Fraud Prevention & Protection for Shopify & Shopify Plus

Fraud prevention is not the most glamorous topic for eCommerce teams and, for that reason, it often goes under the radar when discussing requirements and functionality when planning a migration to, or a build generally with, Shopify Plus. But for all the plans of how Shopify can help your business grow, this age-old problem could still be draining a lot of money or causing unnecessary operational overheads in the background, when it doesn’t need to.

By fraud in this context, we are mainly talking about any orders resulting in you incurring chargebacks - which is based on a user’s bank reclaiming the value of an order after it has already been processed. This can include ‘true fraud’ in cases like stolen credit cards/details being used to place an order, and ‘friendly fraud’ where the legitimate card owner reports the transaction to their bank after the event in order to get reimbursed. If migrating from another platform, you might well be familiar with solutions like Third Man (a commonly used solution provided alongside Sagepay) or Kount (Braintree’s equivalent), but Shopify Payments doesn’t really (I’ll come onto this more later) have this. Shopify Payments does support 3D Secure (3DS), which is where, during the checkout journey, the customer will be redirected to their debit/credit card provider's page and asked for additional verification. This greatly reduces the risk of transaction fraud by putting additional verification in place for the user - using 3d secure also means that the transaction risk / liability is passed to the card issuer.

When looking to find a solution, the logical place to start is with what Shopify can offer natively. Shopify, by default, will do a risk analysis on each order which can be seen on an Order page within the admin down the right-hand side (as per the image below) - and is graded at:

• High risk

• Medium risk

• Low risk

This is a good starting point, although it is based on a relatively simple set of criteria. The main things considered are card details, billing and shipping address information, transaction value and previous history of this user across Shopify stores (which will eventually become much more powerful with Shopify's push for world domination).

The problem with such a rudimentary traffic light grading system, is that a high-risk order could well be just someone purchasing whilst on holiday or traveling for work - which in some cases, could be an important segment of orders. So ideally, this analysis should help inform a decision on next steps, rather than make the decision. Shopify Flow can then be harnessed perfectly here. In theory, it can be set up to automatically cancel each High Risk order - but as above, this isn’t a great idea and it is best instead to automatically tag each instance of these orders as `Risk: High`. The workflow can be set up to look like this:

This will trigger an email to notify the relevant person of a high-risk order, and also tag the order within Shopify. A filter can then be applied within the Admin panel to view these quickly and make an informed decision before fulfilling. Another node may be added below the ‘No’ check, for a Medium risk order. Often this is overkill, but for a brand with particularly high-value orders or struggling with chargebacks, it’s worth considering.

Also worth a mention, is a piece of native functionality for US Merchants called Shopify Fraud Protect. This takes a small fee per order, but then covers the cost of each chargeback occurred.

At completely the other end of the scale is the option of using a solution like Riskified or Signifyd. These SaaS platforms have been around for a while, and have proven track records of delivering to enterprise-level companies and span cross-platform. They use a range of technologies to combine web proxy detection, machine learning, behavioural analysis, and order linking (matching up in real-time against a huge history of orders across multiple platforms & services) - all meaning an end result of being able to guarantee 100% freedom from chargebacks. This guarantee costs ~$3,000 per month/1% of order totals, but if the maths works out, then it’s a very strong selection.

Finally, somewhere between these two bookends at either end of the scale, lies several options worth looking at. Directly from the Shopify App store, there are several apps listed, with ‘NoFraud’ and ‘Fraud Scanner’ having a good reputation and a decent offering. But in this mid-market space, it is NS8 that sits above the others. NS8 is not strictly bound to Shopify either, and also has Magento/BigCommerce integrations - however, (at the time of writing) it is the only one of the Shopify Apps that integrates directly into your Shopify Flow account to utilise automation - including flagging or cancelling orders based on a much deeper (and configurable) set of rules. It offers some of the functionality of the Riskified/Signifyd options in terms of behavioural analysis and order linking to a certain degree, and scores every user to the site from 0-1,000 based on a set of 70+ criteria. Priced much more the mid-market at ~£100-£300 per month, it is well worth consideration.

There is no single solution that fits the whole market, and these options should be reviewed alongside monitoring the specific number & cost of chargebacks to see which adds up as best fit. But, as an absolute minimum after moving to Shopify Plus - you should be configuring Flow to flag the High Risk orders so that you can deal with them on a case-by-case basis and have visibility as they occur around how big the issue is for you.