Fundamentals | 2026-05-20 | 11 min read

The 12 Most Common Types of Shopify Fraud in 2026

A field guide to the 12 fraud patterns hitting Shopify stores this year — card testing, COD non-acceptance, friendly fraud, triangulation, promo abuse, and more.

The fraud playbook from 2020 — "set Shopify's fraud filter to high and cancel obvious ones" — stopped working around 2022. Fraud rings industrialized, AI-generated identities became cheap, and reshipping services made cross-border fraud nearly frictionless.

In 2026, the merchants who keep chargeback ratios in check aren't the ones with the strictest rules. They're the ones who can name the specific fraud pattern hitting their store and apply the right control for it.

Here are the twelve patterns most merchants will encounter, with the signals to look for and the control that works best.

1. Stolen credit card fraud

The classic. A fraudster acquires card data from a dark-web dump and orders from your store. The legitimate cardholder discovers the charge weeks later and disputes it.

Signals. Billing-shipping country mismatch. New email, no order history. Order during off-hours for the billing country. Multiple recent declined attempts on the card.

Best control. Cross-check AVS/CVV with IP geolocation and device history. Hold for review on high-value orders. Shieldy's auto-block on high-risk + AVS mismatch catches most of this with low false-positive rates.

2. Friendly fraud (first-party)

The customer received the product, then disputes anyway. Claims: "I didn't authorize this," "It never arrived," "It wasn't what I ordered."

Friendly fraud is the fastest-growing chargeback category in 2026 — banking apps made disputes one-click, and consumer awareness of the process has broadened.

Signals. Customer with long order history suddenly disputing. Order shows delivered with tracking. Email appears in shared friendly-fraud blocklists.

Best control. Delivery proof matters more than detection. Signature confirmation on orders above a threshold. Email confirmations the customer acknowledges. Detailed product photos that match what shipped. Fight at representment, not prevention.

3. Cash-on-delivery (COD) non-acceptance

Dominant in Vietnam, Indonesia, the Philippines, India, Mexico, Egypt. Buyer places a COD order with no intent to accept. Merchant pays outbound shipping + return shipping + warehouse handling. No card = no chargeback = no dispute mechanism. Pure operational loss.

Signals. Repeat shipping address with prior non-acceptance. Phone number on disposable SIM. Order placed without browsing (straight from social ad). Velocity from same IP/phone range.

Best control. Hide COD as a payment method for high-risk profiles rather than blocking outright. Pre-shipment phone verification on first-time COD orders above value threshold. Shieldy supports both via Shopify Functions + checkout rules.

4. Card testing (BIN attacks)

Fraudster runs $0.99 - $5 transactions through your checkout to validate stolen cards. Once validated, the cards get used elsewhere (or at higher value on your store later).

A modest test run = a few hundred transactions over hours. A large run = tens of thousands across days.

Signals. High volume of low-value transactions in short window. Many declines mixed with few approvals. Same IP cycling through proxy pool. Cards from same BIN (first 6 digits) being tested in sequence.

Best control. Velocity rules at checkout — block more than N attempts from same IP in 5 minutes. CAPTCHA on suspicious sessions. Block datacenter IP ranges. Shieldy's IP blocker + Auto-block via fraud orders catches most card-testing infrastructure.
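
The velocity rule and the signals above, as an added example (not Shieldy's or Shopify's code): a sliding-window detector run over checkout attempts. The record fields (`ts`, `ip`, `bin`, `amount`, `approved`) and every threshold are assumptions.

```javascript
// Added example: sliding-window card-testing detector over checkout attempts.
// Field names and every threshold below are assumptions to tune per store.
const WINDOW_MS = 5 * 60 * 1000;  // the 5-minute window from the velocity rule
const MAX_ATTEMPTS = 5;           // "N" in the rule
const LOW_VALUE = 5.0;            // top of the $0.99 - $5 test range
const MIN_SHARE = 0.7;            // share of the window a signal must cover

function detectCardTesting(attempts) {
  const windows = new Map();  // ip -> attempts inside the current window
  const flagged = new Map();  // ip -> { firstFlaggedAt, reasons }
  for (const a of [...attempts].sort((x, y) => x.ts - y.ts)) {
    const win = windows.get(a.ip) || [];
    windows.set(a.ip, win);
    win.push(a);
    while (a.ts - win[0].ts > WINDOW_MS) win.shift();  // expire old attempts
    if (win.length <= MAX_ATTEMPTS || flagged.has(a.ip)) continue;

    const share = pred => win.filter(pred).length / win.length;
    const reasons = ['velocity'];
    if (share(x => x.amount <= LOW_VALUE) >= MIN_SHARE) reasons.push('low_value');
    if (share(x => !x.approved) >= MIN_SHARE) reasons.push('mostly_declined');
    if (new Set(win.map(x => x.bin)).size === 1) reasons.push('single_bin');
    // Velocity alone is weak evidence (offices and carriers share IPs),
    // so require at least one corroborating signal before flagging.
    if (reasons.length >= 2) flagged.set(a.ip, { firstFlaggedAt: a.ts, reasons });
  }
  return flagged;
}

// Constructed sample: one testing run and one busy but legitimate shared IP.
const T0 = Date.parse('2026-05-20T02:00:00Z');
const SAMPLE_ATTEMPTS = [
  ...Array.from({ length: 8 }, (_, i) => ({
    ts: T0 + i * 20000, ip: '203.0.113.7', bin: '411111',
    amount: 1.0, approved: i === 5,
  })),
  ...Array.from({ length: 6 }, (_, i) => ({
    ts: T0 + i * 30000, ip: '198.51.100.20', bin: String(400000 + i),
    amount: 60 + i, approved: true,
  })),
];

for (const [ip, f] of detectCardTesting(SAMPLE_ATTEMPTS)) {
  console.log(ip, f.reasons.join(','));
}
```

The shared IP exceeds the attempt count but is not flagged, because none of the corroborating signals holds for it.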

5. Account takeover (ATO)

Fraudster compromises a customer's saved account (usually via credential stuffing from leaked password databases) and places orders with stored payment methods, often to a new shipping address.

Signals. Login from new device/IP/country vs. account history. Shipping address change just before order. Order placed right after password reset.

Best control. Force re-authentication on suspicious login signals. Alert when shipping address changes. Require 2FA above value threshold. Customer-account guards matter more than checkout guards here.
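
One way to turn the three ATO signals into a re-authentication decision, as an added example (not Shieldy's or Shopify's code): account events are correlated in the window before each order. The event shape, the 60-minute look-back and the two-signal rule are assumptions.

```javascript
// Added example: correlate account events before each order to decide re-auth.
// Event shape, the 60-minute look-back and the 2-signal rule are assumptions.
const LOOKBACK_MS = 60 * 60 * 1000;

function scoreOrdersForAto(events) {
  const accounts = new Map();  // account -> { devices, countries, recent }
  const findings = [];
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (!accounts.has(e.account)) {
      accounts.set(e.account, { devices: new Set(), countries: new Set(), recent: [] });
    }
    const s = accounts.get(e.account);
    s.recent = s.recent.filter(r => e.ts - r.ts <= LOOKBACK_MS);
    if (e.type === 'login') {
      const hasBaseline = s.devices.size > 0;  // first login only seeds history
      if (hasBaseline && !s.devices.has(e.device)) s.recent.push({ ts: e.ts, signal: 'new_device' });
      if (hasBaseline && !s.countries.has(e.country)) s.recent.push({ ts: e.ts, signal: 'new_country' });
      // Simplification: a production system would only trust a new device
      // after the customer passes re-authentication on it.
      s.devices.add(e.device);
      s.countries.add(e.country);
    } else if (e.type === 'password_reset' || e.type === 'address_change') {
      s.recent.push({ ts: e.ts, signal: e.type });
    } else if (e.type === 'order') {
      const signals = [...new Set(s.recent.map(r => r.signal))];
      findings.push({ orderId: e.orderId, signals, action: signals.length >= 2 ? 'reauth' : 'allow' });
    }
  }
  return findings;
}

// Constructed sample events (timestamps in minutes, converted to ms).
const MIN = 60 * 1000;
const SAMPLE_EVENTS = [
  { ts: 0 * MIN, account: 'cust_1', type: 'login', device: 'dev-A', country: 'US' },
  { ts: 5 * MIN, account: 'cust_1', type: 'order', orderId: 'o1' },
  { ts: 900 * MIN, account: 'cust_1', type: 'login', device: 'dev-B', country: 'DE' },
  { ts: 903 * MIN, account: 'cust_1', type: 'address_change' },
  { ts: 906 * MIN, account: 'cust_1', type: 'order', orderId: 'o2' },
  { ts: 10 * MIN, account: 'cust_2', type: 'login', device: 'dev-C', country: 'FR' },
  { ts: 12 * MIN, account: 'cust_2', type: 'address_change' },
  { ts: 15 * MIN, account: 'cust_2', type: 'order', orderId: 'o3' },
];

console.log(scoreOrdersForAto(SAMPLE_EVENTS).map(f => `${f.orderId}:${f.action}`).join(' '));
```

An address change on its own (order `o3`, a customer who moved) stays below the threshold; the same change right after a login from an unseen device and country (order `o2`) does not.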

6. Triangulation fraud

Three-party scheme. Fraudster runs a fake storefront, takes orders from real customers, fulfils by ordering from your store with stolen cards, ships directly to the real buyer. Real buyer is happy. Your store eats the chargeback when the legitimate cardholder disputes.

Signals. Shipping address doesn't match billing. Generic email. Cart looks "too efficient" — one of each high-margin item, no browsing. Ships to address with high prior package volume from many merchants.

Best control. AVS mismatch + high-margin product velocity → manual review. Maintain a list of known reshipping addresses. Shieldy's address blocker handles both via Checkout Blocker rules.

7. Reshipping and freight-forwarder fraud

Variation of triangulation. Fraudster ships to a US or EU "freight forwarder" address, then has the package re-shipped internationally. Reshipping operations cluster geographically — often near international airports.

Signals. Address matches known reshipping clusters. ZIP code historically associated with reshipping. Package volume from multiple unrelated merchants to same address.

Best control. Subscribe to (or maintain) a freight-forwarder address database. For flagged addresses, require signature confirmation. Hide international expedited shipping methods to reshipping ZIPs.

8. Refund and return fraud

Customer requests refund for an item they received. Returns nothing, a different item, or the same item damaged. Organized communities share scripts for which return reasons get refunded without inspection.

Signals. Customer with refund-request history across unrelated merchants. Refund requested before reasonable use time. Return tracking weight/dimensions inconsistent with original.

Best control. Photograph returns at receipt. Track refund-frequency per customer; flag outliers. For high-value items, inspect before refunding. This is mostly a returns-process problem, not a fraud-app problem.

9. Promotion and discount-code abuse

A 30%-off campaign meant for 200 conversions gets redeemed 4,000 times by coordinated accounts within 48 hours. Campaign budget gone; most redemptions to fraudulent accounts.

Signals. Velocity spike on a single code. Coordinated redemption (same shipping country, same product mix, same time-of-day cluster). Many new-account redemptions on a code targeted at returning customers.

Best control. Per-customer redemption caps. Email-domain restrictions for segment-specific codes. Time-windowed velocity limits ("no more than N redemptions per hour"). Real-time alerts when redemption velocity exceeds threshold.

10. Affiliate and referral fraud

If you run an affiliate program, fraudsters will game it. Two patterns: self-referrals (fake customer accounts that "refer" back to the fraudster's affiliate ID) and cookie stuffing (forcing affiliate cookies onto unrelated visitors).

Signals. Affiliate with abnormally high conversion rate vs. traffic. Referred customers with no engagement before order. Affiliate-driven orders disproportionately using same payment method or IP range.

Best control. Cooling-off period before paying out affiliate commissions. Manual review for affiliates above velocity threshold. Device-fingerprint check on referred customers.

11. Inventory and bot scalping

Limited-edition drops, sneakers, collectibles. Bots monitor your store, hit "buy" the instant inventory becomes available, resell at markup. The order itself isn't fraudulent — payment clears, product ships — but real customers can't buy.

Signals. Cart-to-checkout latency below human capability. Identical user-agent across many accounts. Order placed seconds after product publish. Volume from single IP or proxy pool.

Best control. Edge-level bot filtering (Shieldy's bot blocker). Cart hold times that punish bot speed. CAPTCHA at checkout for new accounts on flagged product types.

12. Synthetic identity fraud

Fraudster combines real and fabricated info — real address, fake name, partly real social profile — to create an identity that passes most checks but doesn't correspond to a real person. Increasingly used because synthetic identities don't trigger the "cardholder calls the bank" feedback loop.

Signals. Email/phone not in any public dataset. Address-name mismatch by region/ethnicity pattern. New identity placing high-value orders without history. Multiple "synthetic" customers sharing device characteristics.

Best control. Hardest category to detect from order data alone. Cross-merchant networks and device-fingerprint clustering — recognising 10 "different" customers from the same device — are the only reliable signals. Shieldy's device-cluster detection addresses this.
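
Device-fingerprint clustering as described above, in an added example (not Shieldy's implementation): customers are linked transitively through any device they share, so an identity that hops between two devices still joins one cluster. The `device` field is a hypothetical fingerprint ID assumed to be computed elsewhere, and the minimum cluster size is an assumption.

```javascript
// Added example: group "different" customers that share devices (union-find).
// `device` is a hypothetical fingerprint ID; minCustomers is an assumption.
function clusterByDevice(orders, minCustomers = 3) {
  const parent = new Map();
  const find = x => {
    if (!parent.has(x)) parent.set(x, x);
    while (parent.get(x) !== x) {
      parent.set(x, parent.get(parent.get(x)));  // path halving
      x = parent.get(x);
    }
    return x;
  };
  // Customers and devices are nodes in one graph; each order is an edge.
  for (const o of orders) {
    const a = find('c:' + o.customer);
    const b = find('d:' + o.device);
    if (a !== b) parent.set(a, b);
  }
  const clusters = new Map();  // root -> customer ids
  for (const node of parent.keys()) {
    if (!node.startsWith('c:')) continue;
    const root = find(node);
    if (!clusters.has(root)) clusters.set(root, []);
    clusters.get(root).push(node.slice(2));
  }
  // Small groups are usually households or shared work machines.
  return [...clusters.values()]
    .filter(c => c.length >= minCustomers)
    .map(c => c.sort());
}

// Constructed sample: a1..a4 are linked through devices D1 and D2.
const SAMPLE_ORDERS = [
  { customer: 'a1', device: 'D1' }, { customer: 'a2', device: 'D1' },
  { customer: 'a3', device: 'D1' }, { customer: 'a3', device: 'D2' },
  { customer: 'a4', device: 'D2' },
  { customer: 'h1', device: 'D5' }, { customer: 'h2', device: 'D5' },
  { customer: 'b1', device: 'D3' }, { customer: 'b2', device: 'D4' },
];

console.log(clusterByDevice(SAMPLE_ORDERS));
```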

Which patterns should you worry about first?

Use this matrix to identify which 2-3 patterns are eating your margin right now:

| If your store sees… | Focus first on |
| --- | --- |
| High COD volume in SEA/LATAM/Egypt | COD non-acceptance + payment-method hiding |
| Limited-edition / high-demand drops | Bot scalping + edge filtering |
| Affiliate or referral programs | Affiliate fraud + cooling-off periods |
| High-velocity flash sales with discount codes | Promo abuse + per-customer caps |
| International shipping with high AOV | Reshipping + triangulation controls |
| Customer accounts with saved payment | Account takeover + re-auth |
| Chargeback ratio creeping above 0.6% | Friendly fraud + dispute representment |

A merchant losing $5K/month to COD non-acceptance has a completely different problem than one losing $5K/month to chargebacks on premium watches. Same dollar amount; different controls.

Practical next step

Pick the single category from the table that matches your loss profile. In the next two weeks, instrument a way to count it. Once you have a number, the right control becomes obvious.

Shieldy Fraud Filter handles ten of these twelve categories in a single app — IP/country/state/city/ISP blocking, VPN/proxy/TOR/bot detection, payment-method hiding, auto-cancel by score, Shopify Flow triggers, and device-cluster fraud-ring detection.

The two categories Shieldy doesn't directly address — friendly fraud disputes and refund-return fraud — are operational, not detection problems. They live in your delivery documentation and returns process.

For everything else, the right layered defense cuts these patterns 60-80% within 30 days.