Shopify hands you a risk score, not a decision. Here's the ship-hold-cancel process that makes the call the same way, every time, in under four hours.
An order comes in for $340. Shopify puts a yellow diamond next to it: medium risk. The billing address matched, the security code matched, but the IP address resolves to a city 900 miles from where it's shipping, and it's a first-time customer who paid extra for overnight delivery. Ship it and you might eat a chargeback. Cancel it and you might have just insulted a real customer buying a gift on their lunch break at work. So which is it?
That call gets made hundreds of times a year at a growing DTC brand, and at most of them it gets made by feel. Whoever happens to be staring at the queue squints at the signals and guesses. The guess changes depending on who's on shift, how buried they are that day, and whether they got burned by a chargeback last week.
This is the SOP that replaces the guess. It gives you a decision tree, three roles, verification scripts you can copy and paste, a review deadline, and a way to keep the whole thing from rotting as Shopify changes its dashboard underneath you. Shopify gives you a risk score. It does not give you a decision. That part, and the liability, stays with you.
Fraud runs somewhere between 0.5 and 2 percent of orders at a typical DTC brand. That sounds small until you price a single miss. When a stolen-card order slips through, you lose the product, you lose the shipping you already paid, and you still get hit with a chargeback fee of 15 to 25 dollars even if you fight the dispute and win. The item is gone. The fraudster resold it days ago.
Let those pile up and a second problem shows up. When your chargeback ratio crosses roughly 1 percent of transactions, Shopify Payments can drop you into a monitoring program or, if it keeps climbing, cut you off. Losing your payment processor is an existential problem, not a line item.
Now the side nobody writes about. Cancel a real customer's order because it looked suspicious and you've created a different kind of loss. That person wanted your product, handed you their money, and got told no. Some of them shrug. Some of them post a one-star review titled "accused me of fraud" and tell their group chat. You lose the order, the lifetime value, and a little of your reputation, and none of it shows up in a dashboard the way a chargeback does. That's the trap: the fraud loss is visible and the false-positive loss is invisible, so teams quietly optimize against the only one they can see.
This is a two-sided error problem, not a block-everything problem. Which is why the advice you'll find on every competing page, "just refund it if you're unsure," is quietly terrible. Follow it and you train yourself to bleed real revenue every time a legit order trips a sensor. Unsure is not a decision. It's the reason you need a process.
Most brands have a fraud hero. One person, usually the founder or the most tenured CX lead, who has a feel for the dashboard and clears the high-risk queue every morning without being asked. It works right up until BFCM, when volume triples, fraud spikes with it, and that person is on a plane to see family. Nobody else knows the thresholds. The queue backs up, or worse, someone ships everything to keep orders moving.
The subtler failure is consistency. Hand the same flagged order to three different reviewers and you'll often get three different calls: ship, hold, cancel. Your approve line becomes a coin flip that depends on who opened the order first. A fraudster probing your store doesn't care about your good intentions. They care whether your response is predictable, and an inconsistent team is an easy mark.
An SOP doesn't remove judgment. It removes guessing. Same signals, same thresholds, same decision no matter who's on shift or how slammed they are. The reviewer still uses their head on the genuinely ambiguous 5 percent. They just stop re-deriving the obvious 95 percent from scratch every single time.
The goal isn't heroics. It's consistent, fast decisions with a documented reason attached to each one. A junior CX rep in their second week should be able to clear 90 percent of the queue by following the tree, and know exactly which orders to escalate.
Open any order and scroll to the Order risk section. Shopify assigns a level, low, medium, or high, and backs it with a list of fraud-analysis indicators, each marked with a colored icon: green for a good signal, red for a bad one, grey for neutral or unavailable. Click into the full analysis to see the whole list. The ones that carry the most weight:
Two things the score gets wrong, in opposite directions.
It misses sophisticated fraud. A patient fraudster working from a full identity profile, the cardholder's real billing address included, sails through AVS and CVV clean and lands as low risk. The checks confirm the data matches. They cannot confirm the person typing it is the actual cardholder.
