

  1. What specific indicators triggered the high-risk flag?
  2. Is the order value consistent with normal order behavior?
  3. Do the billing and shipping addresses make geographic sense together?
  4. Is the customer email from a recognizable domain?
  5. Is the IP geolocation consistent with the billing address?

Document your review decision in the order notes. This documentation matters for chargeback disputes — it demonstrates reasonable due diligence.

When to Cancel vs. Fulfill a Flagged Order

No rule applies universally. Some guidance:

Strong cancellation indicators: Multiple different cards used in the same session, shipping to a freight forwarder, high-value order with all indicators mismatched, order pattern matching known card testing behavior.

Review but likely fulfill: Single mismatch (IP only, or AVS only but CVV matches), regular customer with established order history, small-value order with limited fraud exposure.

Always investigate before high-value cancellation: A $500+ order with multiple risk flags warrants a direct customer contact before cancellation. Email the customer asking to confirm the order details. Legitimate customers respond; fraudsters rarely do.

Documenting Your Review Decisions (Chargeback Defense)

Every high-risk order review should be documented in the order’s internal notes. Include: date reviewed, indicators assessed, decision made, and reason. This creates an audit trail that supports chargeback disputes if a fulfilled high-risk order later generates a chargeback.

Merchants who win chargeback disputes at the 30–45% industry rate do so primarily through comprehensive documentation — shipping confirmation, customer communication records, fraud review notes.

Automating Shopify Fraud Prevention with Flow

Setting Up Fraud Prevention Flows (No Code Required)

Shopify Flow is available on all Shopify plans. Access via Shopify admin > Apps > Shopify Flow (or search in app store — it’s free and Shopify-developed).

Basic fraud prevention flows to configure:

Auto-hold high-risk orders:

  • Trigger: Order risk level equals High
  • Action: Add order tag “review-required” + send internal email to owner
  • Result: Staff see the tag before processing

Cancel card testing attempts:

  • Trigger: Order total is less than $2.00 AND order risk level equals High
  • Action: Cancel order + void payment + send automated customer email (optional)
  • Result: Card testing attempts are automatically cancelled without manual review

Auto-capture for low-risk orders:

  • Trigger: Order risk level equals Low AND order total under $200
  • Action: Capture payment immediately
  • Result: Reduces friction for low-risk buyers

Auto-Cancel and Refund for High-Risk Card Testing Attempts

Card testing attacks (small test purchases to verify stolen card validity) are detectable by their pattern: $0.50–$5.00 orders, often multiple within minutes, from different email addresses but similar shipping patterns.

Configure a Flow trigger that watches for orders under $5 with a High risk score. Auto-cancel and void. The fraudster gets no goods and no data; the stolen card test fails.

Notification Flows for Manual Review Triggers

For orders requiring human judgment — large orders, partial flag matches, new customers with high order values — configure notification flows that alert store owners without taking automatic action:

  • Trigger: Order total > $300 AND risk level = Medium
  • Action: Send Slack/email notification with order summary and link to review

This builds an escalation tier between “auto-cancel” and “no action.”
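To check rules like these against past orders before switching them on, the following added example (plain Python, not Shopify Flow code and not from this article's author) replays constructed order records through the four rules above. The field names, the `outcome` labels and the first-match-wins ordering are assumptions of the example.

```python
from collections import Counter

# The four rules described above, checked top to bottom; first match wins.
# That ordering is a modelling assumption so each order gets exactly one action.
RULES = [
    ("cancel_and_void",     lambda o: o["risk"] == "high" and o["total"] < 2.00),
    ("tag_review_required", lambda o: o["risk"] == "high"),
    ("notify_owner",        lambda o: o["risk"] == "medium" and o["total"] > 300),
    ("capture_payment",     lambda o: o["risk"] == "low" and o["total"] < 200),
]

# Constructed history (not real data). "outcome" is a hypothetical label the
# merchant fills in afterwards from chargeback records.
PAST_ORDERS = [
    {"id": "A1", "risk": "high",   "total": 0.50,   "outcome": "chargeback"},
    {"id": "A2", "risk": "high",   "total": 1.50,   "outcome": "legit"},
    {"id": "A3", "risk": "high",   "total": 2.00,   "outcome": "chargeback"},
    {"id": "A4", "risk": "high",   "total": 640.00, "outcome": "legit"},
    {"id": "A5", "risk": "medium", "total": 300.00, "outcome": "legit"},
    {"id": "A6", "risk": "medium", "total": 415.00, "outcome": "legit"},
    {"id": "A7", "risk": "low",    "total": 35.00,  "outcome": "legit"},
    {"id": "A8", "risk": "low",    "total": 200.00, "outcome": "legit"},
]

def route(order):
    """Return the name of the first rule the order matches."""
    for name, matches in RULES:
        if matches(order):
            return name
    return "no_automation"

def backtest(orders):
    """Count actions per rule and list legitimate orders the cancel rule would have hit."""
    counts = Counter()
    wrongly_cancelled = []
    for order in orders:
        action = route(order)
        counts[action] += 1
        if action == "cancel_and_void" and order["outcome"] == "legit":
            wrongly_cancelled.append(order["id"])
    return dict(counts), wrongly_cancelled

if __name__ == "__main__":
    counts, wrongly_cancelled = backtest(PAST_ORDERS)
    print(counts)
    print("legitimate orders that would have been cancelled:", wrongly_cancelled)
```

Orders sitting exactly on a threshold ($2.00, $200, $300) fall through to the next rule or to no automation, which is worth confirming against real history before relying on a rule.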

Our Shopify store setup includes Shopify Flow fraud configurations as standard — AVS thresholds, card testing automations, and high-risk order handling are configured before launch day. See our Shopify packages for complete setup options.

3D Secure Authentication — The Chargeback Shield

How 3DS2 Shifts Fraud Liability From Merchant to Card Issuer

3D Secure 2 (3DS2) is the authentication protocol where customers complete an extra verification step during checkout — typically a one-time code from their bank app or fingerprint/Face ID authentication.

When 3DS2 authentication is completed successfully, the liability for fraudulent chargebacks shifts from the merchant to the card issuer. The merchant is no longer responsible for refunding fraud disputes on 3DS-authenticated transactions.

This is not a theoretical benefit. For stores selling high-value items where chargebacks are costly, 3DS authentication on every transaction or on high-risk transactions specifically is direct fraud liability protection.

Enabling 3DS in Shopify Payments Settings

Shopify Payments supports 3DS2 for cards issued in regions where it’s required (most EU cards) and optionally for other cards. Configure in Shopify admin > Settings > Payments > Shopify Payments > Manage.

3DS is required for most EU-issued cards under PSD2 regulation — this isn’t optional if you sell to European customers.

Friction vs. Conversion Tradeoff: When 3DS Hurts Sales

3DS authentication adds a step to checkout. An additional authentication step that requires opening a banking app causes some percentage of legitimate customers to abandon. Studies show abandonment rates of 5–15% for checkout steps added by 3DS authentication, depending on the user experience quality.

The practical approach: enable 3DS for high-risk transactions and EU-required transactions. Don’t require it universally on low-risk, small-value domestic orders where the fraud risk doesn’t justify the conversion cost.

Card Testing Attacks — The Most Common Shopify Fraud Type

What Card Testing Is and How It Hits Your Store

Card testing (also called “carding”) is the process of using stolen card numbers to make small test purchases — typically $0.50–$2.00 — to verify which cards are valid before using them for larger fraudulent purchases elsewhere.

Fraudsters use automated bots to place hundreds of card tests against Shopify stores simultaneously. Your store is a verification service for their stolen card list. You don’t lose merchandise (the orders are tiny), but you accumulate processing fees, potential chargeback fees, and Shopify may flag your account for high decline rates.

Signs Your Store Is Being Card-Tested

Indicators of a card testing attack:

  • Multiple orders in minutes from different email addresses
  • All orders are very small ($0.50–$5.00)
  • Multiple failed payment attempts preceding successful ones
  • Shipping addresses that are nonsensical or clearly fake
  • Order notes or customer names with unusual character patterns (often auto-generated)
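The first three indicators can be checked mechanically over an order export. This added example (not part of the original article) slides a time window over constructed order records and raises one alert per burst of small orders from many distinct email addresses; the tuple layout, the 10-minute window and the four-address threshold are assumptions to tune for your store.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample export (not real data):
# (placed_at, email, total_usd, failed_payment_attempts_before_success)
SAMPLE_ORDERS = [
    ("2026-01-10T09:00:00", "regular@example.com", 48.00, 0),
    ("2026-01-10T14:02:05", "qx81@example.net", 1.00, 3),
    ("2026-01-10T14:02:40", "zz7p@example.net", 0.50, 2),
    ("2026-01-10T14:03:10", "m0kd@example.net", 1.50, 0),
    ("2026-01-10T14:04:30", "r4vt@example.net", 2.00, 4),
    ("2026-01-10T14:40:00", "art.buyer@example.com", 3.25, 0),
    ("2026-01-10T18:30:00", "late@example.com", 4.00, 0),
]

def find_card_testing_bursts(orders, max_total=5.00, window_minutes=10,
                             min_distinct_emails=4):
    """Return one alert per burst of small orders from many distinct emails."""
    window = timedelta(minutes=window_minutes)
    recent = deque()              # small orders still inside the sliding window
    alerts, in_burst = [], False
    for placed_at, email, total, failed in sorted(orders):
        if total > max_total:     # only very small orders fit the pattern
            continue
        when = datetime.fromisoformat(placed_at)
        recent.append((when, email.lower(), failed))
        while when - recent[0][0] > window:
            recent.popleft()      # drop orders that aged out of the window
        emails = {e for _, e, _ in recent}
        if len(emails) < min_distinct_emails:
            in_burst = False
        elif not in_burst:        # burst starts: seed the alert from the window
            alerts.append({"start": recent[0][0], "end": when,
                           "orders": len(recent), "emails": emails,
                           "failed_attempts": sum(f for _, _, f in recent)})
            in_burst = True
        else:                     # burst continues: extend the open alert
            alert = alerts[-1]
            alert["end"] = when
            alert["orders"] += 1
            alert["emails"].add(email.lower())
            alert["failed_attempts"] += failed
    return alerts

if __name__ == "__main__":
    for a in find_card_testing_bursts(SAMPLE_ORDERS):
        print(a["start"], "to", a["end"], "-", a["orders"], "small orders,",
              len(a["emails"]), "emails,", a["failed_attempts"], "failed attempts")
```

Isolated small orders, such as the two later ones in the sample, do not trigger an alert because they never share a window with enough other addresses.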

CAPTCHA and Bot Protection for Checkout

Shopify’s built-in bot protection includes Google reCAPTCHA on checkout for suspicious traffic patterns. You can also add CAPTCHA to account registration and login pages.

For stores experiencing repeated card testing attacks, Shopify’s fraud analysis and Flow automations are the primary defense at the platform level. If attacks persist despite automation, contact Shopify Support — they have infrastructure-level tools for mitigating active bot attacks.

When to Use a Third-Party Fraud Solution

SMB Threshold: When Native Tools Are Enough

For stores with monthly fraud losses under $1,000 and fewer than 500 orders per month, Shopify’s native fraud analysis plus Shopify Flow automations covers the majority of risk. The additional cost of a third-party fraud tool ($100–500+/month) typically isn’t justified until fraud losses exceed those tools’ cost by a meaningful margin.

Mid-Market: Signifyd, NoFraud, and Guaranteed Chargeback Protection

At $500K+ annual revenue with growing chargeback rates, third-party solutions with guaranteed chargeback protection become worth evaluating:

Signifyd: Provides a financial guarantee on approved orders — if a guaranteed order generates a chargeback, Signifyd covers the loss. Pricing is a percentage of transactions (typically 0.5–1.0%).

NoFraud: Similar guarantee model, competitive on pricing for mid-market stores. Integrates directly with Shopify.

The calculation: if your current chargeback rate is 0.5% and your AOV is $80, Signifyd’s 0.7% fee roughly equals your current loss rate. The value is in converting variable fraud losses to a predictable fixed cost — and off-loading the manual review burden.

Enterprise: Riskified, Kount — Cost vs. Benefit at Scale

For stores above $5M annual revenue with complex fraud patterns (high-value items, high chargeback rates, international volume), enterprise fraud solutions with machine learning models become the right investment. These aren’t SMB tools — their pricing and onboarding reflect that.

Winning Chargeback Disputes

What Evidence Shopify Provides for Dispute Responses

When a chargeback arrives in your Shopify admin (Finances > Chargebacks), Shopify generates a dispute response document containing:

  • Order details and timeline
  • Customer IP address and geolocation
  • Payment method details
  • Shipping tracking information
  • Shopify’s fraud analysis indicators at time of order

This evidence package is your baseline. Supplement it with any direct customer communication (email correspondence, support tickets), delivery confirmation with signature, and your internal fraud review documentation.

Time Limits and Process

Chargeback response windows vary by card network: Visa and Mastercard typically allow 20–30 days to respond. Shopify sends immediate notifications — respond within 7 days to give yourself ample time to gather evidence.

Well-documented chargeback responses — with tracking, communication records, and fraud review notes — win disputes approximately 30–45% of the time. For legitimate “fraud” chargebacks that were actually fulfilled correctly, win rates are higher. For card-not-present fraud where the card was genuinely compromised, win rates are lower.

Marcus experienced a spike in chargebacks after a card testing attack that preceded a series of $200–400 orders for digital download products. He had not configured any fraud automations. Of 18 chargebacks, he won 4 because he could demonstrate delivery of the digital goods. The remaining 14 were losses totaling $3,200 plus $450 in chargeback fees. Post-incident, he configured Shopify Flow to auto-hold high-risk orders for digital products and require manual review above $150 for new customers. There was no similar incident in the following year.

Conclusion

Shopify fraud prevention is revenue protection. The $4.61 cost-per-dollar-of-fraud is the number to hold in your head every time you consider skipping the fraud review on a High-risk order.

Shopify’s native tools — built-in fraud analysis, AVS, CVV, 3DS, and Shopify Flow — cover the majority of SMB fraud scenarios without a third-party subscription. The Fraud Filter app is gone; set up equivalent Flow automations now if you haven’t.

For card testing attacks, configure auto-cancel Flow rules for sub-$5 High-risk orders. For large-order fraud, build manual review workflows into your fulfillment process. Document every review decision for chargeback defense.

Our Shopify store setup services configure fraud prevention tools as part of every build — AVS settings, Shopify Flow automations, and 3DS configuration are included. For existing stores needing fraud tool reconfiguration, our Shopify fraud and security configuration packages cover the full setup.

Frequently Asked Questions

How does Shopify detect fraud?

Shopify’s fraud analysis system evaluates each order against multiple signals: AVS (billing address match), CVV verification, IP geolocation vs. billing address, order velocity (multiple orders in short succession), email address characteristics, and pattern matching against known fraud profiles. The result is a risk score (High, Medium, Low) visible in each order’s detail view.

What is a chargeback and how do I dispute it?

A chargeback occurs when a cardholder disputes a transaction with their bank, and the bank initiates a reversal. The bank debits the transaction amount from the merchant. To dispute, you respond through Shopify admin (Finances > Chargebacks) with evidence: shipping proof, customer communication, fraud analysis data. The card network reviews both sides and determines the outcome. Response windows are typically 20–30 days.

Does Shopify protect merchants from chargebacks?

Shopify provides fraud analysis tools, dispute response documentation, and — for 3DS-authenticated transactions — liability shift from merchant to card issuer. Shopify does not provide a financial guarantee against all chargebacks. Third-party solutions like Signifyd or NoFraud offer guaranteed chargeback protection for an additional fee, which may be worthwhile for stores with high chargeback rates.

What is card testing fraud?

Card testing (carding) is when fraudsters use stolen card numbers to make small test purchases — typically $0.50–$5.00 — to verify which cards are valid before using them for larger fraudulent purchases. Your store becomes an unwitting verification service for stolen card lists. Signs: multiple tiny orders from different email addresses in a short time window, high payment failure rates, nonsensical shipping details.

Is 3D Secure worth enabling on Shopify?

For EU customers, 3DS is required under PSD2 regulation — it’s not optional. For other customers, 3DS creates a liability shift: if a 3DS-authenticated transaction generates a fraud chargeback, the card issuer (not you) covers the loss. The tradeoff is potential checkout abandonment from the added authentication step. Enable 3DS for high-risk transactions, international orders, and high-value orders. Evaluate universal 3DS only if your fraud rates are high enough to justify the conversion cost.