Blog/Operations
OperationsJuly 5, 2026·11 min read

The order fraud prevention SOP for Shopify DTC brands

Shopify hands you a risk score, not a decision. Here's the ship-hold-cancel process that makes the call the same way, every time, in under four hours.

AY
Anand Yadav · Founder, ReccordSOP
·Last reviewed July 5, 2026

An order comes in for $340. Shopify puts a yellow diamond next to it: medium risk. The billing address matched, the security code matched, but the IP address resolves to a city 900 miles from where it's shipping, and it's a first-time customer who paid extra for overnight delivery. Ship it and you might eat a chargeback. Cancel it and you might have just insulted a real customer buying a gift on their lunch break at work. So which is it?

That call gets made hundreds of times a year at a growing DTC brand, and at most of them it gets made by feel. Whoever happens to be staring at the queue squints at the signals and guesses. The guess changes depending on who's on shift, how buried they are that day, and whether they got burned by a chargeback last week.

This is the SOP that replaces the guess. It gives you a decision tree, three roles, verification scripts you can copy and paste, a review deadline, and a way to keep the whole thing from rotting as Shopify changes its dashboard underneath you. Shopify gives you a risk score. It does not give you a decision. That part, and the liability, stays with you.

What a fraudulent order actually costs you (both directions)

Fraud runs somewhere between 0.5 and 2 percent of orders at a typical DTC brand. That sounds small until you price a single miss. When a stolen-card order slips through, you lose the product, you lose the shipping you already paid, and you still get hit with a chargeback fee of 15 to 25 dollars even if you fight the dispute and win. The item is gone. The fraudster resold it days ago.

Let those pile up and a second problem shows up. When your chargeback ratio crosses roughly 1 percent of transactions, Shopify Payments can drop you into a monitoring program or, if it keeps climbing, cut you off. Losing your payment processor is an existential problem, not a line item.

Now the side nobody writes about. Cancel a real customer's order because it looked suspicious and you've created a different kind of loss. That person wanted your product, handed you their money, and got told no. Some of them shrug. Some of them post a one-star review titled "accused me of fraud" and tell their group chat. You lose the order, the lifetime value, and a little of your reputation, and none of it shows up in a dashboard the way a chargeback does. That's the trap: the fraud loss is visible and the false-positive loss is invisible, so teams quietly optimize against the only one they can see.

This is a two-sided error problem, not a block-everything problem. Which is why the advice you'll find on every competing page, "just refund it if you're unsure," is quietly terrible. Follow it and you train yourself to bleed real revenue every time a legit order trips a sensor. Unsure is not a decision. It's the reason you need a process.

Why fraud review needs an SOP, not a gut call

Most brands have a fraud hero. One person, usually the founder or the most tenured CX lead, who has a feel for the dashboard and clears the high-risk queue every morning without being asked. It works right up until BFCM, when volume triples, fraud spikes with it, and that person is on a plane to see family. Nobody else knows the thresholds. The queue backs up, or worse, someone ships everything to keep orders moving.

The subtler failure is consistency. Hand the same flagged order to three different reviewers and you'll often get three different calls: ship, hold, cancel. Your approve line becomes a coin flip that depends on who opened the order first. A fraudster probing your store doesn't care about your good intentions. They care whether your response is predictable, and an inconsistent team is an easy mark.

An SOP doesn't remove judgment. It removes guessing. Same signals, same thresholds, same decision no matter who's on shift or how slammed they are. The reviewer still uses their head on the genuinely ambiguous 5 percent. They just stop re-deriving the obvious 95 percent from scratch every single time.

The core idea

The goal isn't heroics. It's consistent, fast decisions with a documented reason attached to each one. A junior CX rep in their second week should be able to clear 90 percent of the queue by following the tree, and know exactly which orders to escalate.

Read Shopify's risk signals (and where they fall short)

The signals Shopify actually shows you

Open any order and scroll to the Order risk section. Shopify assigns a level, low, medium, or high, and backs it with a list of fraud-analysis indicators, each marked with a colored icon: green for a good signal, red for a bad one, grey for neutral or unavailable. Click into the full analysis to see the whole list. The ones that carry the most weight:

  • Address Verification (AVS): did the billing address the customer typed match what the card issuer has on file. A red AVS is one of the strongest single signals.
  • Card security code (CVV): did the three-digit code match. A stolen card number without the physical card in hand often fails right here.
  • IP address and location: where the order was placed from, and whether it came through a proxy or VPN that hides the real location. A checkout from an anonymizing network on a high-value order is a flag.
  • Card attempts: how many different cards were tried before one went through. Several declines followed by a success is classic card-testing behavior.
  • Distance between billing, shipping, and IP location, plus whether this customer has ordered from you before.

