Stop $0 Cart Fraud and Matching-Name Scams on Shopify

Most fraud requires sophisticated detection. Some doesn't.

There are a handful of fraud patterns where the fraudster's laziness produces a signature so distinctive that simple pattern-matching catches almost all instances. The $0-cart and matching-name patterns are two of the cleanest examples.

This guide covers what these patterns are, why they exist, and the simple rules that stop them. Unlike most fraud-defense topics, this is one where the right answer is short and decisive — implement the pattern detection, and the specific problem usually goes away.

The $0 cart pattern

Straightforward: a customer reaches checkout with a cart total of $0, completes the order, and receives whatever the order included (often free shipping, sample products, promotional items) at no cost.

The cart usually reaches $0 through:

• A 100% discount code applied (sometimes legitimately, sometimes stolen)
• Free product samples added to the cart
• Free-shipping threshold cart manipulation
• Bundle configurations that promotional logic miscalculates

Once the cart total is $0, no payment is collected. The order goes to fulfillment as if paid. The merchant ships the products and absorbs the cost.

A few honest cases exist (legitimate giveaways, beta-tester programs, employee samples) but most $0-cart orders not part of an intentional program are fraud or abuse.

Why merchants miss this

Two reasons:

Standard fraud apps look at risk score, not cart total. Most fraud-scoring systems are calibrated around payment risk — stolen cards, mismatched billing, suspicious customer profiles. A $0-cart order has no payment, so it doesn't trigger most fraud signals.

Orders look legitimate in isolation. Each $0-cart order is a single order with a customer, a shipping address, a fulfillment request. Looks like any other order. The fraud pattern only becomes visible across many orders, or by looking specifically at the order total.

The result: merchants often discover the pattern only when their fulfillment team raises a flag — "we shipped 200 free orders this month, was that intentional?"

The detection rule

Simple: at checkout (or shortly after order creation), check the order subtotal. If it's $0 — excluding fees like shipping or tax — flag, hold, or block the order.

The exclusion of fees matters because some legitimate orders have $0 subtotal but non-zero total (e.g., free product with paid shipping). The fraud pattern is specifically $0 subtotal — the products themselves are free.

Implementation options

• Block at checkout (cleanest, requires Shopify Plus checkout extensions)
• Auto-cancel after creation (works on all plans)
• Tag and hold for review (most conservative starting point)

Most stores start with "tag and hold" for 2-3 weeks, then tighten to "auto-cancel" once they've identified any legitimate exceptions.

The matching-name pattern

Even more distinctive. Fraudsters often don't bother to enter realistic customer information when committing fraud — particularly when the order is $0 or low-value enough that they don't care if it gets rejected.

The result: orders with first-name and last-name fields set to the same value:

• "John John"
• "Test Test"
• "asdf asdf"
• "x x"
• "Bob Bob"
• "Jane Jane"

Why does this happen? Speed. Card-testing scripts and lazy fraudsters fill in form fields with placeholders rather than realistic data. Fraud doesn't need a real name to succeed; the script optimizes for completion speed over realism.

Detection rule

If first-name and last-name fields are identical (case-insensitive comparison after trimming whitespace), flag the order.

Additional patterns to flag:

• Identical-character names ("xx xx", "aa aa")
• Gibberish patterns (entropy below a threshold)
• Known fraud-script signatures

Action options follow the same hierarchy as the $0-cart rule.

Combining the two patterns

The two patterns often appear together. A specific high-confidence fraud signal: $0 subtotal AND matching first/last name.

This combination is almost never legitimate. A merchant who automated cancellation on this combined signal would almost certainly never see a legitimate cancellation false positive.

The combined rule:

IF subtotal == $0 AND first_name == last_name THEN cancel_order

That single rule eliminates a specific category of fraud abuse with effectively zero false-positive cost.

False positives to plan for

Both patterns have edge cases worth handling:

Legitimate $0 orders

Some merchants intentionally have $0-cart use cases:

• Free sample requests where customer pays shipping
• Influencer or PR seeding programs
• Loyalty-program reward orders
• Employee free-order programs
• Beta-tester product distribution

For these: build an exception path — customers with specific tags, orders with specific discount codes, orders flagged with metafields. Document each exception so it's clear why it exists.

