E-commerce Fraud Prevention Checklist
Customer & Account Verification
Confirm the Shopify Customer Accounts flow (or Auth0 / Klaviyo double opt-in) is sending a verification link before checkout for new accounts. Disposable-email domains (mailinator, tempmail) should be blocked at the form layer — most fraud rings cycle through them.
Verify the SMS / call-back step fires above your AOV threshold (commonly $250+ on first-order accounts). Postscript or Attentive can carry the trigger; otherwise Twilio Verify. Sanity-check the threshold against last month's chargeback floor — fraud usually clusters above it.
Pull the 2FA enrollment report from Shopify staff settings, Amazon Seller Central, Klaviyo, and Gorgias. Anyone with order-edit, refund, or payout permissions must be enrolled — Seller Central account takeovers usually start with an unenrolled VA login.
Run the duplicate-customer report in Shopify (or via Triple Whale / Lifetimely). Look for the same phone number on different emails, the same device fingerprint across accounts, or the same shipping address with mismatched billing names — classic signals for promo abuse and stolen-card testing.
For each flagged cluster, freeze the account in Shopify, cancel pending orders without refund until ID-verified, and add the contact data to the Stripe Radar block list. Document the cluster in the fraud log so it informs the next monthly review.
Spot-check 20 recent orders for AVS match status and freight-forwarder zip codes (33122, 33166, 90061 are common reship hubs). Mismatched billing-vs-ship country with declined AVS should be auto-canceled, not just flagged.
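The duplicate-customer linking described above (same phone on different emails, same device fingerprint across accounts, same ship-to address under mismatched billing names), as an added example that is not part of the original checklist. The records and field names are constructed stand-ins for columns of a customer/order export, not Shopify's real schema.

```python
from collections import defaultdict

# Constructed sample export rows (hypothetical values, not real customers).
ORDERS = [
    {"email": "a@example.com", "phone": "+15550001", "fingerprint": "fp-1",
     "ship_addr": "1 Main St 33122", "bill_name": "Ann Lee"},
    {"email": "b@example.com", "phone": "+15550001", "fingerprint": "fp-2",
     "ship_addr": "9 Oak Ave 10001", "bill_name": "Bob Ray"},
    {"email": "c@example.com", "phone": "+15550002", "fingerprint": "fp-2",
     "ship_addr": "1 Main St 33122", "bill_name": "Carl Voss"},
    {"email": "d@example.com", "phone": "+15550003", "fingerprint": "fp-3",
     "ship_addr": "5 Elm Rd 60601", "bill_name": "Dee Park"},
]

def find_clusters(orders):
    """Link accounts (keyed by email) that share a phone number, a device
    fingerprint, or a shipping address used under different billing names.
    Returns the linked groups; accounts with no shared signal are dropped."""
    parent = {}                      # union-find over emails
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    def union(a, b):
        parent[find(a)] = find(b)
    by_phone, by_fp, by_ship = defaultdict(set), defaultdict(set), defaultdict(dict)
    for o in orders:
        by_phone[o["phone"]].add(o["email"])
        by_fp[o["fingerprint"]].add(o["email"])
        by_ship[o["ship_addr"]][o["email"]] = o["bill_name"]
    # Shared phone or fingerprint links accounts unconditionally.
    for key_map in (by_phone, by_fp):
        for emails in key_map.values():
            first, *rest = sorted(emails)
            for e in rest:
                union(first, e)
    # A shared ship-to address only counts when the billing names disagree.
    for accounts in by_ship.values():
        if len(set(accounts.values())) > 1:
            first, *rest = sorted(accounts)
            for e in rest:
                union(first, e)
    groups = defaultdict(set)
    for o in orders:
        groups[find(o["email"])].add(o["email"])
    return [g for g in groups.values() if len(g) > 1]
```

Each returned group is one cluster to freeze, hold, and log per the step above; the sample links a, b and c through two different signals and leaves d alone.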
Transaction Monitoring & Review
Work through every order tagged Elevated or High in Stripe Radar / Shopify's fraud analysis. Capture obvious-good, refund obvious-bad, and route the gray middle to Signifyd / NoFraud / Kount for guarantee coverage. Don't let high-risk orders auto-capture overnight.
Pull every order above 3x AOV from the past 30 days. Cross-check IP geolocation against billing address, device fingerprint history, and prior order count. First-time buyer + 5x AOV + expedited shipping is the canonical card-tester profile.
Look for 10+ orders within an hour from the same IP, ASN, or device fingerprint — usually card testing or sneaker-bot scalping. Tighten Cloudflare Bot Fight Mode or Shopify's bot protection if you see clusters.
Review false-decline rate vs. chargeback rate from last month. If false declines crept above 1.5%, loosen the velocity rule on returning customers; if chargebacks crept above target, tighten on first-order high-AOV. Keep a changelog so reversals are easy.
Payment Security & PCI Compliance
Most Shopify Payments / Stripe merchants qualify for SAQ A or SAQ A-EP. Verify the attestation in your processor's compliance portal isn't expired and that no theme app introduced a custom card field that would push you to SAQ D.
Confirm no PAN or CVV is hitting your servers — checkout fields must be iframed from Shopify Payments, Stripe Elements, or Braintree Hosted Fields. A Wayback / page-source check of the live checkout catches the most common regression.
PSD2 SCA requires 3DS2 challenge on most EU/UK card transactions. In Stripe, set Radar rules to request_three_d_secure: any for EEA cards. Skipping 3DS shifts liability to the merchant — every chargeback dispute is auto-lost.
Audit installed Shopify apps and theme JS for known CVEs (Magecart-style skimmers love stale jQuery and abandoned analytics tags). Uninstall apps not used in 90 days — every app is a potential script-injection surface.
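The page-source check from the two items above (no raw card field on your own origin; no script loaded from a host you did not approve), as an added example that is not part of the checklist. The allowlist, the autocomplete tokens treated as card fields, and the sample checkout HTML are constructed assumptions; run it against a saved copy of the live checkout.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"cdn.shopify.com", "js.stripe.com"}  # assumed allowlist
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp"}  # PAN, CVV and expiry tokens
CARD_NAME_HINTS = ("card", "cvv", "cvc")

class CheckoutScanner(HTMLParser):
    """Collect inputs that would post PAN/CVV to our origin and scripts
    served from hosts we did not approve."""
    def __init__(self):
        super().__init__()
        self.raw_card_inputs = []
        self.foreign_scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            name = (a.get("name") or "").lower()
            auto = (a.get("autocomplete") or "").lower()
            if auto in CARD_AUTOCOMPLETE or any(h in name for h in CARD_NAME_HINTS):
                self.raw_card_inputs.append(a.get("name") or auto)
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname   # None for same-origin relative paths
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                self.foreign_scripts.append(host)

def scan_checkout(html):
    """Return the two regression lists for one saved checkout page."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    return {"raw_card_inputs": scanner.raw_card_inputs,
            "foreign_scripts": scanner.foreign_scripts}

# Constructed page source: the Stripe iframe is fine; the stray cardNumber
# input and the unknown analytics host are the regressions to catch.
SAMPLE_CHECKOUT = """
<html><body>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.example-analytics.invalid/tag.js"></script>
<iframe src="https://js.stripe.com/v3/elements-inner-card"></iframe>
<input type="text" name="cardNumber" autocomplete="cc-number">
<input type="email" name="email" autocomplete="email">
</body></html>
"""
```

A non-empty `raw_card_inputs` is the SAQ D trigger described above; a non-empty `foreign_scripts` is the list to reconcile against your installed apps and tags.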
Pull every chargeback from the past 30 days. File representment evidence (delivery confirmation, AVS match, IP log, prior order history) within the processor's window — usually 7-21 days. Track chargeback ratio against the 1% Visa / Mastercard threshold; crossing it triggers monitoring programs.
Account Security Controls
Require passwords of at least 14 characters, generated and stored in a password manager (1Password, Bitwarden), for any account that can issue refunds or change the payout bank account. Rotate after any contractor offboarding. NIST SP 800-63B has long since dropped forced periodic rotation — focus on length plus breach-list checks instead.
Pull the staff list from Shopify, Seller Central, Klaviyo, Gorgias, and Meta Business Manager. Remove anyone who left in the last 90 days, downgrade VAs from Owner to Limited, and remove anyone whose role doesn't justify refund/payout permissions.
Audit Shopify Custom App tokens, Stripe restricted keys, and SP-API refresh tokens. Anything older than 12 months or unused in 90 days gets rotated. A leaked token in a public repo is the most common path to a Seller Central takeover.
Run a smoke test in a private window: 6 failed attempts on the customer login should trigger lockout / CAPTCHA. Same on the admin URL. Credential-stuffing campaigns hit Shopify customer logins constantly to validate breached email-password pairs.
Review Cloudflare's Bot Analytics (or Shopify's bot protection) for the past 30 days. Any session marked Verified Bad that completed checkout or login is a control failure — escalate to incident response.
On a confirmed account takeover, force a password reset on the affected account, revoke active sessions and API tokens, pull the 30-day audit log, and notify the customer or staff member. If customer PII or payment data was accessed, start the breach-notification clock — 72 hours under GDPR, varying state windows in the US.
Data Protection & Audit
Encrypting stored customer data is handled by Shopify and Stripe by default. The risk is exports — CSV downloads of customer lists sitting in Drive, Slack DMs, or a contractor's laptop. Inventory every export from the past 90 days and either purge it or move it to encrypted storage.
Klaviyo, Gorgias, Yotpo, Postscript, and Recharge each maintain a subprocessor page. Check for new entries — new sub-processors in non-adequate jurisdictions can require GDPR Article 28 disclosure or Standard Contractual Clauses updates.
Use Rewind, BackupMaster, or your warehouse data export to actually restore a sample customer record into a staging Shopify store. Untested backups are ransomware bait — quarterly restore drills catch silent corruption.
Running Sucuri SiteCheck or Detectify against the live storefront catches injected skimmers, exposed staging URLs, and outdated tags. Any critical finding goes into the next sprint, not the backlog.
Walk Gorgias / Zendesk agents through the month's social-engineering attempts: fake CEO Slack DMs requesting gift-card purchases, customers claiming refunds for orders they didn't place, and refund-bombing chains. New patterns get added to the macro library so the next agent recognizes them.