Where the risk score misleads you

Two things the score gets wrong, in opposite directions.

It misses sophisticated fraud. A patient fraudster working from a full identity profile, the cardholder's real billing address included, sails through AVS and CVV clean and lands as low risk. The checks confirm the data matches. They cannot confirm the person typing it is the actual cardholder.

And it flags real customers constantly. The person on a corporate VPN. The customer shipping a birthday gift to their sister's address. The traveler buying from a hotel three states from home. The employee expensing something on a company card whose billing address is the office. Every one of them can light up medium or high risk while being completely legitimate. Treat the score as the opening input to your SOP, never as the verdict. Shopify built it to inform your decision, and it says as much on the tin.

Order Fraud Detection SOP template

The fill-in-the-blank procedure this post is the hub for, with the signal list, review workflow, and blocklist fields ready to populate.

Who owns fraud review on a DTC team

Assign three roles. At a 200-order-a-day brand one person may hold all three today, but write them separately so the seams are already drawn when you hire.

  • Monitor: watches the high-risk queue and makes sure nothing sits unreviewed. This is a checking cadence, not a judgment call, so it's the easiest role to hand off first. Name a backup by name, because an unwatched queue during a spike is how orders either ship blind or die waiting.
  • Reviewer: runs the checklist and the verification steps. Usually CX or ops, since they already live in the order history and the helpdesk.
  • Approver: makes the final ship-or-cancel call on orders above a set value, say $250 or three times your average order. Below that line, the Reviewer decides alone. Above it, a second set of eyes signs off. Fraudsters aim high, so the expensive orders earn the extra scrutiny.

Then set a review SLA: every high-risk order gets a decision within four business hours. This number isn't really about fraud. It's about not losing real customers. A held order that sits for two days is an order the customer cancels themselves and rebuys from a brand that shipped faster. The SLA keeps legit buyers from walking while you're being careful. It mirrors the Monitor, Builder, Submitter structure in the chargeback dispute SOP on purpose, so the two procedures read the same way and hand off cleanly.

The chargeback dispute SOP

The downstream sibling process for when review didn't catch it and a chargeback lands anyway.

The hold-and-verify decision tree

The risk-tier decision matrix

Here's the piece every competing page leaves out: a written tree that turns a risk level plus a red-flag count into one action.

  • Low risk: auto-capture payment and fulfill. Don't spend a human minute here. If your low-risk tier is somehow generating chargebacks, that's a signal to tighten upstream, not to start hand-reviewing green orders.
  • Medium risk: run the red-flag checklist below and count. Zero red flags, ship it. One or two, verify before shipping. Three or more, treat it as high risk and hold.
  • High risk: hold automatically. Never ship a high-risk order without completing verification first. This is the one hard rule in the whole SOP.

The red-flag signal list

  • Billing and shipping names, or countries, don't match.
  • Ships to a known freight forwarder or reshipper address.
  • Overnight or rushed shipping on a first-time order. Fraudsters want the goods before the card gets reported.
  • Email domain doesn't match the customer name, or it's a fresh throwaway address.
  • Multiple failed card attempts before one finally went through.
  • First order, unusually high value for your store.
  • Several orders from the same email or IP inside 24 hours.

Automate the holds with Shopify Flow

You don't want a human deciding which orders even reach a human. Shopify Flow handles the sorting for you. Build two workflows:

  • When an order is created with low or medium risk, capture payment and let fulfillment proceed.
  • When an order is created with high risk, place it on hold and tag it fraud-hold so it lands in the Reviewer's queue instead of at the packing station.

That single automation is the difference between a queue you work and a queue that works you. Shopify's own documentation mentions Flow only in passing. This is the use that pays for itself.

For medium-risk or high-value orders, consider triggering 3D Secure, the extra card-issuer step you know as Verified by Visa or Mastercard Identity Check. When 3DS approves a transaction, the fraud chargeback liability shifts from you to the issuing bank. It adds a small hurdle at checkout, so reserve it for the orders where that protection is worth the friction.