And it flags real customers constantly. The person on a corporate VPN. The customer shipping a birthday gift to their sister's address. The traveler buying from a hotel three states from home. The employee expensing something on a company card whose billing address is the office. Every one of them can light up medium or high risk while being completely legitimate. Treat the score as the opening input to your SOP, never as the verdict. Shopify built it to inform your decision, and it says as much on the tin.
The fill-in-the-blank procedure this post is the hub for, with the signal list, review workflow, and blocklist fields ready to populate.
Assign three roles. At a 200-order-a-day brand one person may hold all three today, but write them separately so the seams are already drawn when you hire.
Then set a review SLA: every high-risk order gets a decision within four business hours. This number isn't really about fraud. It's about not losing real customers. A held order that sits for two days is an order the customer cancels themselves and rebuys from a brand that shipped faster. The SLA keeps legit buyers from walking while you're being careful. It mirrors the Monitor, Builder, Submitter structure in the chargeback dispute SOP on purpose, so the two procedures read the same way and hand off cleanly.
The downstream sibling process for when review didn't catch it and a chargeback lands anyway.
Here's the piece every competing page leaves out: a written tree that turns a risk level plus a red-flag count into one action.
You don't want a human deciding which orders even reach a human. Shopify Flow handles the sorting for you. Build two workflows:
That single automation is the difference between a queue you work and a queue that works you. Shopify's own documentation mentions Flow only in passing. This is the use that pays for itself.
For medium-risk or high-value orders, consider triggering 3D Secure, the extra card-issuer step you know as Verified by Visa or Mastercard Identity Check. When 3DS approves a transaction, the fraud chargeback liability shifts from you to the issuing bank. It adds a small hurdle at checkout, so reserve it for the orders where that protection is worth the friction.
Every hour a held order waits is an hour a real customer spends deciding you're slow. Hold too long and you don't prevent fraud, you just gift the sale to a competitor and earn a support ticket. Verify fast, or you solve one loss by creating another.
We turned this into a fill-in-the-blank pack: the risk-tier decision tree, the three role assignments, the verification email and phone scripts, and the blocklist fields. Hand it to a new CX hire on day one. Grab it from the Order Fraud Detection SOP page linked above.
Every competitor tells you to "reach out and verify the customer." Not one gives you the words. Here they are. Send this from your support address, keep the tone warm, and never, under any circumstance, ask for a full card number or the security code. No legitimate business needs those to confirm an order, and asking makes you look like the fraud.
Subject: Quick check on your order #1024. Hi [Name], thanks for your order. We run a fast security check on a small number of orders to protect our customers, and yours came up. Could you confirm a couple of details for me: the billing ZIP or postal code on the card you used, the last 4 digits of that card, and one item from your order. You can also confirm instantly through this secure link: [verification link]. As soon as we hear back, your order ships. We will never ask for your full card number or security code. Thanks, [Your name], [Brand] Support
— Verification email template
For high-value orders, a phone call is faster and much harder to fake than email. Keep it to three questions and pay as much attention to how they answer as to what they say.
A real customer answers these in seconds, sometimes with a laugh about the security theater. A fraudster stalls, gets defensive, asks why you need to know, or gives an answer that doesn't line up with the order. Evasive, refuses, or wrong is your signal: cancel the order and mark it Fraudulent.
You don't need paid software to sanity-check most orders. Three free checks catch the obvious cases in about two minutes:
When the checks and the customer both come up short, cancel the order correctly. In Shopify, open the order, choose More actions, then Cancel order, and select the reason Fraudulent. That reason restocks the inventory and flags the order for reporting, which feeds both Shopify's model and your own records. A plain refund carries none of that signal.
Verification tickets and customer comms live in the helpdesk. Document that side so the thread is searchable the day an order turns into a dispute.
A decision nobody wrote down is a decision you get to relitigate every time the order resurfaces. Two habits fix that.
First, record the call and the reason on the order. Add a Shopify order note ("Held: IP on VPN plus freight-forwarder shipping, verified by phone, cleared to ship") and a tag: fraud-held, fraud-verified, or fraud-canceled. The note is for the human who reopens this order in three months. The tag is for reporting, so you can pull every fraud-canceled order from a quarter and actually see your patterns instead of guessing at them.
