Signals v3: 13 new fraud signals for identity, network, and cashout abuse
Fraud patterns that worked on e-commerce merchants two years ago don't look like what's working today. The lone serial returner is still out there, but the growth has moved elsewhere. Coordinated address clusters, new-account velocity attacks, gift card cashout rails, and review-driven return schemes that slip past signal sets built for a simpler era.
Today we're shipping RefundSentry's biggest scoring release yet: Signals v3, 13 new return-fraud evaluators covering identity, network, and cashout patterns we kept seeing in merchant investigations but couldn't score cleanly. They run on every return inside the same pipeline as the existing 50+ signals, no configuration required.
This post walks through what's new, why each signal exists, and what kind of abuse it's designed to surface.
The gaps Signals v3 closes
The original signal set was built around one customer's return history. How many returns, how fast, how high in value, how often flagged. That framing catches opportunistic abuse well. It catches organized abuse poorly.
Three patterns kept slipping through.
Identity laundering. Fraudsters don't reuse accounts. They spin up new ones. Each looks clean in isolation.
Network coordination. Multiple accounts pointed at the same address, the same referral code, or the same payment rail, all behaving normally on their own.
Cashout mechanics. The point of the fraud isn't to keep the product. It's to convert store credit or gift cards into cash. This leaves a fingerprint that isn't about return frequency at all.
Signals v3 introduces five new categories that target exactly these gaps: Identity, Network, Product, Value, and Pattern.
Identity signals
Multi-account address
Fraudsters rotate customer accounts but rarely rotate shipping addresses. Real addresses are scarce, hard to fabricate, and tied to real delivery logistics. When we see multiple distinct customer accounts pointing at the same hashed shipping address over a short window, the account ages no longer matter.
This signal fires when a return's shipping address has been used by an unusually high number of distinct accounts relative to your store's baseline. The address itself is never stored as plaintext. Only a salted hash is kept for matching, consistent with RefundSentry's data minimization posture.
Account age vs. order value mismatch
A brand-new customer placing their first order is normal. A brand-new customer placing a first order several times your store's typical order value is a different story. Combine that with a return request in the first weeks and you have the shape of a burn-and-dump account.
This signal weighs account age against order value, scaled to your own store's median. A $400 first order is routine for a luxury shop and wildly anomalous for a low-AOV merchant. No hardcoded thresholds. The signal calibrates against your baseline.
Guest checkout returner (two-pass modifier)
Guest checkout is legitimate and common. A guest checkout by itself is not a fraud signal. But a guest checkout that also triggers several other fraud signals (multi-account address, high-value mismatch, gift card cashout) is a very different situation than a signed-in return with the same signals.
This is the first RefundSentry signal that runs as a second-pass modifier. The scoring engine evaluates every other signal first, counts how many triggered, then decides whether the guest-checkout context amplifies the risk. Guest checkout alone gets no points. Guest checkout plus three other triggered signals gets a meaningful bump.
Network signals
Shared address cluster
Multi-account address looks at accounts. This one looks at returns. When multiple returns originate from the same address in a short window (even from the same customer), the cluster is scored as a coordinated event rather than independent data points.
This signal connects individual returns back to fraud-ring behavior without waiting for the fraud ring alerter to confirm the pattern. It uses the same AddressFingerprint infrastructure that powers RefundSentry's fraud ring graph.
Referral chain returns
Discount codes leak. A single promo code shared in a Telegram channel or a coupon site turns into hundreds of first-time buyers who all place one order and return it for store credit or gift cards. The orders look independent. The cohort behind the discount code is doing the same thing in unison.
This signal tracks the return rate of each discount code cohort over time and flags returns tied to codes whose cohorts are performing far worse than your store average. Cohort state is refreshed asynchronously via a QStash job, so there's no scoring-time cost.
Product signals
Limited edition return
Drops, collabs, seasonal capsules, anything time-boxed, collectible, and likely to appreciate on the secondary market. When one of these items comes back inside a window that matches typical resale timing, the economics of the return look very different from "this didn't fit."
This signal combines product metadata (tags, collection membership) with timing to surface returns that fit the wear-and-resell pattern. It won't fire on your core catalog. It only lights up on items you've actually marked as limited.
Consumable return
Beauty samples, supplements, hygiene products, anything a customer could have used and then returned. Most merchants have a no-return policy on consumables, but abusers file anyway and hope it slips through.
Because consumable returns often route through store policy exceptions rather than getting blocked outright, they're easy to lose track of. This signal tags them automatically based on product type so they show up in the risk queue instead of silently getting refunded.
Size swap escalation
One size exchange is reasonable. Two is normal. Three or more on the same product is a pattern, and it often ends with the item being kept in a size the customer never actually bought, or returned outright for a refund instead of another exchange.
This signal looks at per-customer-per-product exchange history and escalates when the pattern exceeds what normal sizing uncertainty would produce.
Value signals
Gift card cashout
The cleanest cashout scheme we see. Buy a gift card with a stolen card, wait, file a return or dispute on the original purchase, request refund to a different payment method. The fraudster walks away with the gift card balance and the original funds.