The SLA is the whole game

Every hour a held order waits is an hour a real customer spends deciding you're slow. Hold too long and you don't prevent fraud, you just gift the sale to a competitor and earn a support ticket. Verify fast, or you solve one loss by creating another.

Free template

We turned this into a fill-in-the-blank pack: the risk-tier decision tree, the three role assignments, the verification email and phone scripts, and the blocklist fields. Hand it to a new CX hire on day one. Grab it from the Order Fraud Detection SOP page linked above.

The verification scripts (email and phone)

The verification email script

Every competitor tells you to "reach out and verify the customer." Not one gives you the words. Here they are. Send this from your support address, keep the tone warm, and never, under any circumstance, ask for a full card number or the security code. No legitimate business needs those to confirm an order, and asking makes you look like the fraud.

Subject: Quick check on your order #1024. Hi [Name], thanks for your order. We run a fast security check on a small number of orders to protect our customers, and yours came up. Could you confirm a couple of details for me: the billing ZIP or postal code on the card you used, the last 4 digits of that card, and one item from your order. You can also confirm instantly through this secure link: [verification link]. As soon as we hear back, your order ships. We will never ask for your full card number or security code. Thanks, [Your name], [Brand] Support

Verification email template

The verification phone script

For high-value orders, a phone call is faster and much harder to fake than email. Keep it to three questions and pay as much attention to how they answer as to what they say.

  1. "Hi, this is [Name] from [Brand], just confirming a recent order. Can you tell me what you ordered?"
  2. "Great, and what city is it shipping to?"
  3. "Perfect. Last thing, the billing ZIP on the card?"

A real customer answers these in seconds, sometimes with a laugh about the security theater. A fraudster stalls, gets defensive, asks why you need to know, or gives an answer that doesn't line up with the order. Evasive, refuses, or wrong is your signal: cancel the order and mark it Fraudulent.

Free tools that confirm a customer in 2 minutes

You don't need paid software to sanity-check most orders. Three free checks catch the obvious cases in about two minutes:

  • Reverse phone lookup: drop the number into a 411-style lookup or even a search engine. A real customer's number ties to a real name and region. A VoIP number registered last week does not.
  • Google Maps the addresses: paste the billing and shipping addresses into Maps. A "home address" that turns out to be a parking lot, a freight-forwarding warehouse, or an empty field tells you plenty.
  • IP and proxy check: run the order's IP through a free proxy or VPN checker. An anonymized connection on a high-value first order is a meaningful flag on its own.

When the checks and the customer both come up short, cancel the order correctly. In Shopify, open the order, choose More actions, then Cancel order, and select the reason Fraudulent. That reason restocks the inventory and flags the order for reporting, which feeds both Shopify's model and your own records. A plain refund carries none of that signal.

Gorgias SOPs

Verification tickets and customer comms live in the helpdesk. Document that side so the thread is searchable the day an order turns into a dispute.

Document every decision (and feed it straight to chargebacks)

A decision nobody wrote down is a decision you get to relitigate every time the order resurfaces. Two habits fix that.

First, record the call and the reason on the order. Add a Shopify order note ("Held: IP on VPN plus freight-forwarder shipping, verified by phone, cleared to ship") and a tag: fraud-held, fraud-verified, or fraud-canceled. The note is for the human who reopens this order in three months. The tag is for reporting, so you can pull every fraud-canceled order from a quarter and actually see your patterns instead of guessing at them.

Second, understand what that evidence is worth downstream. The AVS and CVV results, the IP, the device, the customer emails, your verification notes, all of it, is the exact evidence package you'll submit if this order later comes back as a chargeback. Fraud review and chargeback defense run on one shared dataset. Collect it once, at review, and dispute defense becomes a copy-paste job instead of an archaeology dig.

And keep a blocklist. When you confirm fraud, don't just cancel, record the identity: email, shipping address, and phone, all three. Fraudsters rotate email addresses like socks, so an email-only blocklist catches almost nobody. The shipping address and the phone number are stickier. Match on any of the three and you stop the repeat attempt before it ships.

chargeback dispute SOP template

The reason-code-to-evidence template that reuses the exact data you already collected during fraud review.

Friendly fraud and refund abuse: the other 60 to 80 percent

Everything so far targets third-party fraud: a stranger using a stolen card. But that's the minority of what actually hits your account. Somewhere between 60 and 80 percent of chargeback losses come from first-party fraud, better known as friendly fraud, where a real customer buys something legitimately and then disputes the charge anyway. Sometimes it's honest confusion ("I don't recognize this"). Sometimes it's buyer's remorse dressed up as a dispute. Sometimes it's a flat lie ("never arrived" while the box sits in their hallway).