Second, understand what that evidence is worth downstream. The AVS and CVV results, the IP, the device, the customer emails, your verification notes, all of it, is the exact evidence package you'll submit if this order later comes back as a chargeback. Fraud review and chargeback defense run on one shared dataset. Collect it once, at review, and dispute defense becomes a copy-paste job instead of an archaeology dig.
And keep a blocklist. When you confirm fraud, don't just cancel, record the identity: email, shipping address, and phone, all three. Fraudsters rotate email addresses like socks, so an email-only blocklist catches almost nobody. The shipping address and the phone number are stickier. Match on any of the three and you stop the repeat attempt before it ships.
The reason-code-to-evidence template that reuses the exact data you already collected during fraud review.
Everything so far targets third-party fraud: a stranger using a stolen card. But that's the minority of what actually hits your account. Somewhere between 60 and 80 percent of chargeback losses come from first-party fraud, better known as friendly fraud, where a real customer buys something legitimately and then disputes the charge anyway. Sometimes it's honest confusion ("I don't recognize this"). Sometimes it's buyer's remorse dressed up as a dispute. Sometimes it's a flat lie ("never arrived" while the box sits in their hallway).
AVS and CVV can't touch any of it. The card matched because it was the real cardholder. Prevention lives somewhere else entirely:
Refund and return abuse is the same problem wearing a different hat. Serial returners, customers running an 80-percent return rate, and "damaged on arrival" claims on items that arrived perfectly fine all bleed margin the way stolen-card fraud does. The defenses are procedural: return velocity limits, a return-to-purchase ratio that flags the worst offenders, photo proof on high-value returns, and a refund policy you actually enforce the same way for everyone.
Consistent refund decisions close the friendly-fraud and return-abuse gap covered above.
Velocity limits, blocklists, and manual-review triggers that stop return abuse without punishing real customers.
How to handle DOA claims consistently, so genuine breakage gets fixed fast and claim fraud gets caught.
Here's the 2026 wrinkle almost nobody's guide accounts for. Shopify Protect covers qualifying fraud chargebacks on eligible Shop Pay orders at no cost to you. If a covered order gets disputed as fraud, Shopify absorbs the loss and the fee, not you. For an order that clearly qualifies, the minutes you'd spend on manual review may not be worth it, because the downside the review protects against is already handled.
Read the caveat twice, though. Coverage is narrow. As of mid-2026 it applies to eligible orders paid through Shop Pay, largely in the US, and only to qualifying fraud disputes, not to friendly-fraud or item-not-received claims across the board. The terms and eligibility have changed before and will change again. So most of your orders still run the full SOP, and you should never wave one through on the assumption that Protect has it covered. Check the actual eligibility status on the order. Don't guess at it.
You can't manage what you refuse to count, and fraud review fails in two opposite directions, so you have to measure both.
Once a month, sit with the losses. Every chargeback that got through is a pattern your tree didn't catch yet. Add the signal, adjust the threshold, and the SOP gets smarter each cycle. The two failure modes to steer between: too aggressive, where you block real buyers and never see the lost revenue, and too loose, where chargebacks stack up and your processor starts sending you emails you don't want.
A fraud SOP is the fastest-rotting document in your whole operation, because three separate clocks work against it at once. Fraud patterns shift with the season; the tricks that hit you during BFCM aren't the ones you saw in March. Shopify changes the risk dashboard and relabels indicators without asking you. And your signals move the day you switch fraud tools or payment processors, because the data you were keying on now comes from somewhere else, or stops coming at all.
Here's why that's dangerous rather than just annoying. A stale rule doesn't announce itself. An auto-cancel rule you wrote last year for a pattern that's now perfectly legitimate keeps canceling real orders, silently, and everyone keeps trusting the doc because it's written down. Documented and wrong is worse than undocumented, because it carries authority nobody thinks to question. This is SOP drift, and a fraud SOP is where it does the most damage.
The pillar post behind the drift concept this fraud SOP inherits: documented and wrong is worse than undocumented.
Review the procedure every quarter, and immediately after any change to your payment stack or fraud tooling, and after any fraud spike that taught you something new. Then slot the SOP into a maintained library instead of a folder nobody opens.
