COD Fraud in Vietnam, Indonesia, Philippines — The Silent Margin Killer

If you sell to customers in Vietnam, Indonesia, the Philippines, Thailand, India, Mexico, or Egypt, cash on delivery isn't a payment method — it's a market entry requirement. In these markets, 60-80% of all ecommerce orders are COD. Drop COD and you don't reach the market.

But COD comes with a specific kind of fraud risk that Western fraud apps barely address.

What COD fraud actually is

In a COD order, the buyer pays the courier in cash on delivery. No card. No payment authorization. No fraud-network signal. The merchant ships first, on credit, expecting cash on arrival.

When that expectation breaks — the buyer refuses the package, isn't home, gives a fake address — the merchant pays:

• Outbound shipping
• Return shipping
• Warehouse handling on both ends
• Inventory write-off if the product comes back damaged

No money ever changes hands. No chargeback to dispute, no payment processor to involve. The loss is purely operational and shows up as elevated shipping cost — usually categorized as "logistics expense" rather than "fraud."

This invisibility is why COD fraud is so corrosive. Merchants pay attention to fraud line items they can name. They don't pay attention to a 3% increase in return-shipping cost.

The real economics

Take a typical $30 COD order in Vietnam:

That's 17% of order value lost on every refusal, with zero revenue.

In a market where COD is 70% of orders and non-acceptance runs 15% (typical for unmanaged operations), 10.5% of total order volume costs money without generating any.

For a $200K/month gross-revenue store, that's roughly $21K/month of pure loss showing up in logistics overhead.

The merchants who succeed in SEA aren't the ones with the lowest non-acceptance rate. They're the ones who built verification habits to keep it under 8%. That difference, multiplied across thousands of orders, is the gap between profitable and bleeding.

Why standard fraud apps miss COD fraud

Every major fraud framework — Stripe Radar, Shopify's native risk analysis, most standalone fraud apps — assumes a credit card is involved. They score on payment signals: AVS, CVV, IP-geolocation, cardholder history. None of those apply to COD.

A COD order with no payment friction passes every fraud check trivially. The order looks normal up to and including fulfillment. The fraud only manifests at delivery — by which point you've already paid most of the cost of fulfilling it.

The signals that actually matter for COD are completely different:

• Repeat shipping address with prior non-acceptance history
• Phone number on disposable / virtual SIM
• Address that doesn't geolocate to a real residence
• Order placed without browsing (straight from social ad to checkout)
• Velocity of COD orders from same IP, device, phone-number range
• Suspicious item-mix patterns (one of every high-margin product)

This requires a fraud layer that understands the COD workflow — not the card-payment workflow.

Why COD non-acceptance actually happens

Five drivers, each with a different control:

1. Buyer's remorse without consequence

Most non-acceptance isn't malicious. Customer placed an impulse order from a Facebook ad, didn't fully internalize they'd have to pay, refused when the courier arrived. There's no negative consequence to the buyer.

Control: Pre-shipment SMS/phone verification on first-time COD orders above threshold. The verification step itself filters out impulse-buyers.

2. Multiple-store ordering

Buyers place identical COD orders on multiple stores selling the same product, accept whichever arrives first, refuse the rest. The merchants who shipped non-accepted orders absorb the cost.

Control: Cross-merchant phone-number databases catch this — Shieldy's threat-intel feed includes shared non-acceptance signals from local couriers.

3. Coordinated competitor attacks

Real in SEA. Competitor's marketing team places COD orders on a smaller competitor's store to drain operational margin. Orders never get accepted; smaller merchant pays return shipping.

Control: Velocity rules on COD orders from same IP/phone range. Block after N orders from the same source in a defined window.

4. Logistics testing

Fraudster places COD orders to test whether a courier will actually deliver to a specific address — pre-validating drop locations for later, larger schemes.

Control: Address-history tracking. Addresses with prior non-acceptance history get auto-rejected on subsequent COD orders.