AVS and CVV can't touch any of it. The card matched because it was the real cardholder. Prevention lives somewhere else entirely:

  • A clear billing descriptor. A large share of "I don't recognize this charge" disputes are genuine confusion. Make sure the line on the customer's statement reads as your brand name, not a parent LLC nobody has ever heard of.
  • Transparent, published policies. Return windows, shipping timelines, and subscription terms that are easy to find give the issuing bank nothing to side with the customer over.
  • Delivery confirmation, with a signature on high-value orders. A carrier scan showing delivered to the billing ZIP kills most "never arrived" claims before they start.

Refund and return abuse is the same problem wearing a different hat. Serial returners, customers running an 80-percent return rate, and "damaged on arrival" claims on items that arrived perfectly fine all bleed margin the way stolen-card fraud does. The defenses are procedural: return velocity limits, a return-to-purchase ratio that flags the worst offenders, photo proof on high-value returns, and a refund policy you actually enforce the same way for everyone.

Refund policy enforcement SOP

Consistent refund decisions close the friendly-fraud and return-abuse gap covered above.

Loop Returns fraud rules SOP

Velocity limits, blocklists, and manual-review triggers that stop return abuse without punishing real customers.

damaged-on-arrival claim SOP

How to handle DOA claims consistently, so genuine breakage gets fixed fast and claim fraud gets caught.

Shopify Protect and when NOT to spend time reviewing

Here's the 2026 wrinkle almost nobody's guide accounts for. Shopify Protect covers qualifying fraud chargebacks on eligible Shop Pay orders at no cost to you. If a covered order gets disputed as fraud, Shopify absorbs the loss and the fee, not you. For an order that clearly qualifies, the minutes you'd spend on manual review may not be worth it, because the downside the review protects against is already handled.

Read the caveat twice, though. Coverage is narrow. As of mid-2026 it applies to eligible orders paid through Shop Pay, largely in the US, and only to qualifying fraud disputes, not to friendly-fraud or item-not-received claims across the board. The terms and eligibility have changed before and will change again. So most of your orders still run the full SOP, and you should never wave one through on the assumption that Protect has it covered. Check the actual eligibility status on the order. Don't guess at it.

Measure the two error rates

You can't manage what you refuse to count, and fraud review fails in two opposite directions, so you have to measure both.

  • Fraud rate: fraud losses as a percent of orders. Aim for the 0.5 to 2 percent band. Sitting well below it can mean you're over-blocking; sitting well above it means fraud is getting through.
  • False-positive rate: the one nobody tracks. Pull a sample of the orders you held or canceled and check how many were actually legit. Every real customer you turned away is revenue and reputation you threw out, invisibly. Keep this low on purpose.
  • SLA adherence: what percent of high-risk orders got a decision inside four hours. When this slips, real customers start canceling on you before you even reach them.
  • Chargeback rate trend: the lagging scoreboard. It moves months after your decisions, so watch the direction, not the daily number.

Once a month, sit with the losses. Every chargeback that got through is a pattern your tree didn't catch yet. Add the signal, adjust the threshold, and the SOP gets smarter each cycle. The two failure modes to steer between: too aggressive, where you block real buyers and never see the lost revenue, and too loose, where chargebacks stack up and your processor starts sending you emails you don't want.

Keep the SOP from going stale

A fraud SOP is the fastest-rotting document in your whole operation, because three separate clocks work against it at once. Fraud patterns shift with the season; the tricks that hit you during BFCM aren't the ones you saw in March. Shopify changes the risk dashboard and relabels indicators without asking you. And your signals move the day you switch fraud tools or payment processors, because the data you were keying on now comes from somewhere else, or stops coming at all.

Here's why that's dangerous rather than just annoying. A stale rule doesn't announce itself. An auto-cancel rule you wrote last year for a pattern that's now perfectly legitimate keeps canceling real orders, silently, and everyone keeps trusting the doc because it's written down. Documented and wrong is worse than undocumented, because it carries authority nobody thinks to question. This is SOP drift, and a fraud SOP is where it does the most damage.

SOP drift: why your documentation is lying to you

The pillar post behind the drift concept this fraud SOP inherits: documented and wrong is worse than undocumented.

