Fraudulent orders on digital products

I have an application that automatically adds a product to the cart when specific conditions are met (widget with toggle button, etc.). If there is nothing else in the cart, this product is removed.

We’ve had a couple of customers reach out asking us about receiving orders with only this product in the cart. They’ve shown us screenshots where Shopify has marked these orders as fraud but they’ve still had to refund these orders.

These customers have told us these orders are coming in really quickly and only stop once our product has been removed from their product catalog so I don’t think this fraud is happening by hand.

We’re thinking that a fraudster is using our digital product to test stolen credit card details. Is there something we can do to prevent this kind of thing from happening?

We’ve looked at blocking these orders from going to the checkout flow in the first place but would like to know if any other options are available before making that kind of change on behalf of each merchant.

Has anyone else seen this kind of issue? If so, how did you get around it?

Is the digital product always a free product? Is that what gets added as the free product? Can someone add that product manually?

Just trying to follow the details of what you’re describing.

If it’s not reasonable to just get the free product, a cart validation function would prevent that, but let us know and we might be able to help with ideas anyway.

Edit: - not sure you ever said free, sorry about that. Still curious about the details though.

We’re thinking that a fraudster is using our digital product to test stolen credit card details. Is there something we can do to prevent this kind of thing from happening?

Sounds like credit card testing.

Digital products are especially appealing since a shipping address isn’t required. Or potentially this could be false positives by Shopify Risk Analysis since the shipping address isn’t available to help add more context.

Unfortunately Shopify doesn’t give more tooling to non-Plus merchants for bot prevention.

You may need to hand roll out your own risk algos, like detecting the IP address / User Agent of the browser before adding the product to the cart.

The bad actors may have even scraped the product ID so they’re just adding the product to the cart programmatically, and there’s not much you can do about that.

I would advise moving your risk mitigation to post-checkout instead of trying to outright prevent this from happening. The tooling simply isn’t there.

You can use Shopify Flow to manually capture payment on low risk orders, and automatically cancel these high risk orders that only contain the digital product.

Alternatively, you can offer this functionality in-app as well.
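
The post-checkout approach suggested above (capture low-risk orders, cancel high-risk orders that contain only the digital product) can be sketched as follows. This is an added example, not code from any poster in the thread; it also holds back add-on-only orders that arrive in a rapid burst, as described in the original question. The order shape, product id, window and threshold are assumptions, not Shopify's schema.

```javascript
// Added example. The order shape is a simplified assumption, not Shopify's schema.
const ADDON_PRODUCT_ID = "addon-1";      // hypothetical id of the auto-added product
const BURST_WINDOW_MS = 10 * 60 * 1000;  // assumed window: 10 minutes
const BURST_THRESHOLD = 3;               // assumed: 3+ add-on-only orders in the window

// True when every line item in the order is the auto-added product.
function isAddonOnly(order) {
  return order.lineItems.length > 0 &&
    order.lineItems.every((item) => item.productId === ADDON_PRODUCT_ID);
}

// Sliding window over add-on-only orders, returning ids that arrived in a burst.
function burstOrderIds(orders) {
  const hits = orders.filter(isAddonOnly)
    .map((o) => ({ id: o.id, t: Date.parse(o.createdAt) }))
    .sort((a, b) => a.t - b.t);
  const flagged = new Set();
  let start = 0;
  for (let end = 0; end < hits.length; end++) {
    while (hits[end].t - hits[start].t > BURST_WINDOW_MS) start++;
    if (end - start + 1 >= BURST_THRESHOLD) {
      for (let i = start; i <= end; i++) flagged.add(hits[i].id);
    }
  }
  return flagged;
}

// Returns Map(orderId -> "cancel" | "capture" | "review").
function triageOrders(orders) {
  const burst = burstOrderIds(orders);
  const decisions = new Map();
  for (const o of orders) {
    if (isAddonOnly(o) && o.riskLevel === "HIGH") decisions.set(o.id, "cancel");
    else if (o.riskLevel === "LOW" && !burst.has(o.id)) decisions.set(o.id, "capture");
    else decisions.set(o.id, "review"); // everything else waits for a human
  }
  return decisions;
}

// Constructed sample orders (not real data).
const addon = { productId: ADDON_PRODUCT_ID };
const shirt = { productId: "shirt-9" };
const SAMPLE_ORDERS = [
  { id: "A", riskLevel: "HIGH", createdAt: "2024-05-01T12:00:00Z", lineItems: [addon] },
  { id: "B", riskLevel: "LOW", createdAt: "2024-05-01T12:01:00Z", lineItems: [addon] },
  { id: "C", riskLevel: "MEDIUM", createdAt: "2024-05-01T12:02:00Z", lineItems: [addon] },
  { id: "D", riskLevel: "LOW", createdAt: "2024-05-01T12:03:00Z", lineItems: [shirt, addon] },
  { id: "E", riskLevel: "LOW", createdAt: "2024-05-01T15:00:00Z", lineItems: [addon] },
  { id: "F", riskLevel: "HIGH", createdAt: "2024-05-01T15:05:00Z", lineItems: [shirt] },
];
console.log(Object.fromEntries(triageOrders(SAMPLE_ORDERS)));
```

Order B shows why the burst check matters: it is rated low risk on its own but is held for review because it arrived alongside two other add-on-only orders within the window.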