Fraud Prevention on Shopify: Reducing Chargebacks and Card Testing
A skincare brand in Bondi opened their Shopify admin one morning to find 412 orders sitting in the queue, almost all for the same $4.95 sample sachet, all with different names and addresses, all paid with different cards. Of those 412, about 380 were declined. The rest went through. By the end of the week, the chargebacks rolled in: card testers had used the store as a laundromat to validate stolen card details, and the real cardholders were now disputing the charges. The fees alone, at $25 a chargeback, ran into thousands. The bigger cost was the dispute response time and the eventual increase in their payment processor risk rating.
Card testing, friendly fraud and chargeback abuse are not exotic threats. They are routine, automated, and aimed at any Shopify merchant whose fraud settings are even slightly loose. This article covers what Australian Shopify merchants actually need to do to reduce both fraud and the chargebacks that follow.
The three patterns that hit Shopify stores
Most Shopify fraud falls into three buckets, and each one needs a slightly different response.
- Card testing: bots running stolen card numbers against your checkout to see which ones still work. Often small dollar amounts, often the same product, often in bursts. The damage is in chargeback fees and processor risk ratings, not in inventory.
- True fraud: a stolen card used to buy real product, usually high value and easily resold. Shipping addresses often differ from billing, often to freight forwarders.
- Friendly fraud: a real customer disputes a charge they actually made. Sometimes accidental, sometimes deliberate. The hardest to fight because the customer details all match.
Use Shopify’s built-in fraud signals
Every Shopify order comes with a fraud analysis. The platform looks at AVS results, CVV match, IP location versus shipping address, device fingerprint, and a few dozen other signals. Each order gets a low, medium or high risk label.
The mistake we see often is treating these labels as informational. They are not. For high risk orders, our default recommendation is to manually review before fulfilment, not after. If your team ships fast and reviews later, you will pay for fraud you could have caught.
Where your category supports it, configure your fulfilment workflow so that high risk orders pause until a human approves them. The friction is small. The savings are large.
Shopify Protect for Shop Pay orders
Shopify Protect is the platform’s chargeback guarantee for eligible Shop Pay orders. When a covered order is disputed as fraudulent, Shopify covers the chargeback and the associated fee. The coverage applies to physical goods shipped to a verified address through Shop Pay, with some exclusions around digital goods and certain categories.
For Australian merchants, the practical move is to promote Shop Pay at the checkout. It speeds up conversion, and on covered orders you push the fraud risk back to Shopify. Check your eligibility in the admin, because it varies by country and plan.
Spotting card testing early
The Bondi story above could have been caught in the first ten minutes if anyone had been looking at the order feed. Card testing has signatures that are easy to recognise once you know them.
- A burst of orders in a short window, often outside business hours.
- The same product or two products repeatedly.
- A high decline rate.
- Email addresses that look generated: random letters, sequential numbers.
- Billing addresses that do not match the shipping address, or addresses that are obviously fake.
- IPs concentrated in a small range or from anonymising services.
Set up an alert (Shopify Flow, an email rule, or a monitoring tool) for any time you see more than a handful of orders in a minute. The faster you can pause the checkout or add a CAPTCHA, the less damage card testers can do.
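The tells listed above can be scored automatically. As an added example, not code from the article or from Defyn, the Python below buckets a constructed order feed (columns modelled on a Shopify order export) into one-minute windows and flags a window when it shows several card-testing signatures at once; the thresholds are assumptions to tune against your own order volume.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample order feed (timestamp, product, amount, status, email, IP); not real data.
ORDERS = """\
2024-03-02T02:14:05,Sample Sachet,4.95,declined,kqzr82713@mail.com,203.0.113.17
2024-03-02T02:14:09,Sample Sachet,4.95,declined,mx19383@mail.com,203.0.113.22
2024-03-02T02:14:12,Sample Sachet,4.95,paid,ab7721c@mail.com,203.0.113.40
2024-03-02T02:14:31,Sample Sachet,4.95,declined,user84412@mail.com,203.0.113.91
2024-03-02T02:14:44,Sample Sachet,4.95,declined,zz0193@mail.com,203.0.113.8
2024-03-02T02:14:58,Sample Sachet,4.95,declined,qwpx5521@mail.com,203.0.113.133
2024-03-02T10:05:10,Vitamin C Serum,89.00,paid,jane.doe@example.com,198.51.100.4
"""

# Thresholds are assumptions for this example; tune them to your own order volume.
BURST_MIN_ORDERS = 5      # "more than a handful of orders in a minute"
DECLINE_RATE_FLAG = 0.5   # half or more of the burst declined
PRODUCT_SHARE_FLAG = 0.8  # one product dominates the burst
GENERATED_EMAIL = re.compile(r"^[a-z]*\d{3,}[a-z]*@")  # letters plus a long digit run

def parse(feed):
    # Yield one dict per order line from the comma-separated feed.
    for line in feed.strip().splitlines():
        ts, product, amount, status, email, ip = line.split(",")
        yield {"ts": datetime.fromisoformat(ts), "product": product, "status": status,
               "email": email, "ip": ip, "amount": float(amount)}

def card_testing_windows(feed):
    # Bucket orders into one-minute windows, then score each burst against the tells above.
    windows = defaultdict(list)
    for o in parse(feed):
        windows[o["ts"].replace(second=0, microsecond=0)].append(o)
    flagged = []
    for start, orders in sorted(windows.items()):
        if len(orders) < BURST_MIN_ORDERS:
            continue
        n = len(orders)
        declined = sum(o["status"] == "declined" for o in orders) / n
        top_product, top_count = Counter(o["product"] for o in orders).most_common(1)[0]
        generated = sum(bool(GENERATED_EMAIL.match(o["email"])) for o in orders)
        subnets = {o["ip"].rsplit(".", 1)[0] for o in orders}  # /24 concentration
        checks = [
            (declined >= DECLINE_RATE_FLAG, f"decline rate {declined:.0%}"),
            (top_count / n >= PRODUCT_SHARE_FLAG, f"{top_count} of {n} orders for {top_product}"),
            (generated >= n / 2, f"{generated} generated-looking emails"),
            (len(subnets) == 1, f"all IPs in {next(iter(subnets))}.0/24"),
        ]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            flagged.append((start.isoformat(), n, reasons))
    return flagged
```

Run it over a daily order export, or wire the same checks into a Shopify Flow trigger, and page someone whenever a window comes back with two or more reasons.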
Velocity limits and CAPTCHA
Shopify added a CAPTCHA at the checkout in 2023 that triggers when suspicious activity is detected. It catches a meaningful share of bot traffic, but determined attackers solve CAPTCHAs cheaply through farms or AI. The second line of defence is rate limiting.
For higher risk merchants, we put Cloudflare in front of Shopify to add real bot management and rate limiting at the edge. The order traffic never reaches Shopify if it looks like a script, which keeps your checkout clean and your fraud rate low. We covered the technical setup in our piece on running Cloudflare proxy in front of Shopify and the performance angle in Cloudflare proxy for Shopify performance.
Address verification done well
AVS (address verification) is one of the strongest fraud signals you have. When the billing address the customer enters does not match the address the card issuer has on file, the order risk rises sharply. For Australian cards, AVS coverage is more limited than in the US, but it still flags many fraudulent attempts.
Use shipping address verification as well. Apps like AfterShip and ShipStation can validate addresses against postal databases. A common card testing tell is shipping to an address that does not exist or does not match the suburb and postcode. Catch it before you ship and you save the inventory.
Fighting chargebacks: the workflow that wins
When a chargeback does come in, you typically have seven to ten days to respond. The merchants who win disputes consistently do three things.
- Respond every time: even on disputes you expect to lose. Win rates climb the more you fight. Issuers track merchants who never respond and assume future disputes are valid.
- Bundle the evidence properly: order details, IP address, device fingerprint, AVS and CVV results, tracking number, signed delivery confirmation, customer communications, and screenshots of any social media interactions where the customer acknowledges receipt.
- Write the narrative clearly: a one paragraph summary explaining the order, the delivery and why the dispute is invalid. Issuers read these. Vague responses lose.
Shopify Payments now bundles much of the evidence automatically. For larger merchants, dedicated chargeback management tools like Chargebee, Chargeflow or Justt can lift win rates further by automating responses and arguing more cases.
Friendly fraud: the awkward conversation
Friendly fraud is the hardest category because the customer is real, the order is real, and the delivery is real. They just claim they did not authorise the purchase, or that the item never arrived. Three habits reduce it.
- Make sure the store name on the bank statement is obvious and matches the brand the customer sees at checkout. Many friendly disputes are honest confusion.
- Send shipping notifications with tracking and an “is this you?” reminder for high value orders.
- Respond to support requests fast. Customers who feel ignored sometimes go to their bank before they come back to you.
What to do this week
- Review your last 30 days of orders and tag anything that looked like card testing. Even one burst means your settings need tightening.
- Enable Shopify Protect if you are eligible and not already on it.
- Configure your fulfilment workflow to pause high risk orders for manual review.
- Set up an alert for unusual order velocity.
- If you ship internationally or run a high risk category, scope Cloudflare bot protection in front of your store.
Where Defyn fits in
Fraud prevention is a layered job. We help Australian Shopify merchants configure the platform controls, plug in edge protection, and build dispute workflows that win more chargebacks. Our team also covers related areas like Shopify app audits and Core Web Vitals work alongside security reviews. Take a look at our services page or start a project to scope a fraud and security review for your store. For ongoing protection, our audit and support retainer keeps your fraud configuration current as Shopify and the attackers both evolve.
