14 min read · ShieldFlow Team

Why Shopify's Built-in Fraud Analysis Isn't Enough (And What to Do)

Shopify's fraud analysis gives you risk indicators but can't block checkouts, cancel orders, or clean email lists. Here's what's missing and how to fill the gaps.

#shopify #fraud-prevention #fraud-analysis #comparison

Every Shopify store has built-in fraud analysis. It runs automatically on every order. It assigns risk levels — low, medium, high — and gives you a handful of indicators explaining why. Most merchants assume this means they are protected.

They are not.

Shopify’s fraud analysis is a risk labeling tool, not a fraud prevention system. It tells you what happened after the fact. It does not stop anything from happening in the first place. The distinction matters enormously when bots are running 3,000 card tests through your checkout at 2 AM, your Klaviyo list is filling with garbage emails, and your Visa dispute ratio is climbing toward the VAMP threshold that gets your payment processing suspended.

This article breaks down exactly what Shopify’s built-in fraud tools do, what they do not do, where the critical gaps are, and how to fill them.

What Shopify Fraud Analysis Actually Does

Shopify’s fraud analysis is available on every plan — Basic, Shopify, Advanced, and Plus. It runs automatically on each order and uses machine learning trained on data from millions of Shopify stores to produce fraud risk assessments.

Here is what it provides:

Risk Indicators

Each order gets a risk level (low, medium, high) along with specific indicators that explain the assessment. These indicators include signals like:

  • Whether the billing address matches the credit card address
  • Whether the IP address is associated with the shipping address
  • Whether the customer has placed orders on other Shopify stores
  • Whether multiple payment attempts were made
  • Whether the order was placed from a high-risk country or using a proxy

These indicators are genuinely useful. They consolidate signals that would take a merchant significant time to check manually.

Fraud Recommendations

On the Shopify plan and above, fraud analysis includes recommendations: fulfill, investigate, or cancel. These are based on the combined risk indicators and Shopify’s internal risk model. On the Basic plan, you get the indicators but not the explicit recommendations.

Order Tagging

Orders flagged as medium or high risk can be surfaced in your order list for manual review. You can filter by risk level and prioritize which orders to investigate.

That is the full extent of what Shopify’s built-in fraud analysis does. For a free, always-on tool, it is a reasonable baseline. But the gaps are significant.

What Shopify Fraud Analysis Does Not Do

This is the longer list, and it is where most merchants get burned.

It Cannot Block Checkouts

Shopify’s fraud analysis runs after an order is placed. It does not intervene during checkout. A bot can initiate a checkout, fill in stolen credit card details, submit the payment, and complete the order — and only then does Shopify’s fraud analysis flag the order as high risk. By that point, the payment has been processed, the checkout record exists, and the email has been captured by your marketing tools.

This is the single most important limitation. Fraud analysis is reactive. It tells you about a problem that already happened. It does not prevent the problem.

It Cannot Auto-Cancel Fraudulent Orders

Even when Shopify flags an order as high risk with a “cancel” recommendation, it does not cancel the order for you. A human must review the order and manually click cancel. If you are asleep when 200 fraudulent orders come through, all 200 will sit in your queue until you wake up and cancel them one by one.

Some merchants learn this the hard way during weekend card testing attacks when no one is watching the dashboard.

It Has No Real-Time Detection

There is no streaming analysis as checkout events happen. Shopify’s fraud analysis processes each order as an independent event after submission. It does not detect velocity patterns in real time — 50 checkouts from the same device in 10 minutes, rapid-fire attempts from a single IP, or coordinated bot activity hitting your store simultaneously.

Velocity detection is one of the most effective signals for identifying card testing attacks. Without it, Shopify’s fraud analysis treats each fraudulent order as an isolated incident rather than recognizing the pattern.

It Has No Behavioral Analysis

Shopify’s fraud analysis examines order data: addresses, payment details, IP geolocation. It does not analyze how the customer behaved during the session. It cannot detect that a “customer” filled in checkout fields in 0.3 seconds (impossible for a human), that there were zero mouse movements before form submission, or that the session had no scrolling or page navigation before reaching checkout.

Behavioral signals are among the most reliable indicators of bot activity. Real humans move mice erratically, pause, scroll, and take time to type. Bots do none of these things.

It Has No Device Fingerprinting

The fraud analysis does not capture or analyze device fingerprints — canvas rendering, WebGL hashes, screen resolution patterns, installed fonts, or browser feature combinations that uniquely identify a device. Without fingerprinting, a bot that rotates IP addresses and uses fresh browser sessions appears as a completely new “customer” on every attempt.

Device fingerprinting is how you catch sophisticated bots that evade IP-based detection.

It Does Not Clean Your Email Lists

When fake checkouts inject disposable or stolen email addresses into your Shopify customer data, those emails flow downstream into Klaviyo, Mailchimp, Omnisend, and every other marketing tool connected to your store. Shopify’s fraud analysis does nothing about this. It does not flag fake emails. It does not remove them from your customer records. It does not notify your ESP.

The cost of email list pollution compounds over time. You pay per-contact on most email platforms. Your bounce rate climbs. Your sender reputation degrades. Eventually, emails to real customers start landing in spam. Read more about the cleanup process in our guide on cleaning fake profiles from Klaviyo.

It Does Not Protect Express Checkout

Shop Pay, Apple Pay, and Google Pay are designed to minimize friction. A customer (or bot) with tokenized payment data can complete a purchase with almost no interaction. Shopify’s fraud analysis still runs on these orders after completion, but the reduced checkout steps mean fewer signals for the risk model to evaluate — and the speed of express checkout makes it an attractive vector for automated attacks.

What About Shopify Protect?

Shopify Protect is Shopify’s chargeback guarantee program, available exclusively on Shopify Plus (at 0.6% of protected order value). It is a step up from basic fraud analysis. If Shopify Protect approves an order and it later results in a chargeback, Shopify covers the disputed amount and the chargeback fee.

That sounds good. Here are the catches.

Shop Pay only. Shopify Protect only covers orders placed through Shop Pay. Orders placed with credit cards directly, Apple Pay, Google Pay, or any other payment method are not protected. For most stores, Shop Pay represents a fraction of total transactions — industry estimates suggest 15-30% depending on your customer base.

US merchants only. As of early 2026, Shopify Protect is limited to merchants based in the United States processing through Shopify Payments.

Still reactive. Protect does not prevent fraud. It reimburses you after fraud occurs. The fraudulent order still gets created. The email still enters your system. The chargeback still hits your account — Shopify just covers the cost. Your dispute ratio with Visa and Mastercard still increases, which matters for VAMP compliance.

Not all orders qualify. Shopify Protect can decline to cover certain orders based on its own risk assessment. The guarantee is not unconditional.

Shopify Protect is a financial safety net for a narrow slice of transactions. It is not a fraud prevention strategy.

What About the Shopify Fraud Control App?

Shopify also offers a standalone Fraud Control app in the App Store. It is free to install and provides some additional capabilities beyond the built-in analysis, including the ability to automatically cancel high-risk orders.

However, the merchant reception has been poor. As of early 2026, the app carries a 2.3-star rating on the Shopify App Store. Common complaints from merchants include:

  • High false positive rates. Legitimate orders flagged as fraudulent and auto-cancelled, leading to lost revenue and frustrated customers.
  • Limited configurability. Merchants cannot fine-tune the rules or thresholds. The app makes decisions as a black box, and when it gets it wrong, there is no way to adjust.
  • No transparency in decisions. When the app cancels an order, merchants often cannot see the specific reasons in enough detail to understand whether the decision was correct.
  • Cancellation timing issues. Some merchants report that the app cancels orders after fulfillment has already begun, creating logistics headaches.

The intent behind the Fraud Control app is sound — giving merchants automated actions on fraud, not just labels. But the execution has not earned merchant confidence. A tool that auto-cancels legitimate orders is arguably worse than no tool at all, because it directly costs you revenue and customer trust.

What Merchants Actually Need

Based on conversations with hundreds of Shopify merchants dealing with fraud, the requirements fall into five categories that Shopify’s built-in tools do not cover:

1. Pre-checkout blocking. Stop fraudulent transactions before payment is submitted. Not after. Before. This is the single most requested capability that does not exist natively in Shopify.

2. Real-time velocity detection. Identify and stop card testing patterns as they happen — not one order at a time, but as a coordinated attack. When 100 checkouts come from the same device fingerprint in 5 minutes, that should be caught on attempt number 3, not reviewed manually on attempt number 100.

3. Behavioral and device intelligence. Go beyond address matching and IP geolocation. Analyze how the user interacts with the page. Fingerprint the device. Detect the signals that distinguish a human from a script.

4. Automated response. When fraud is detected, take action automatically. Cancel orders, tag customers, block devices — without requiring a human to be awake and watching the dashboard at 3 AM.

5. Email list cleanup. When fake emails do enter the system, remove them from marketing platforms before they damage sender reputation. This is not optional for stores using Klaviyo or Mailchimp at scale.

How ShieldFlow Fills Every Gap

ShieldFlow was built specifically to address the limitations described above. Every design decision started from the question: what does Shopify’s native fraud analysis fail to do, and what do merchants actually need?

Pre-Checkout Blocking

ShieldFlow uses Shopify’s block_progress API to intercept checkout attempts before payment is processed. When the fraud engine returns a BLOCK verdict, the customer cannot advance past the checkout step. No payment is submitted. No order is created. No email is captured. The attack is stopped at the earliest possible point.

This is fundamentally different from every reactive approach. Instead of labeling a fraudulent order after the damage is done, ShieldFlow prevents the damage from occurring.

Real-Time Velocity Detection

ShieldFlow’s fraud engine tracks checkout velocity across multiple dimensions in real time using Redis. It monitors attempts per IP address, attempts per device fingerprint, attempts per email pattern, and attempts per geographic cluster. When velocity exceeds configurable thresholds, subsequent attempts from that source are automatically blocked.

A card testing attack that fires 500 checkout attempts in 10 minutes gets stopped within the first few attempts. The remaining 490+ attempts are blocked at checkout before they touch your payment processor.
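The sliding-window counter that this kind of velocity check relies on, as an added illustration that is not ShieldFlow's code: an in-memory Map stands in for Redis (the same logic maps onto a Redis sorted set per key, or INCR with EXPIRE), the dimensions and thresholds are constructed for the example, and the simulated attack below is a constructed scenario of one device fingerprint rotating through IP addresses.

```javascript
// Added example (not ShieldFlow's code): sliding-window velocity tracking
// across several dimensions (IP, device fingerprint, email domain).
// Thresholds below are constructed for illustration; a real deployment
// makes them per-store configuration.
const DEFAULT_THRESHOLDS = {
  ip:          { max: 5,  windowMs: 10 * 60 * 1000 },
  fingerprint: { max: 3,  windowMs: 10 * 60 * 1000 },
  emailDomain: { max: 20, windowMs: 10 * 60 * 1000 },
};

class VelocityTracker {
  constructor(thresholds = DEFAULT_THRESHOLDS) {
    this.thresholds = thresholds;
    // key "dimension:value" -> array of attempt timestamps (ms) inside the window.
    // This Map is the stand-in for Redis.
    this.buckets = new Map();
  }

  // Record one checkout attempt and return the decision for it. Every
  // dimension is counted even when another one already tripped, so the
  // counters stay accurate for later attempts.
  record(attempt, nowMs) {
    const tripped = [];
    for (const [dim, cfg] of Object.entries(this.thresholds)) {
      const value = attempt[dim];
      if (value === undefined) continue;
      const key = `${dim}:${value}`;
      const cutoff = nowMs - cfg.windowMs;
      // Drop timestamps that fell out of the window, then add this attempt.
      const times = (this.buckets.get(key) || []).filter(t => t > cutoff);
      times.push(nowMs);
      this.buckets.set(key, times);
      if (times.length > cfg.max) {
        tripped.push({ dim, value, count: times.length, max: cfg.max });
      }
    }
    return { verdict: tripped.length ? 'BLOCK' : 'ALLOW', tripped };
  }
}

function domainOf(email) {
  return email.slice(email.indexOf('@') + 1).toLowerCase();
}

// Constructed scenario: 500 attempts about 1.2 s apart from one device
// fingerprint, rotating through 200 IP addresses in the TEST-NET-3 range.
function simulateCardTest(tracker = new VelocityTracker(), attempts = 500) {
  const start = 1700000000000; // constructed epoch timestamp (ms)
  let blocked = 0;
  let firstBlockedAttempt = null;
  for (let i = 1; i <= attempts; i++) {
    const attempt = {
      ip: `203.0.113.${i % 200}`,
      fingerprint: 'fp-constructed-abc123',
      emailDomain: domainOf(`user${i}@example.com`),
    };
    const { verdict } = tracker.record(attempt, start + i * 1200);
    if (verdict === 'BLOCK') {
      blocked++;
      if (firstBlockedAttempt === null) firstBlockedAttempt = i;
    }
  }
  return { attempts, blocked, firstBlockedAttempt };
}

// simulateCardTest() -> { attempts: 500, blocked: 497, firstBlockedAttempt: 4 }
```

Because the fingerprint dimension has the tightest limit, the rotating IPs buy the attacker nothing: the fourth attempt is already blocked. Keeping the window in Redis rather than process memory is what lets several app instances share the counters, which matters when the checkout extension calls into a horizontally scaled backend.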

Behavioral Fingerprinting

ShieldFlow deploys a lightweight fingerprinting script through a Shopify Theme App Extension. This script runs on your storefront and collects signals that are impossible to capture at the checkout level due to Shopify’s sandbox restrictions:

  • Canvas and WebGL rendering hashes
  • Screen resolution and color depth
  • Typing cadence and mouse movement patterns
  • Time-on-page and scroll behavior
  • Browser feature detection

These signals are hashed (SHA-256) and passed through the checkout flow via cart attributes. The fraud engine uses them to identify devices across sessions — even when IPs rotate — and to distinguish human behavior from automated scripts.

Automated Actions

When ShieldFlow detects fraud, it acts without waiting for human intervention:

  • Checkout blocking via block_progress for pre-payment fraud
  • Automatic order cancellation via Shopify Admin API for express checkout fraud caught by webhooks
  • Customer tagging so flagged entities are tracked across future orders
  • Device blocking so the same fingerprint cannot retry on your store

The system operates 24/7. Weekend attacks and 3 AM bot runs get the same response as fraud detected during business hours.

Email List Cleanup

ShieldFlow integrates with Klaviyo, Mailchimp, and Omnisend to identify and remove email addresses injected by fake checkouts. When the fraud engine flags a checkout as fraudulent, it checks whether the associated email was added to your marketing platforms and removes it.

This is a capability no other Shopify fraud app offers. It directly protects your sender reputation and prevents the downstream costs of email list pollution.

Fail-Open Architecture

If ShieldFlow’s backend or Redis cache becomes unavailable, the system fails open — all checkouts proceed normally. Legitimate customers are never blocked due to an infrastructure issue. This is a deliberate design choice: it is better to let a few fraudulent checkouts through during a brief outage than to block real customers from purchasing.

Comparison: Shopify Native vs. ShieldFlow

Capability                   | Shopify Fraud Analysis | Shopify Protect      | Fraud Control App | ShieldFlow
Pre-checkout blocking        | No                     | No                   | No                | Yes (block_progress)
Real-time velocity detection | No                     | No                   | No                | Yes (Redis-backed)
Device fingerprinting        | No                     | No                   | No                | Yes (canvas, WebGL, behavioral)
Behavioral analysis          | No                     | No                   | No                | Yes (mouse, typing, scroll)
Auto-cancel orders           | No                     | No                   | Yes (unreliable)  | Yes (webhook-based)
Email list cleanup           | No                     | No                   | No                | Yes (Klaviyo, Mailchimp, Omnisend)
Express checkout coverage    | Partial (post-order)   | Shop Pay only        | Partial           | Yes (webhook safety net)
Chargeback guarantee         | No                     | Yes (Shop Pay only)  | No                | No
Custom rules                 | No                     | No                   | No                | Yes (per-rule config)
Fail-open safety             | N/A                    | N/A                  | No                | Yes
Works on all Shopify plans   | Yes                    | Plus only            | Yes               | Yes
Pricing                      | Free                   | 0.6% of order value  | Free              | Free / $19/mo+

The takeaway: Shopify’s native tools and ShieldFlow are not competitors — they are complementary layers. ShieldFlow handles the proactive prevention that Shopify cannot, while Shopify’s fraud analysis provides a secondary signal layer on orders that make it through.

The Right Stack for Most Merchants

For the majority of Shopify stores dealing with fraud, the optimal setup is a layered approach:

Layer 1: Shopify fraud analysis (free, already running). Keep this enabled. Use the risk indicators as a secondary signal for manual review of borderline orders. It costs nothing and provides useful context.

Layer 2: ShieldFlow for proactive prevention. Block card testing and fake checkouts at the source. Catch bots before they touch your payment processor. Clean up email lists automatically. This is the layer that Shopify does not provide.

Layer 3 (optional): Chargeback guarantee. If you are in a high-risk vertical and want financial coverage on approved orders, consider adding NoFraud or Signifyd alongside ShieldFlow. ShieldFlow reduces the volume of fraud that reaches these tools, which lowers your cost. See our full comparison of fraud prevention apps for detailed analysis of each option.

Frequently Asked Questions

Is Shopify’s built-in fraud analysis completely useless?

No. It is a useful baseline that provides risk signals at no additional cost. The problem is that many merchants treat it as their entire fraud strategy when it only covers one narrow piece — post-order risk labeling. It cannot block, cannot auto-cancel reliably, cannot detect bots, and cannot clean up the collateral damage from attacks. Use it as one input alongside proactive tools, not as your only defense.

Does Shopify Protect replace the need for a fraud prevention app?

No. Shopify Protect is a financial reimbursement program, not a prevention tool. It only covers Shop Pay orders on Shopify Plus. It does not stop fraud from happening — it compensates you afterward for a subset of transactions. Your chargeback ratio still increases, your email lists still get polluted, and non-Shop Pay transactions are not covered. Most stores need prevention (stopping fraud before it happens) rather than insurance on a single payment method.

Why does the Shopify Fraud Control app have such low ratings?

The most common complaints are false positives (cancelling legitimate orders), lack of configurability (merchants cannot adjust thresholds), and opaque decision-making (unclear why specific orders were flagged). Auto-cancelling orders is a powerful capability, but only if the underlying detection is accurate and the merchant has control over sensitivity. When the tool cancels real orders, it directly costs revenue and erodes customer trust — which merchants understandably rate poorly.

Can I use ShieldFlow alongside Shopify’s built-in fraud analysis?

Yes. They operate at different layers and complement each other. ShieldFlow blocks fraud proactively at the checkout level. Shopify’s fraud analysis provides post-order risk indicators on any transactions that make it through. There is no conflict between them. Many merchants use both — ShieldFlow for prevention and Shopify’s indicators for manual review of edge cases.

Does ShieldFlow work with express checkout methods like Shop Pay and Apple Pay?

Yes. Express checkout methods bypass the traditional checkout flow, which means the block_progress mechanism does not apply to them. ShieldFlow handles this through webhook-based detection on checkouts/create and orders/create events. When a fraudulent express checkout is detected, ShieldFlow auto-cancels the order and flags the associated email for cleanup. This is a secondary safety net — less ideal than pre-checkout blocking, but necessary because express checkout is a known bypass vector.

What happens if ShieldFlow’s servers go down during a sale?

Nothing bad. ShieldFlow uses a fail-open architecture, meaning that if the backend or Redis cache is unreachable, all checkouts proceed normally. The checkout extension has a built-in timeout (4-5 seconds), and if no response is received, the customer is allowed through. You temporarily lose fraud protection, but you never lose sales. This is a deliberate design principle: blocking legitimate customers is worse than letting some fraud through during a brief outage.
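The fail-open pattern described in this answer, as an added example that is not ShieldFlow's code: the fraud engine call is injected so the behaviour can be exercised offline, the three engine stand-ins are constructed, and the timeout budget is a parameter rather than the 4-5 seconds quoted above.

```javascript
// Added example (not ShieldFlow's code): wrap a fraud-engine lookup so that a
// timeout, a thrown error, or a malformed answer all resolve to ALLOW.
const FAIL_OPEN = Object.freeze({ verdict: 'ALLOW', reason: 'fail-open' });
const VALID_VERDICTS = ['ALLOW', 'WARN', 'BLOCK'];

function verdictWithFailOpen(callEngine, timeoutMs) {
  let timer;
  // Resolves (never rejects) with an ALLOW once the budget is spent.
  const timeout = new Promise(resolve => {
    timer = setTimeout(
      () => resolve({ ...FAIL_OPEN, reason: 'fail-open: timeout' }),
      timeoutMs,
    );
  });
  // Normalise whatever the engine does into a verdict object.
  const engine = Promise.resolve()
    .then(() => callEngine())
    .then(v =>
      v && VALID_VERDICTS.includes(v.verdict)
        ? v
        : { ...FAIL_OPEN, reason: 'fail-open: malformed response' })
    .catch(err => ({ ...FAIL_OPEN, reason: `fail-open: ${err.message}` }));
  // Whichever settles first wins; the timer is cleared so a fast answer
  // does not keep the process alive.
  return Promise.race([engine, timeout]).finally(() => clearTimeout(timer));
}

// Constructed engine stand-ins for the three cases a checkout extension sees.
const healthyEngine = () => Promise.resolve({ verdict: 'BLOCK', reason: 'velocity' });
const hangingEngine = () => new Promise(() => {}); // backend or Redis never answers
const failingEngine = () => Promise.reject(new Error('ECONNREFUSED'));
```

The reason string is the part worth keeping: every fail-open verdict should be logged and counted, so that an outage window shows up in monitoring as a spike of ALLOW-by-default decisions rather than as a silent gap in protection.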

How does ShieldFlow handle false positives?

ShieldFlow uses a three-tier verdict system: ALLOW, WARN, and BLOCK. The WARN tier shows a non-blocking banner to the customer without preventing checkout, which is used for borderline cases. Only high-confidence fraud triggers a BLOCK verdict. Merchants can configure sensitivity thresholds for each fraud rule independently. If a specific rule is generating false positives for your store’s traffic patterns, you can adjust its weight or disable it without affecting other rules.
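A weighted rule engine producing the ALLOW / WARN / BLOCK verdict described in this answer, with the per-rule weight and enable switch the answer mentions, as an added example that is not ShieldFlow's code. It also serves the Behavioral Fingerprinting section above: the behavioral inputs (form fill time, mouse movement, scroll activity) are the kind of storefront signals listed there. Rule names, weights, thresholds, the disposable-domain list and the three sample sessions are all constructed for the example.

```javascript
// Added example (not ShieldFlow's code): score a checkout against independently
// weighted rules and map the score onto a three-tier verdict.
const DISPOSABLE_DOMAINS = new Set(['mailinator.example', 'tempmail.example']); // constructed list

// Each rule has its own weight and enabled flag, so one noisy rule can be
// tuned or switched off without touching the others.
const DEFAULT_RULES = [
  // Behavioral signals collected by the storefront script
  { id: 'form_fill_too_fast', weight: 40, enabled: true,
    test: s => s.formFillMs !== undefined && s.formFillMs < 1000 },
  { id: 'no_mouse_movement', weight: 25, enabled: true,
    test: s => s.mouseMoves === 0 },
  { id: 'no_scroll_before_checkout', weight: 10, enabled: true,
    test: s => s.scrollEvents === 0 },
  // Order-data signals
  { id: 'disposable_email_domain', weight: 30, enabled: true,
    test: s => DISPOSABLE_DOMAINS.has(s.emailDomain) },
  { id: 'billing_shipping_country_mismatch', weight: 15, enabled: true,
    test: s => s.billingCountry !== s.shippingCountry },
  // Device reuse: the hashed fingerprint was seen on an earlier blocked checkout
  { id: 'fingerprint_previously_blocked', weight: 50, enabled: true,
    test: s => s.fingerprintSeenBlocked === true },
];

const DEFAULT_THRESHOLDS = { warn: 30, block: 60 }; // constructed per-store settings

function evaluate(signals, rules = DEFAULT_RULES, thresholds = DEFAULT_THRESHOLDS) {
  const fired = [];
  let score = 0;
  for (const rule of rules) {
    if (!rule.enabled) continue;
    let hit = false;
    // A rule that throws on unexpected input counts as not fired: a broken
    // rule must never block a customer on its own.
    try { hit = Boolean(rule.test(signals)); } catch { hit = false; }
    if (hit) { fired.push(rule.id); score += rule.weight; }
  }
  const verdict =
    score >= thresholds.block ? 'BLOCK' :
    score >= thresholds.warn  ? 'WARN'  : 'ALLOW';
  return { verdict, score, fired };
}

// Merchant tuning: return a new rule set with one rule's weight or enabled
// flag changed, leaving every other rule as it was.
function tuneRule(rules, id, patch) {
  return rules.map(r => (r.id === id ? { ...r, ...patch } : r));
}

// Constructed sample sessions (fingerprint hashes are placeholders).
const SAMPLE_SIGNALS = {
  human: { formFillMs: 45000, mouseMoves: 212, scrollEvents: 6,
    emailDomain: 'gmail.com', billingCountry: 'US', shippingCountry: 'US',
    fingerprintSeenBlocked: false, fingerprintHash: 'sha256-placeholder-1' },
  bot: { formFillMs: 300, mouseMoves: 0, scrollEvents: 0,
    emailDomain: 'mailinator.example', billingCountry: 'US', shippingCountry: 'US',
    fingerprintSeenBlocked: false, fingerprintHash: 'sha256-placeholder-2' },
  borderline: { formFillMs: 20000, mouseMoves: 40, scrollEvents: 0,
    emailDomain: 'tempmail.example', billingCountry: 'US', shippingCountry: 'CA',
    fingerprintSeenBlocked: false, fingerprintHash: 'sha256-placeholder-3' },
};
```

With these constructed weights the human session scores 0 (ALLOW), the scripted session scores 105 (BLOCK), and the borderline session scores 55 (WARN, a banner but no block). Disabling the disposable-domain rule alone drops the borderline session to 25 and an ALLOW, which is exactly the kind of single-rule adjustment a merchant wants when one signal misfires on their traffic.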

Does ShieldFlow store my customers’ personal data?

ShieldFlow follows a privacy-first design. Device fingerprints are hashed (SHA-256) before storage — raw fingerprint data is not retained. Email addresses are masked in logs. IP addresses are hashed in analytics. ShieldFlow does not build customer profiles or sell data. The system stores only what is necessary for fraud detection and deletes aged data according to configurable retention policies.

Bottom Line

Shopify gives every merchant a basic fraud analysis tool. It is free, it is automatic, and it provides useful risk signals. But it operates after the damage is done. It cannot block a checkout. It cannot stop a card testing attack in real time. It cannot clean the fake emails out of your Klaviyo account. It cannot fingerprint a bot that rotates IP addresses.

If your store has never experienced a fraud attack, Shopify’s built-in tools might feel sufficient. But card testing and fake checkout attacks are accelerating across the platform. When an attack hits your store — and for most merchants, it is a matter of when, not if — you need tools that prevent fraud before it happens, not tools that label it after the fact.

ShieldFlow was built for exactly this scenario. Pre-checkout blocking, real-time velocity detection, behavioral fingerprinting, automated cleanup. The protection that Shopify’s native tools were never designed to provide.