This signal triggers when a gift card purchase is followed by a refund request routed to a non-gift-card destination. Hard to fake around. If the original funds went to a gift card, any refund to a different rail is economically suspicious.
Refund method switch
A softer cousin of gift card cashout. Customer pays by credit card, requests a refund to a different card, or to store credit, or to a payment method that didn't exist on the original order. Sometimes legitimate (the original card expired). Usually a laundering step.
This signal fires on method switches without the specific gift-card dimension and is additive with the cashout signal when both apply.
Pattern signals
Reason escalation
Every merchant sees this. A customer opens a return for "changed mind" or "ordered wrong size." Then, when the refund terms aren't what they wanted, they amend the reason to "defective" or "not as described." The second reason unlocks better terms. Free return shipping, full refund, no restocking fee.
This signal tracks per-customer reason history and flags returns where the customer has a pattern of escalating from non-defective to defective reasons across multiple returns.
Holiday surge returner
Black Friday. Boxing Day. Singles' Day. The return wave that arrives 30 to 60 days after a major sale event is both real and full of abuse. Bracketing at scale, wardrobing, and serial sale-returning all look normal until you bucket returns by their originating sale window.
This signal identifies customers whose return history is concentrated disproportionately in sale-window orders. The shape of someone who only engages with your store to extract sale-margin merchandise.
Review-then-return
The sneakiest of the new signals. A customer places an order, receives it, posts a positive review (often to unlock a post-review discount or loyalty perk), and then files a return inside the window. The review stays up and earns the customer reputation on your store. The product goes back and earns them a refund.
This signal correlates review activity with subsequent return requests and flags sequences where the review clearly preceded the return with suspicious timing.
How the engine handles 13 new signals
Adding 13 signals at once changes the shape of the scoring engine in two important ways.
Two-pass evaluation
Until now every signal was independent. Evaluate, assign points, sum. Guest checkout returner breaks that rule. It needs to know how many other signals triggered before it can decide its own score.
So the engine runs in two passes. Pass one evaluates every signal except guest checkout. Pass two counts the triggered set from pass one and feeds that count into the guest checkout evaluator. The rest of the pipeline is unchanged, and the performance cost is negligible. One small function call, not a second scoring run.
Graceful degradation
Not every signal has the data it needs on every return. Limited edition return needs product tags. Referral chain returns needs a discount code cohort that's been refreshed recently. Review-then-return needs review activity from the order enrichment pipeline.
Every Signals v3 evaluator has a NOT_AVAILABLE state it returns when the required data isn't present. These signals contribute zero points when they fire NOT_AVAILABLE. They don't penalize the return, they don't error, they step aside. The engine keeps working on every store from day one, even while individual data sources are still warming up.
Confidence recalibration
With 60+ signals now in play, the confidence thresholds that classify a score as LOW / MEDIUM / HIGH confidence needed to scale. A score produced by two signals out of 15 deserves less confidence than a score produced by two signals out of 60. The confidence calculator has been rebalanced so existing merchants don't suddenly see every score drop a confidence tier.
Privacy and data posture
Every Signals v3 signal that touches customer identity does so through hashed fingerprints, not raw PII. Shipping addresses are normalized and SHA-256 hashed before comparison. Email-based matching uses the same mechanism. No raw addresses, emails, or names are stored in RefundSentry's database. They're fetched live from Shopify when needed for display and never cached beyond a short request-level window.
The same data minimization posture governs every other feature, and it's now codified in the project constitution. General-purpose tables never contain raw customer PII. Only hashed identifiers for matching and purpose-scoped models for legitimate short-lived storage (like notification queues), all with explicit TTLs and erasure hooks.
What's live today
All 13 Signals v3 evaluators are in production and running on every return that flows through RefundSentry. Twelve score at return-ingest time against the full data set: address fingerprints, discount code cohorts, order enrichment, per-customer return history, product metadata, variant options.
The thirteenth, refund method switch, evaluates in a second pass. At return-ingest the refund hasn't happened yet, so the signal starts as NOT_AVAILABLE. When the refund actually lands (minutes, hours, or days later), RefundSentry automatically re-scores just this one signal and patches the return's risk total. No merchant action needed.
If you're on RefundSentry, open the return detail page on any recent return. Triggered Signals v3 signals show up under the Identity, Network, Product, Value, or Pattern category bands, with the same merchant-facing descriptions as the rest of the signal set.
Why this matters
Fraud detection that only scores individual transactions misses the shape of modern return abuse. A multi-account attack looks fine one account at a time. A referral chain attack looks fine one order at a time. A gift card cashout looks fine one gift card at a time. The abuse only becomes visible when the scoring engine can reason across addresses, cohorts, product types, and refund mechanics simultaneously.
Signals v3 is the foundation for that kind of reasoning. The 13 signals shipping today are the first installment. The infrastructure they share (address clustering, discount cohort state, hashed identity graphs) is also what will power the upcoming Interactive Fraud Ring Graph and the next wave of network-level abuse detection.
If you're already on RefundSentry, you don't have to do anything. The new signals are running now. If you're evaluating return fraud tools, this is the fraud signal set to compare against.