Review the procedure every quarter, and immediately after any change to your payment stack or fraud tooling, and after any fraud spike that taught you something new. Then slot the SOP into a maintained library instead of a folder nobody opens.

Build a DTC SOP library that doesn't go stale

How this fraud SOP fits inside a living system of procedures instead of rotting quietly in a shared drive.

Where to start this week

Don't build the whole system in one sitting. Start with an audit. Pull your last 20 high-risk orders and, for each one, answer two questions: what did you decide, and is the reason written down anywhere? Most teams find a graveyard of orders canceled or shipped on vibes, with no note explaining either. That gap is your baseline.

Then write three numbers and three names. The thresholds: low ships, medium gets the checklist, high holds. The roles: Monitor, Reviewer, Approver, even if all three are you this week. And the SLA: four business hours to a decision. That single page beats any fraud-scoring subscription, because it works the same whether you review 5 orders a week or 50.

The hard part isn't writing the SOP. It's capturing what your best reviewer actually does, the small checks they run without thinking, and keeping the doc honest as Shopify shifts underneath it. That's the exact problem we built ReccordSOP to solve. Record your most senior reviewer working one real high-risk order end to end, from the flag to the verification call to the ship-or-cancel decision, and ReccordSOP turns it into a screenshot-by-screenshot SOP the rest of the team can follow. When Shopify relabels the dashboard or you swap fraud tools, drift detection flags the steps that no longer match reality, so the doc stops lying before it costs you an order.

Record your fraud reviewer once and generate the SOP free at reccordsop.com.

Frequently asked questions

How do I review a high-risk order on Shopify?

Open the order, read the Order risk section (AVS, CVV, IP location, and card attempts), then run a red-flag count: billing-shipping mismatch, freight forwarder, rushed shipping on a first order, throwaway email, failed card attempts. Zero flags, ship. One or two, verify. Three or more, or a high-risk label, hold and verify before you ship anything.

Should I cancel or fulfill a high-risk Shopify order?

Never ship a high-risk order on the score alone. Hold it, verify the customer by email or phone, and let the answer decide. A customer who confirms the billing ZIP, last four digits, and an order detail ships. One who stalls, refuses, or gets the details wrong gets canceled with the reason marked Fraudulent.

How do I verify a customer without being invasive or asking for their full card number?

Ask only for things a real cardholder knows and a fraudster usually doesn't: the billing ZIP, the last four digits of the card, and one item from the order. Never request the full card number or the security code. No legitimate business needs those to confirm an order, and asking makes you look like the scam.

What is a normal fraud rate for a DTC brand?

Roughly 0.5 to 2 percent of orders. Sitting well below that band can mean you're over-blocking real customers; sitting well above it means fraud is getting through. Track it alongside your false-positive rate so you catch both failure directions, not just the one that shows up as a chargeback.

Will I get a chargeback if I fulfill a high-risk order, and does Shopify Protect cover it?

A high-risk order carries a higher chance of a fraud chargeback, which is why you verify before shipping. Shopify Protect can absorb qualifying fraud chargebacks on eligible Shop Pay orders, but coverage is narrow and the terms change, so confirm each order's eligibility rather than assuming. Most orders still need the full review.

What is the difference between fraud and friendly fraud?

Third-party fraud is a stranger using a stolen card, which AVS and CVV can help catch. Friendly (first-party) fraud is a real customer who buys legitimately and then disputes the charge anyway, and it accounts for 60 to 80 percent of chargeback losses. You fight that one with a clear billing descriptor, published policies, and delivery proof, not card checks.

How fast do I need to review a flagged order?

Four business hours, start to finish. That deadline exists less for fraud prevention and more for customer retention: real buyers don't wait around wondering why their order is stuck, they cancel and buy from whoever ships faster. Track SLA adherence alongside your fraud rate so a slow review process doesn't quietly cost you the customers your checks were supposed to protect.

How often should I update my fraud rules?

Review the SOP every quarter, and immediately after any fraud spike, seasonal event like BFCM, or change to your payment processor or fraud tooling. A stale auto-cancel rule keeps blocking now-legitimate orders silently while everyone still trusts the doc, which is exactly how a fraud SOP quietly costs you revenue.

AY
Anand YadavFounder, ReccordSOP

I built ReccordSOP after watching too many DTC ops teams lose months to undocumented workflows. These SOPs are battle-tested with Shopify operators running $1M to $50M brands.

Last reviewed July 5, 2026

Related reading