Legitimate matching names

Rarer in legitimate orders but does occasionally happen:

• Names that are genuinely the same first/last (rare but real, especially for nicknames)
• Test orders by store staff (should be caught and excluded anyway)
• Some cultural naming conventions where a single-word name is repeated

These are edge enough that most merchants accept the small false-positive cost.

What the patterns tell you about the fraudster

A useful diagnostic exercise: when you catch $0-cart or matching-name fraud, look at the fraudster's other characteristics. The patterns correlate with:

Low-sophistication operators. Script kiddies running basic tools without bothering to customize. Fraud at this level is often easy to stop with cheap controls.

Velocity-driven attacks. Card-testing scripts that prioritize speed over realism. The same fraudster's other attempts will share the same lazy data-entry signature.

Free-product hunters. Coordinated communities (often on Discord, Telegram, specific forums) that share scripts for exploiting promotional logic. Signatures are well-known; the same scripts get reused across many merchants.

Same-pattern signature catching multiple orders in a short window = the trace of a single attacker. Block all of them, not just the first one.

Other adjacent patterns

A few related patterns share the same "low-effort fraudster" fingerprint:

Sequential email patterns. [email protected], [email protected], [email protected] in close succession. Almost always automated.

Sequential addresses. Shipping addresses with sequential numbering (Apt 1, Apt 2, Apt 3) at the same building, especially when customers don't appear connected.

Date-time clustering. Many orders within seconds of each other from the same IP or device.

Identical user-agent across many "customers." Real customers have diverse user-agents. A single user-agent across dozens of new accounts in a short window is automation.

Each of these is a single rule catching a specific pattern with low false-positive rate. They accumulate into a useful "low-effort fraud" detection layer.

Setup in Shieldy

Shieldy Fraud Filter supports these patterns out of the box:

$0-cart rule

Auto-block checkout with free products (Settings → Mitigator → toggle on):

• Detects $0 subtotal orders
• Configurable exception: orders with specific discount codes/tags
• Action: auto-cancel or hold for review

Matching-name rule

Block matching name fraud (same Mitigator section):

• Detects first_name == last_name (case-insensitive)
• Includes gibberish detection (entropy threshold)
• Includes known placeholder-name list (Test, Demo, X, etc.)

Combined rule

The combined "$0 + matching name" check fires automatically when both above are enabled. Considered Shieldy's highest-precision rule — effectively zero false-positive rate.

Beyond the basic pattern

Sophisticated free-product abusers have learned that matching names trigger detection, so some have moved to nearly-matching names ("John Johns," "Test Tester"). Harder to catch with single equality but still detectable:

• Name similarity scoring. First/last names with edit distance < 2 (one letter different) usually still placeholders
• Vowel ratio anomaly. Real names have characteristic vowel ratios; "asdf asdf" or "qwerty qwerty" have unusual ratios
• Common-placeholder lists. Maintained list of common placeholder names (test, demo, sample, x, a, etc.) catches a long tail

These are diminishing-returns improvements. The basic "first == last" rule catches the majority; additions catch the next layer.

A practical implementation

If you run any free-product promotions on Shopify and want to close these patterns:

1. Configure: "if order subtotal == $0 AND first_name == last_name THEN auto-cancel"
2. Add exception for orders with specific discount code tied to legitimate campaigns
3. Add exception for orders from your team's email domain
4. Run for two weeks. Monitor cancellations to confirm no legitimate exceptions slip through
5. Optionally tighten with similarity-scoring additions

Total setup: under an hour in Shieldy.

A practical close

The John-John scam and $0-cart fraud are unusual in being clean cases where a simple rule closes the entire abuse channel. Most fraud isn't this neat.

Use the simplicity as opportunity. The hour you spend configuring these rules can save your free-product promotions from a category of abuse that, left unaddressed, turns a marketing campaign into an inventory drain.

Shieldy bundles these checks under "Auto-block fraud orders" — one toggle to enable both patterns at once.