How this fraud SOP fits inside a living system of procedures instead of rotting quietly in a shared drive.
Don't build the whole system in one sitting. Start with an audit. Pull your last 20 high-risk orders and, for each one, answer two questions: what did you decide, and is the reason written down anywhere? Most teams find a graveyard of orders canceled or shipped on vibes, with no note explaining either. That gap is your baseline.
Then write three numbers and three names. The thresholds: low ships, medium gets the checklist, high holds. The roles: Monitor, Reviewer, Approver, even if all three are you this week. And the SLA: four business hours to a decision. That single page beats any fraud-scoring subscription, because it works the same whether you review 5 orders a week or 50.
The hard part isn't writing the SOP. It's capturing what your best reviewer actually does, the small checks they run without thinking, and keeping the doc honest as Shopify shifts underneath it. That's the exact problem we built ReccordSOP to solve. Record your most senior reviewer working one real high-risk order end to end, from the flag to the verification call to the ship-or-cancel decision, and ReccordSOP turns it into a screenshot-by-screenshot SOP the rest of the team can follow. When Shopify relabels the dashboard or you swap fraud tools, drift detection flags the steps that no longer match reality, so the doc stops lying before it costs you an order.
Record your fraud reviewer once and generate the SOP free at reccordsop.com.
Open the order, read the Order risk section (AVS, CVV, IP location, and card attempts), then run a red-flag count: billing-shipping mismatch, freight forwarder, rushed shipping on a first order, throwaway email, failed card attempts. Zero flags, ship. One or two, verify. Three or more, or a high-risk label, hold and verify before you ship anything.
Never ship a high-risk order on the score alone. Hold it, verify the customer by email or phone, and let the answer decide. A customer who confirms the billing ZIP, last four digits, and an order detail ships. One who stalls, refuses, or gets the details wrong gets canceled with the reason marked Fraudulent.
Ask only for things a real cardholder knows and a fraudster usually doesn't: the billing ZIP, the last four digits of the card, and one item from the order. Never request the full card number or the security code. No legitimate business needs those to confirm an order, and asking makes you look like the scam.
Roughly 0.5 to 2 percent of orders. Sitting well below that band can mean you're over-blocking real customers; sitting well above it means fraud is getting through. Track it alongside your false-positive rate so you catch both failure directions, not just the one that shows up as a chargeback.
A high-risk order carries a higher chance of a fraud chargeback, which is why you verify before shipping. Shopify Protect can absorb qualifying fraud chargebacks on eligible Shop Pay orders, but coverage is narrow and the terms change, so confirm each order's eligibility rather than assuming. Most orders still need the full review.
Third-party fraud is a stranger using a stolen card, which AVS and CVV can help catch. Friendly (first-party) fraud is a real customer who buys legitimately and then disputes the charge anyway, and it accounts for 60 to 80 percent of chargeback losses. You fight that one with a clear billing descriptor, published policies, and delivery proof, not card checks.
Four business hours, start to finish. That deadline exists less for fraud prevention and more for customer retention: real buyers don't wait around wondering why their order is stuck, they cancel and buy from whoever ships faster. Track SLA adherence alongside your fraud rate so a slow review process doesn't quietly cost you the customers your checks were supposed to protect.
Review the SOP every quarter, and immediately after any fraud spike, seasonal event like BFCM, or change to your payment processor or fraud tooling. A stale auto-cancel rule keeps blocking now-legitimate orders silently while everyone still trusts the doc, which is exactly how a fraud SOP quietly costs you revenue.
I built ReccordSOP after watching too many DTC ops teams lose months to undocumented workflows. These SOPs are battle-tested with Shopify operators running $1M to $50M brands.
Last reviewed July 5, 2026
Manual responses win under 20 percent of the time. A repeatable process is how you flip that.
Most SOPs are wrong within 90 days of publishing. Here's how to detect it before it costs you a customer.
Most SOP projects don't fail because the docs are bad. They fail because nobody follows them and nobody updates them.
We use essential cookies for sign-in and a small amount of analytics to improve the product. Privacy policy.