The 2026 Shopify operator guide

Shopify fraud protection in 2026: what's built in, what's missing, what to add.

By Adrien Bokor, Founder, RefundSentry · Last reviewed 19 May 2026

Shopify ships four fraud tools (Fraud Analysis, Fraud Control, Shopify Flow, Shopify Protect) and another dozen sit on the App Store. This page documents what each one actually covers, where the gaps are, and which app category fills which gap. Cited from primary Shopify docs and current App Store listings.


What Shopify fraud protection actually means

The phrase covers two different things that get conflated in vendor copy. The first is the set of native tools Shopify builds and ships for free: Fraud Analysis (ML scoring on credit-card orders), Fraud Control (rule-based checkout blocking), Shopify Flow (automation), and Shopify Protect (free chargeback reimbursement on a narrow slice of Shop Pay orders). The second is the App Store ecosystem of third-party fraud, returns, and chargeback apps that fill in what the native tools don't cover.

The reason this page exists: every other guide is written by a vendor selling one of those App Store apps. They tend to either oversell what the native tools cover (so you don't notice the upsell pitch) or undersell them (so the gap looks bigger than it is). The honest picture is in between, and it depends heavily on whether you're on Shop Pay, US-based, on Shopify Payments, and which plan you're on.

What Shopify ships natively

Four tools, each with its own scope, eligibility rules, and gaps. Read all four before you evaluate App Store apps.

Native tool 1 of 4

Shopify Fraud Analysis

ML-based risk scoring on credit-card orders. Returns a Low / Medium / High recommendation in the Order risk section of the admin, plus a list of indicators (AVS, CVV, IP geolocation, multiple cards, account age, network patterns). Trained on Shopify-network data only, so signals outside the Shopify graph are invisible.

What it covers

  • Stolen-card and account-takeover patterns at checkout
  • Card testing (small repeat orders from one BIN range)
  • IP and address mismatches surfaced as indicators
  • Pattern matches against the wider Shopify fraud network

What it misses

  • Auto-cancellation (it's passive; the merchant decides)
  • Return fraud, refund fraud, post-delivery friendly fraud
  • Offline orders and most non-credit-card payment methods
  • Score recommendations on Basic plans without Shopify Payments (indicators only)

Cost: Free, but recommendation tier requires Shopify Payments OR Grow+ plan.

Shopify Help: Fraud analysis

Native tool 2 of 4

Shopify Fraud Control app

Replaced the deprecated Fraud Filter app on January 31, 2025. Free, built by Shopify. Dashboard showing acceptance rate, high-risk order rate, and fraudulent chargeback rate, plus a rule-builder that blocks checkouts (not just orders) by email, address, or IP. Requires Shopify Payments.

What it covers

  • Hard-blocking checkouts by email, address, IP, or country
  • Acceptance-rate and chargeback dashboard for health monitoring
  • Pre-built rule library (block disposable email, suspicious IPs, etc.)

What it misses

  • Soft action on MEDIUM risk (only blocks HIGH per merchant reviews)
  • Domain-level blocking (specific email or IP only, no wildcard support)
  • Return-side rules (orders only)

Cost: Free with Shopify Payments.

Shopify Help: Fraud Control app

Native tool 3 of 4

Shopify Flow

Free automation engine on Basic and above (as of 2022; previously Plus-only). Triggers from order events, return events, customer tag changes, and any third-party app that registers a custom trigger. Actions include hold fulfillment, cancel + restock, tag customer or order, send email, and Send HTTP request (Grow+ only).

What it covers

  • Automatic hold + tag + email on HIGH risk orders
  • Auto-tag serial returners when a customer crosses a return threshold
  • Auto-escalate flagged returns to a review queue
  • Custom triggers from third-party fraud apps via the Flow extension API

What it misses

  • The signals themselves; Flow automates on signals you bring or that Shopify provides
  • External HTTP calls on Basic plan (gated to Grow+)
  • A bulk migration path from the old Fraud Filter (many rules don't port)

Cost: Free on every paid plan, but some actions gated to Grow+.

Shopify Help: Managing high-risk orders with Shopify Flow

Native tool 4 of 4

Shopify Protect

Free chargeback reimbursement program for Shop Pay orders. Shopify handles the dispute and refunds the merchant the order total plus the chargeback fee on protected orders. Strict eligibility: US Shopify Payments only, Shop Pay only, fulfilled within 7 days with valid tracking via a supported carrier, in transit within 10 days, physical items only.

What it covers

  • Visa Fraudulent (10.4) and Mastercard Unrecognized (4837) reason codes only
  • Total order amount + Shopify chargeback fee on protected orders
  • Shop Pay social-channel orders (Meta, Google) since 2024

What it misses

  • Item-not-received (INR) chargebacks
  • Not-as-described, defective, damaged claims
  • Duplicate-charge, credit-not-issued, cancelled-subscription disputes
  • Friendly fraud where the cardholder claims dissatisfaction
  • Shop Pay Installments (Affirm handles those separately)
  • Digital goods, BOPIS, recurring subscription renewals
  • Any order where the shipping address changed after checkout

Sunset alert: the old Fraud Filter app

Shopify sunset the legacy Fraud Filter app on January 31, 2025. Merchants were forced to migrate rules to Shopify Flow or the new Fraud Control app. Many rules don't port cleanly. One merchant reported only 1% of their 1,945 rules migrated automatically. If you haven't audited your old Fraud Filter rules, do that before relying on the native stack.

The four fraud surfaces every Shopify store has

Fraud doesn't happen at one point. It happens at four: pre-checkout, pre-ship, post-fulfillment, and cross-shop. Each surface has its own signals and its own coverage in the native stack.

Surface 1: pre-checkout / payment-time

Stolen cards, card testing, account takeover, identity inconsistency.

Native coverage: Fraud Analysis flags risk, Fraud Control blocks. Neither auto-cancels. Gap: a HIGH-risk flag still needs human or Flow-based action.

Surface 2: pre-ship / post-checkout, pre-fulfillment

Reshipper addresses, freight forwarders, BNPL on high-AOV first-orders, address-velocity patterns.

Native coverage: Flow can hold fulfillment if you trigger on Order risk analyzed. Gap: Shopify's signals don't include cross-shop history; a brand-new customer with a chargeback history at three other stores looks clean here.

Surface 3: post-fulfillment / returns and refunds

Wardrobing, bracketing, empty-box, switch fraud, INR, refund-method switch, double-dip.

Native coverage: Flow exposes Return requested and Return declined triggers. Gap: no native scoring on return requests. You bring the scoring signals (returns app or fraud-intelligence app), Flow automates on them.

Surface 4: cross-shop / fraud rings

Shared addresses across customer accounts, identity reuse across merchants, coordinated low-ticket attack waves.

Native coverage: Fraud Analysis hints at Shopify-network patterns but doesn't surface them per-order. Gap: the merchant has no way to query the network. Cross-shop signals require a third-party layer with shared identity hashing.
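A sketch of shared identity hashing for cross-shop matching, added here as an example and not taken from RefundSentry or any other vendor. It uses the SHA-256 hashes of email and phone that this page mentions further down; the normalization rules, the optional HMAC key and all records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import unicodedata
from collections import defaultdict


def normalize_email(raw):
    """Trim, NFKC-normalize and lowercase so equal addresses hash equally."""
    email = unicodedata.normalize("NFKC", raw).strip().lower()
    local, sep, domain = email.partition("@")
    if not (local and sep and domain) or "@" in domain:
        raise ValueError("not an email address")
    return email


def normalize_phone(raw, default_country_code="1"):
    """Reduce a number to '+<digits>'; 10-digit input gets the default code."""
    digits = re.sub(r"\D", "", raw)
    if not raw.strip().startswith("+") and len(digits) == 10:
        digits = default_country_code + digits
    if not 8 <= len(digits) <= 15:
        raise ValueError("not a phone number")
    return "+" + digits


def identity_hash(value, key=None):
    """SHA-256 of a normalized identifier, or HMAC-SHA-256 when a key is given."""
    data = value.encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def shared_identities(records, key=None):
    """Map each hash seen at two or more stores to the accounts that carry it."""
    seen = defaultdict(set)
    for store, customer_id, email, phone in records:
        for value in (normalize_email(email), normalize_phone(phone)):
            seen[identity_hash(value, key)].add((store, customer_id))
    return {digest: sorted(accounts) for digest, accounts in seen.items()
            if len({store for store, _ in accounts}) > 1}


# Constructed records (reserved example domains and 555-01xx numbers).
RECORDS = [
    ("store-a", 11, " Jane.Doe@Example.com", "(415) 555-0100"),
    ("store-b", 907, "jane.doe@example.com", "+1 415-555-0100"),
    ("store-c", 5, "other@example.net", "415 555 0100"),
    ("store-c", 6, "solo@example.org", "415 555 0199"),
]

if __name__ == "__main__":
    for digest, accounts in shared_identities(RECORDS).items():
        print(digest[:12], accounts)
```

Matching only works if every store normalizes identically before hashing. An unkeyed SHA-256 of a phone number or common email can be recovered by enumerating candidates, which is why the keyed variant, with the key held by the matching service, is included.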

The five fraud app categories on the Shopify App Store

Apps cluster into five categories, each with a specific coverage scope. Stacking two apps in the same category usually creates decision conflicts. Stacking across categories is normal.

Category 1 of 5

Payment-fraud + chargeback guarantee

Signifyd, NoFraud (Wyllo), Riskified, ClearSale, SEON, Beacon

What it catches

Stolen-card fraud, card testing, account takeover, identity inconsistency, IP and device anomalies at checkout.

What it misses

Wardrobing, bracketing, INR after delivery, double-dip, post-refund abuse.

Pricing pattern: Mostly free-to-install + percentage of approved order value. NoFraud requires $50K/mo processing for the guarantee tier. SEON publishes $699/mo. Signifyd does not publish a floor; pricing is per-vertical % of approved orders.

Category 2 of 5

Returns management with fraud rules

Loop Returns, AfterShip Returns, ReturnGo

What it catches

Policy violations (out of window, wrong reason), restocking-fee enforcement, weight-discrepancy checks at receiving, return blocklists.

What it misses

Cross-shop fraud rings, payment-time fraud, chargeback fights, network-level signals.

Pricing pattern: Loop from $155/mo Essential to $340/mo Advanced. AfterShip Returns free + $11 / $59 / $239 (fraud features gated to Premium). ReturnGo from $23/mo Starter to custom Enterprise.

Category 3 of 5

Return-fraud intelligence

RefundSentry, Beacon (returns module)

What it catches

Wardrobing, bracketing abuse, serial returners, refund-method switches, double-dip, cross-shop fraud rings, identity-network signals.

What it misses

Card-not-present payment fraud at checkout (covered by Layer 1, the payment-fraud category) and policy decisions on the customer-facing return flow (Layer 2, returns management, owns that).

Pricing pattern: RefundSentry: free during private beta. See pricing for general availability tiers.

Category 4 of 5

Chargeback recovery

Chargeflow, Justt, Chargebacks911

What it catches

Representment evidence assembly, deadline management, deflection via Verifi and Ethoca, Visa CE3.0 submission for reason code 10.4.

What it misses

Preventing fraud at checkout. Recovery is post-loss and does not stop the dispute rate climbing into VAMP or Shopify Payments thresholds.

Pricing pattern: Chargeflow: 25% of recovered chargebacks, $0.20/order on Prevent after 1,000 free. Justt: success-based. Mixed reputation in App Store reviews; verify win-rate claims before committing.

Category 5 of 5

Identity verification

Veratad, Persona, SEON (identity module)

What it catches

Fake account creation, disposable email, VoIP phone numbers, proxy and VPN detection, multi-account abuse.

What it misses

Sophisticated fraud rings that pass identity checks, returns abuse, chargeback fights.

Pricing pattern: Per-verification micro-fee plus monthly minimum. Usually only worth it on high-AOV verticals or stores with specific compliance pressure.

Stacking rule of thumb: never run two guarantee apps in parallel (decision conflicts on the same order). Two scoring apps are OK if they target distinct surfaces (e.g., one on payment-time, one on returns). The most common stack for a $1M-$50M Shopify DTC store: native tools + one returns-management app + one return-fraud intelligence layer + (if dispute rate justifies) one chargeback recovery app.

The Shopify Flow fraud-automation playbook

Shopify Flow is the automation layer. The signals are yours to bring. Three concrete recipes most stores benefit from.

The trigger pitfall most merchants hit

Use Order risk analyzed, not Order created. The risk-level field is empty for 1-2 minutes after order creation while Shopify's ML model runs. A workflow triggered on Order created with a risk-level condition will silently evaluate to null on every order and never fire the action.
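The pitfall above, modeled as an added example (not Shopify's or RefundSentry's code). The trigger names, the workflow representation and the event stream are constructed stand-ins, not Flow's internal format; `lint` is a hypothetical check you could run over your own inventory of workflows.

```python
from dataclasses import dataclass

# Constructed stand-ins for the two Flow triggers and the risk field.
ORDER_CREATED = "order_created"
ORDER_RISK_ANALYZED = "order_risk_analyzed"
RISK_FIELD = "order.risk.level"


@dataclass(frozen=True)
class Workflow:
    name: str
    trigger: str
    condition_field: str   # field the condition reads
    equals: str            # value the condition compares against
    actions: tuple


def evaluate(workflow, event):
    """Return the actions a workflow fires for one event (empty tuple if none)."""
    if event["trigger"] != workflow.trigger:
        return ()
    # A field that is not populated yet reads as None, so the comparison is
    # simply false: no error, no log entry, no action.
    if event["fields"].get(workflow.condition_field) != workflow.equals:
        return ()
    return workflow.actions


def lint(workflow):
    """Flag a risk-level condition on a trigger that fires before scoring."""
    if workflow.condition_field == RISK_FIELD and workflow.trigger != ORDER_RISK_ANALYZED:
        return [f"{workflow.name}: condition reads {RISK_FIELD} but trigger is "
                f"{workflow.trigger}; the field is empty at that point"]
    return []


ACTIONS = ("hold_fulfillment", "tag:review:fraud", "email_team")
broken = Workflow("hold-high-risk (broken)", ORDER_CREATED, RISK_FIELD, "HIGH", ACTIONS)
fixed = Workflow("hold-high-risk", ORDER_RISK_ANALYZED, RISK_FIELD, "HIGH", ACTIONS)

# Constructed event stream for one order: creation first, scoring later.
EVENTS = [
    {"trigger": ORDER_CREATED, "order": 1001, "fields": {RISK_FIELD: None}},
    {"trigger": ORDER_RISK_ANALYZED, "order": 1001, "fields": {RISK_FIELD: "HIGH"}},
]


def fired(workflow, events=EVENTS):
    """Collect (order, action) pairs the workflow produces over an event stream."""
    return [(e["order"], a) for e in events for a in evaluate(workflow, e)]


if __name__ == "__main__":
    for wf in (broken, fixed):
        print(wf.name, "->", fired(wf) or "never fires", lint(wf))
```

The broken workflow produces no error anywhere, which is why the check is on the workflow definition rather than on its run history.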

[Screenshot: Shopify Flow editor with the trigger picker open on RefundSentry's custom triggers (Blocklisted Customer Order, High-Risk Return Detected, Order Scored, Fraud Ring Detected, Chargeback Risk Alert, Customer Risk Tier Changed, Return Spike Detected, Order Held by RefundSentry), and a workflow being built that wires High-Risk Return Detected into a condition checking that Risk zone is equal to HIGH.]

Caption: Eleven RefundSentry custom triggers register inside Shopify Flow. Each one carries the full scoring payload, so the merchant builds workflows entirely in the Flow editor without leaving the admin.

Recipe 1

Auto-hold HIGH risk orders for manual review

Trigger: Order risk analyzed (NOT Order created; risk data is empty at that point)
Condition: order.risk.level == HIGH
Actions: Hold fulfillment + tag order 'review:fraud' + send team email

Recipe 2

Auto-tag serial returners across orders

Trigger: Custom trigger from a returns app, or Customer tags updated
Condition: customer.returnCount > 5 in last 30 days
Actions: Add customer tag 'serial-returner' + send admin notification

Recipe 3

Auto-escalate a flagged return

Trigger: Return requested
Condition: customer has 'risk:high' tag OR return reason matches a watchlist regex
Actions: Add return tag 'manual-review' + post to a Slack webhook (Grow+)

Note one plan dependency: the Send HTTP request action (used for posting to Slack, escalating to an external review queue, or calling a fraud-API for a second opinion) requires Grow, Advanced, or Plus. Basic stores can still use the email and tag actions.

Why native Shopify Admin integration matters

A fraud app that lives in a separate dashboard breaks the CS workflow. Apps that write into Shopify's native Order risk section keep the team in one tab.

The mutation that matters: orderRiskAssessmentCreate

As of Shopify API version 2024-04, the legacy Order Risk API is deprecated. Third-party fraud apps push risk assessments via the GraphQL mutation orderRiskAssessmentCreate, which accepts a risk level (LOW / MEDIUM / HIGH / PENDING) and an array of human-readable facts with sentiment (positive / neutral / negative). The merchant sees these third-party indicators alongside Shopify's own in the same Order risk section.

A companion webhook, orders/risk_assessment_changed, fires every time an assessment is added or updated. Shopify Flow can then trigger off the combined result via Order risk analyzed, which now reflects both native and third-party assessments.

The practical difference: when your fraud app uses orderRiskAssessmentCreate, the score lives in the same admin screen the CS team already opens for every order. When the app doesn't, the team has to open a second tab, find the order, and translate between two scoring systems. Most apps that skip the native API do so because their scoring model doesn't fit Shopify's Low / Medium / High enum.
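One way to fit a numeric scoring model into the enum and facts that orderRiskAssessmentCreate accepts, added here as an example and not taken from Shopify or any vendor. The GraphQL argument and field names are written as understood from the Admin API schema and should be confirmed against the version you target; the score cut-offs and signals are hypothetical and constructed.

```python
import json

# Argument and field names as understood from the Admin GraphQL schema;
# confirm them against the API version you target before use.
MUTATION = """\
mutation CreateAssessment($input: OrderRiskAssessmentCreateInput!) {
  orderRiskAssessmentCreate(orderRiskAssessmentInput: $input) {
    orderRiskAssessment { riskLevel facts { description sentiment } }
    userErrors { field message }
  }
}
"""

# Hypothetical cut-offs for a 0-100 internal score.
MEDIUM_AT, HIGH_AT = 40, 75


def to_risk_level(score):
    """Collapse a 0-100 score into the enum; None means scoring has not finished."""
    if score is None:
        return "PENDING"
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score >= HIGH_AT:
        return "HIGH"
    return "MEDIUM" if score >= MEDIUM_AT else "LOW"


def to_fact(signal):
    """Turn one internal signal into a readable fact with a sentiment."""
    description = " ".join(signal["description"].split())
    if not description:
        raise ValueError("fact description is empty")
    weight = signal["weight"]
    sentiment = "NEGATIVE" if weight > 0 else "POSITIVE" if weight < 0 else "NEUTRAL"
    return {"description": description, "sentiment": sentiment}


def build_request(order_gid, score, signals):
    """Build the JSON body for the mutation; strongest signals are listed first."""
    if not order_gid.startswith("gid://shopify/Order/"):
        raise ValueError("expected an Order global ID")
    level = to_risk_level(score)
    ranked = sorted(signals, key=lambda s: abs(s["weight"]), reverse=True)
    facts = [to_fact(s) for s in ranked]
    if score is not None:
        # The enum drops the score's resolution, so carry the number as a fact.
        facts.append({"description": f"Internal score {score}/100", "sentiment": "NEUTRAL"})
    return {"query": MUTATION, "variables": {"input": {
        "orderId": order_gid, "riskLevel": level, "facts": facts}}}


# Constructed signals for one order; a positive weight raises risk.
SIGNALS = [
    {"description": "Billing and shipping  countries differ", "weight": 20},
    {"description": "Customer has 14 prior orders without disputes", "weight": -15},
    {"description": "Card tried 3 times before success", "weight": 35},
]

if __name__ == "__main__":
    body = build_request("gid://shopify/Order/1001", 82, SIGNALS)
    print(json.dumps(body["variables"], indent=2))
```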

How to decide: a Shopify operator's framework

Four diagnostic questions before you spend on an app. Answer them honestly and the right category usually self-selects. The layer numbers below match the five app categories above.

  1. Is your chargeback rate above 1%?

    If yes, you're at risk of Shopify Payments' 20% reserve trigger and approaching VAMP's 1.5% threshold (April 2026). Start with a chargeback-recovery app (Layer 4) AND a payment-fraud app (Layer 1). Recovery alone doesn't stop the rate from climbing.

  2. Where is the margin actually leaking?

    Pull the last 90 days. If most of the bleed is post-delivery (returns, refunds, friendly fraud), you need Layer 2 (returns management) or Layer 3 (return-fraud intelligence). If it's pre-ship (card-not-present fraud, INR claims on delivered orders), you need Layer 1.

  3. Do you already have a returns app?

    If you run Loop, AfterShip Returns, or ReturnGo, you have Layer 2. Don't replace it. Add Layer 3 (return-fraud intelligence) on top for the cross-shop and behavioral signals your returns app doesn't compute. The two are read/write complements, not substitutes.

  4. What's your GMV?

    Under $1M GMV: native tools + one rule-based app (Beacon, SEON) is usually enough. $1M-$10M: add Layer 3 for returns and a recovery app once disputes hit 50/month. Above $10M: probably need a guarantee app (Signifyd, NoFraud) at Layer 1, plus 2 or 3 of the other layers.

One last note: don't pay for a guarantee until you've measured your false-positive cost. A guarantee app that declines 2% of legitimate high-AOV orders can cost more in lost revenue than it saves in chargebacks. Run a 30-day shadow mode if the vendor offers it.

Shopify fraud protection, answered

What is Shopify fraud protection?

Shopify fraud protection is the combined set of native tools (Fraud Analysis ML scoring, the Fraud Control app, Shopify Flow risk automations, Shopify Protect chargeback reimbursement for eligible Shop Pay orders) and third-party apps from the Shopify App Store that flag, block, automate, and reimburse fraudulent orders. The native tools detect risk and reimburse a narrow set of chargebacks. Most merchants add at least one App Store app to fill the gaps.

Does Shopify have built-in fraud protection?

Yes, but it's fragmented. Every Shopify store gets free Fraud Analysis (Low / Medium / High risk recommendations) and the free Fraud Control app for blocking checkouts. US-based Shop Pay stores on Shopify Payments also get free Shopify Protect chargeback reimbursement on eligible orders. The built-in tools detect risk and reimburse a subset of chargebacks. They do not auto-cancel orders, score return requests, or cover most non-fraud chargeback categories.

What does Shopify Protect actually cover?

Shopify Protect covers the total order amount plus the Shopify chargeback fee on Visa Fraudulent (10.4) and Mastercard Unrecognized (4837) chargebacks. Eligibility requires a US Shopify Payments account, Shop Pay enabled, the order fulfilled within 7 days with valid tracking via a supported carrier, in transit within 10 days, physical items only. It does not cover INR, not-as-described, duplicate charges, credit-not-issued, cancelled subscriptions, friendly fraud claiming dissatisfaction, digital goods, BOPIS, Shop Pay Installments, or any order with a shipping address change after checkout.

Is Shopify Protect free?

Yes. Shopify Protect costs nothing for eligible US Shop Pay orders on Shopify Payments. There is no per-order fee and no subscription. The trade-off is the narrow eligibility window: most chargeback reason codes are not covered, and any operational slip (late fulfillment, address change, unsupported carrier) voids protection on that order.

Does Shopify Fraud Analysis catch return fraud?

No. Shopify Fraud Analysis evaluates the purchase event for payment-fraud signals (stolen card, account takeover, card testing). It does not score return requests, refund patterns, or post-purchase customer behavior. Return fraud (wardrobing, empty-box, serial returners, refund-method abuse) requires either a returns-management platform like Loop or AfterShip Returns with fraud rules, or a dedicated return-fraud intelligence layer like RefundSentry.

What replaced the Shopify Fraud Filter app?

The Fraud Filter app was sunset on January 31, 2025. Shopify offered two migration paths: Shopify Flow (for rules that block actions on existing orders) and the new free Fraud Control app (for rules that block checkouts before an order is created). Many merchants reported that only a small fraction of their old rules ported cleanly. If you had Fraud Filter rules, audit them, and rebuild the high-value ones in Fraud Control or Flow.

What's the best fraud app for Shopify?

There is no universal best. The decision depends on where margin is leaking. For payment-time fraud at scale, Signifyd and NoFraud (Wyllo) are the most-installed picks. For return fraud, Loop and AfterShip Returns own the returns flow; RefundSentry sits on top as an intelligence layer with cross-shop signals. For chargeback recovery, Chargeflow and Justt automate representment. For sub-$1M GMV stores, Shopify's native tools plus a rule-based app like Beacon is often more cost-effective than a guarantee app.

Does Shopify support Visa Compelling Evidence 3.0?

Shopify writes about CE3.0 in enterprise content, but the native admin dispute response form does not currently expose CE3.0 fields (prior undisputed transaction list, IP / device / shipping address match within 120 days). CE3.0 submissions for Visa reason code 10.4 currently require either your acquirer or PSP exposing Verifi Order Insight, or a third-party app like Chargeflow, Justt, or Chargebacks911 that submits via the network. Confirm against Shopify Payments' current roadmap before relying on this.

Primary sources cited on this page

Last reviewed: 19 May 2026. App Store reviews and Shopify product surfaces refresh constantly; always confirm pricing and coverage against the linked primary source before deciding. Disclosure: RefundSentry sells fraud-intelligence software for Shopify, so we have skin in the game on the framing of Layer 3 (return-fraud intelligence).

Privacy & Compatibility

Clear Setup, Low Data Risk, and No Workflow Rip-and-Replace

For a new app, trust starts with clarity: what gets installed, what data stays out of scope, and how RefundSentry fits into the tools you already use.

No Raw PII Stored

Shopify customer IDs and SHA-256 hashes of email and phone for cross-store matching. No raw names, emails, addresses, or payment data ever touch our database.

No raw names or emails stored · No raw addresses stored · No payment data

Privacy by Design

Return behavior analysis without building personal customer profiles. GDPR-ready from day one.

Minimal data collection · Customer IDs only · Aggregate statistics

Real-Time Scoring

Returns are analyzed during webhook processing so your team sees new risk signals as activity comes in.

Webhook-based scoring · Dashboard visibility · No batch review queue

Works With Your Stack

Add-on to your existing returns workflow. No need to replace Shopify Native, Loop, AfterShip, or ReturnGO.

No migration required · Add-on to current stack · Shopify-native integrations

What You Get on Day One

  • Shopify Native: built for Shopify
  • Webhook-based: scores as events arrive
  • Customer tagging: risk labels in Shopify
  • Shopify billing: no external payments