5. Address farming at scale

Automated tools generate plausible-looking addresses and phone numbers, place COD orders, observe which get fulfillment-confirmed. Fraudster never intended to receive anything — they're harvesting which address formats pass merchant validation.

Control: Address-quality validation. Real addresses in Vietnam, Indonesia, Philippines follow specific structural rules. Addresses that don't parse correctly are often deliberately invalid.

The four-layer COD defense

Effective COD-fraud prevention requires four layers:

Layer 1: Address quality scoring

• Block addresses with prior non-acceptance on your store
• Detect repeat-pattern variations ("123 Main St" / "123 Main Street" / "123 Main")
• Validate against postal databases
• Flag districts with sustained >30% non-acceptance rates

Layer 2: Phone-number quality

• Detect disposable / VOIP SIMs vs. real consumer mobile numbers
• Flag sequential phone numbers (ending in 1234, 1235, 1236)
• Block phone numbers associated with prior non-acceptance
• Pre-shipment verification (SMS or automated call) on high-risk profiles

Layer 3: Customer-history tiering

• New customer + high-value COD = scrutiny
• Customer with prepaid history = lower risk
• Customer with COD-success history = lower risk
• New customer + high non-acceptance district = strongest scrutiny

Layer 4: Conditional COD hiding (via Shopify Functions)

The most effective single control. Don't block the customer entirely — hide COD as a payment method for high-risk profiles, route them to prepaid.

Rules that work:

• Hide COD for customers with prior non-acceptance
• Hide COD for orders shipping to known-bad addresses
• Hide COD for orders above $80 in higher-risk districts
• Hide COD for orders placed within 30 seconds of a social-ad click (impulse pattern)

The customer can still buy — just on prepaid. Legitimate impulse-buyers convert at lower rate (acceptable). Fraudsters who needed COD specifically don't proceed.

What this looks like in Shieldy

Shieldy Fraud Filter is built with COD markets in mind. Specifically:

1. Address history blocking — automatic for any address with prior non-acceptance
2. Phone validity check — disposable-SIM detection on supported markets
3. District-level filtering — block or hide COD by city/district within a country
4. Hide COD payment method — Shopify Functions rule by customer history, order value, address
5. Auto-cancel by phone/address blocklist — fires before fulfillment commits

Set it up in 15 minutes. Within 30 days, expect non-acceptance to drop from 15% baseline to 7-9%.

Working with your courier

A non-obvious tip that doesn't apply in card markets: your relationship with your courier is part of your fraud-prevention stack.

The major couriers in Vietnam (GHTK, GHN, J&T, Ninja Van), Indonesia (JNE, J&T, SiCepat), and the Philippines (LBC, J&T) have proprietary delivery-outcome data per address and phone number. They know which addresses refuse packages, which phone numbers don't answer, which delivery zones have high non-acceptance.

This data is rarely shared back to merchants by default — but most will negotiate access for high-volume customers (typically 500+ COD orders/month). Some integrate it via webhook or API.

For serious COD operations, this is the single highest-ROI conversation to have with your courier partner.

A practical first-week investment

If you're a SEA merchant who's never specifically tracked COD non-acceptance:

1. Count COD orders attempted, delivered, returned, by week, for the last 90 days
2. Calculate your non-acceptance rate — anything above 12% is a meaningful margin drain
3. Group non-acceptances by city/postal code — almost always concentrates in 5-8 specific districts
4. Pull repeat non-acceptance addresses — count distinct refused orders each. These are the highest-leverage blocklist additions

Once you have those numbers, the case for COD-specific controls writes itself.

A 14% non-acceptance rate on a $300K/month store = ~$25K/month of margin walking out the warehouse door. The investment math becomes easy.

The takeaway

COD fraud is invisible by default. Western fraud apps were built for card markets and miss it. The signals that matter are address quality, phone validity, customer history, and conditional payment-method hiding.

For SEA Shopify merchants, Shieldy handles these specifically. Combined with a working relationship with your local courier, you can cut COD non-acceptance from 15% to under 8% within a quarter.

Measure first. Then deploy. The margin recovery is real.