Field notes
Shopify Fraud Prevention for DTC Brands: The 2026 Playbook
October 30, 2025
Fraud is a line item you can manage or a disaster that manages you
An electronics accessory brand we audited last year was running a 2.1% chargeback rate and had just received a Visa Monitoring Program warning. Annualized fraud and chargeback cost was material enough to make the founder consider shutting the store. We deployed Signifyd, rewrote the velocity rules in Shopify, and added manual review queues for high-risk flags. Chargeback rate dropped to 0.4% within 60 days. Total cost of fraud (including tool fees and fought disputes) fell dramatically, and the processor pulled the monitoring warning.
TL;DR
▸ Chargeback rate under 0.5% is the benchmark; above 1% is a processor-relationship risk
▸ Shopify's native fraud analysis handles low-risk categories; higher-risk needs third-party layers
▸ Velocity rules, manual review queues, and ATO monitoring are the three core defenses
▸ Guaranteed-fraud providers (Signifyd, NoFraud, Riskified) shift liability for a fee
The fraud taxonomy
Different fraud types need different defenses.
Stolen card fraud. Classic. Bad actor uses stolen card details to place an order. Chargeback comes when the real cardholder notices. Addressed by fraud scoring on checkout.
Card testing. Small-value orders to validate card details before larger fraud. Look for rapid small orders, unusual AOVs, and repeated declines. Addressed by velocity rules and CAPTCHAs.
Account takeover (ATO). Fraudster accesses a legitimate customer's account, changes shipping address, places orders. Addressed by MFA, device monitoring, and address-change alerts.
Friendly fraud. Real customer disputes legitimate charge. Often "I didn't receive it" or "I didn't authorize it." Addressed by evidence collection and guaranteed-fraud providers.
Promo abuse. Creating multiple accounts to abuse new-customer discounts. Addressed by device fingerprinting and loyalty program controls.
Reshipping fraud. Order shipped to a US address that serves as a relay point for international reshipping. Often flagged by shipping-address mismatch patterns.
Shopify's native fraud analysis
Every order gets a risk score (low, medium, high) based on:
▸ IP geolocation vs shipping/billing match
▸ Billing country vs shipping country
▸ Prior orders from the same customer
▸ Payment gateway signals (AVS, CVV)
▸ Velocity signals (multiple attempts on same card)
▸ Proxy detection
Low risk. Auto-approve. Most orders.
Medium risk. Manual review recommended. Typical for first-time customers.
High risk. Shopify strongly recommends review or cancellation. Many of these still turn out to be legitimate, so look before you cancel.
Native analysis is decent. It's not designed for sophisticated attacks. Above $3-5M revenue or in high-risk categories, augment with third-party tools.
Third-party fraud layers
| Tool | Model | Best for |
|---|---|---|
| Signifyd | Guaranteed approval (covers chargebacks) | Mid-to-large DTC, high AOV |
| NoFraud | Guaranteed approval, transaction-based pricing | Mid-market DTC, consumer goods |
| Riskified | Enterprise-level guarantee | Large retailers, complex operations |
| Kount | Scoring and rule engine, not guaranteed | Brands wanting control over decisions |
| Fraud Filter (Shopify native) | Rules-only, free | Small brands, low-risk categories |
| Stripe Radar | Built into Stripe, rule-based | Stripe-first stacks |
The SHIELD framework
When building fraud defenses, apply SHIELD.
S — Scoring. Multi-signal risk scoring at checkout. Shopify's or a third-party's.
H — Holds. Manual review queue for medium-risk orders. Someone with judgment looks at the edge cases.
I — Identity. Device fingerprinting, email reputation, address verification.
E — Evidence. Capture and retain data that helps fight chargebacks. IP, device, timestamp, delivery confirmation.
L — Limits. Velocity rules. Max orders per customer per day, per IP per hour, per card per week.
D — Detection. Ongoing monitoring. Dashboards for chargeback rate, refund rate, and anomalies by category, geography, traffic source.
Velocity rules that work
Specific rules we deploy for most DTC stores:
▸ Max 3 orders per customer per 24 hours (adjust for gift-heavy brands)
▸ Max 5 orders per IP per hour
▸ Max 10 orders per billing ZIP per day
▸ Max 3 declined attempts per card before block
▸ First-time order over $500 flagged for review
▸ Shipping to freight forwarder address flagged for review
These catch card testing and fraud rings without punishing real customers.
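As an added example (not from the post and not any vendor's product), here are the rules above as a sliding-window engine run over a constructed order stream. The Order fields, token values, IPs and customer names are assumptions; the thresholds are the ones listed above. Every checkout attempt counts toward velocity, declined or not, which is what catches card testing.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Order:          # constructed record; field names are this example's, not Shopify's
    ts: datetime
    customer: str
    ip: str
    zip: str
    card: str         # payment token or card fingerprint, never the raw PAN
    amount: float
    declined: bool = False
# (order field, sliding window, max attempts): the thresholds listed in the post.
RULES = [("customer", timedelta(hours=24), 3), ("ip", timedelta(hours=1), 5), ("zip", timedelta(days=1), 10)]
MAX_DECLINES_PER_CARD, FIRST_ORDER_REVIEW_AMOUNT = 3, 500

class VelocityEngine:
    def __init__(self):
        self.windows = defaultdict(deque)   # (field, value) -> attempt timestamps in window
        self.declines = defaultdict(int)    # card token -> declined attempts seen
        self.known_customers = set()        # customers with at least one approved order

    def _attempts(self, field, value, ts, window):
        q = self.windows[(field, value)]
        while q and ts - q[0] > window: q.popleft()   # drop attempts that aged out
        q.append(ts)
        return len(q)

    def evaluate(self, o):
        flags = []
        for field, window, limit in RULES:  # every attempt counts, declines included
            if self._attempts(field, getattr(o, field), o.ts, window) > limit:
                flags.append(f"velocity_{field}")
        self.declines[o.card] += o.declined  # bool adds as 0/1
        if self.declines[o.card] >= MAX_DECLINES_PER_CARD:
            flags.append("card_blocked")
        if o.customer not in self.known_customers and o.amount > FIRST_ORDER_REVIEW_AMOUNT:
            flags.append("first_order_high_value")
        if not o.declined:
            self.known_customers.add(o.customer)
        return flags
def run_sample():
    # Constructed stream: six $4.99 attempts a minute apart from one IP on one card
    # (first three declined), then a first-time customer's $620 order from elsewhere.
    t0 = datetime(2025, 10, 30, 9, 0)
    burst = [Order(t0 + timedelta(minutes=i), f"guest{i}", "203.0.113.7", "10001",
                   "tok_aaa", 4.99, declined=i < 3) for i in range(6)]
    alice = Order(t0 + timedelta(hours=3), "alice", "198.51.100.4", "94110", "tok_bbb", 620.0)
    engine = VelocityEngine()
    return [engine.evaluate(o) for o in burst + [alice]]
```

In production the windows live in Redis or the fraud tool rather than process memory, but the evaluation order (velocity, declines, first-order value, then forwarder flag) is the same.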
The manual review queue
High-risk orders need human judgment. The queue process:
Timing. Review within 2 hours during business hours, next morning on weekends. Don't let the queue age.
Evidence. Reviewer sees order details, customer history, IP geolocation, device info, AVS/CVV match, and prior chargebacks if any.
Decision. Approve, reject, or request verification (call customer, ask for ID).
Documentation. Reason for decision logged. Pattern tracking over time.
Training. Reviewers need ongoing training. Fraud patterns evolve; reviewers must too.
Our customer experience service structures the manual review workflow for clients with meaningful volume.
Chargeback fighting
When a chargeback comes in, the question is whether to fight it.
Fight if. You have strong evidence (delivery confirmation, IP match, prior legitimate orders from same customer, loyalty history, digital product download confirmation).
Don't fight if. Evidence is weak. AVS mismatch. First-time customer. Signals look like genuine stolen-card fraud rather than friendly fraud.
Fight rate. Most brands should fight 40-60% of chargebacks. Above 80% means you're wasting time on losers. Below 30% means you're giving up too early.
Win rate. 25-45% win rate on fought chargebacks is realistic. Higher with guaranteed-fraud providers who do the disputing.
Account takeover defenses
MFA offered. Even optional MFA deters some ATO. Shopify Plus supports this more robustly than standard plans.
Login velocity. Alert on many login attempts from different IPs for the same account.
Shipping address changes. When a customer changes shipping address, email them a confirmation. Make the change reversible from the email.
Password breach monitoring. Services like HaveIBeenPwned flag accounts whose emails appear in breaches. Force a password reset on those accounts.
Session anomalies. New device + high-value order = flag for review. Shopify Plus has more tools here.
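An added example, not from the post: the login-velocity and new-device checks above, run over constructed events. The 30-minute window, the three-distinct-IP threshold and the $300 order threshold are assumptions (the post gives no numbers), as are the account, device and IP values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; the post gives no specific numbers.
LOGIN_WINDOW, MAX_DISTINCT_IPS, HIGH_VALUE_ORDER = timedelta(minutes=30), 3, 300

class AtoMonitor:
    def __init__(self):
        self.logins = defaultdict(list)   # account -> [(ts, ip)] inside the window
        self.devices = defaultdict(set)   # account -> device fingerprints on approved orders

    def login(self, account, ts, ip):
        # Keep only logins still inside the window, then count distinct source IPs.
        recent = [(t, i) for t, i in self.logins[account] if ts - t <= LOGIN_WINDOW]
        recent.append((ts, ip))
        self.logins[account] = recent
        distinct_ips = {i for _, i in recent}
        return "login_velocity" if len(distinct_ips) >= MAX_DISTINCT_IPS else None

    def order(self, account, device, amount):
        # New device + high-value order is the post's review trigger; a device only
        # becomes "known" once an order from it went through without a flag.
        if device not in self.devices[account] and amount > HIGH_VALUE_ORDER:
            return "new_device_high_value"
        self.devices[account].add(device)
        return None

def run_sample():
    # Constructed events: alice's usual device places a small order; then three logins
    # from three IPs within ten minutes; then a $450 order from an unseen device.
    m = AtoMonitor()
    t0 = datetime(2025, 10, 30, 20, 0)
    out = [m.order("alice", "dev_home", 80.0)]
    out += [m.login("alice", t0 + timedelta(minutes=5 * k), ip)
            for k, ip in enumerate(["198.51.100.4", "203.0.113.9", "203.0.113.77"])]
    out.append(m.order("alice", "dev_unknown", 450.0))   # flagged for review
    out.append(m.order("alice", "dev_home", 450.0))      # known device, passes
    return out
```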
Promo abuse controls
Limit one-time-use codes. Single redemption per customer (email + device).
Device fingerprinting. Services like FingerprintJS detect multiple accounts from same device.
Minimum order. New-customer discount requires minimum AOV to deter test orders.
Loyalty integration. Use loyalty app controls to limit new-account discount eligibility.
High-risk categories
Some categories attract more fraud:
▸ Electronics and accessories (resale value)
▸ Luxury and designer goods (resale value)
▸ Gift cards (universal liquidity)
▸ Nutraceuticals (controlled substance proximity)
▸ Firearms accessories (regulatory overlay)
For these, a guaranteed-fraud provider is usually worth the fee. The math almost always works.
International fraud patterns
Different countries have different fraud profiles. Some markets (Nigeria, Venezuela, Russia) show high fraud rates that don't reflect the broader population; they reflect where fraud actors currently route.
Geoblocking. Legitimate tool for countries where you don't have market presence and see high fraud.
Require 3D Secure. For certain high-risk countries, force 3DS authentication before processing.
Shipping restrictions. Don't ship to freight forwarders unless the category economics support it.
Our international expansion service balances fraud control against legitimate international customer access.
Common traps
Over-blocking. Some brands block 5%+ of orders and celebrate the low chargeback rate. They're leaving revenue on the table.
Under-reviewing. Auto-approving everything saves CS time but opens the door to fraud waves.
Not fighting. Eating every chargeback is leaving money and signals on the table.
No monitoring. Chargeback rates creep up gradually. Without dashboards, you notice when the processor calls.
Related reading
The Shopify B2B setup post covers wholesale-specific fraud controls (POs, credit limits). The compliance audit service handles the broader risk picture. The returns policy post addresses returns abuse, which overlaps with friendly fraud. For the tracking side, our AI support post covers how CS handles fraud-adjacent tickets.
What to do this week
▸ Pull your chargeback rate by month for the last 12 months and identify the trajectory
▸ Review Shopify's risk-flagged orders for the last 90 days and calculate what % turned out to be legit
▸ Define velocity rules and implement in Shopify or a fraud filter
▸ Evaluate whether your category and volume justify a third-party fraud layer
▸ Document the manual review workflow: who reviews, when, what evidence, what action
Fraud is a tax you pay whether you manage it or not. The question is whether the tax is 0.3% or 3%.