Shopify VPN Fraud: How to Stop Proxy Checkout Fraud
VPN and proxy checkout fraud hides stolen cards behind rotating IPs. Learn how to read the signals and block VPN traffic on Shopify before orders happen.
On this page
- The fraud pattern: anonymized IPs before the order exists
- Why 2018-era IP reputation lists fail
- What proxy checkout fraud actually costs
- Reading the signals
- What Shopify gives you natively, and where it stops
- How Cordon blocks it
- Not every VPN user is a fraudster
- Setting up VPN and proxy blocking
- Frequently asked questions
TL;DR: VPN and proxy checkout fraud works by making the attacker's IP address lie about where they are. Stolen card testing, serial refund abuse, and drop sniping all rely on rotating anonymized IPs. Shopify's built-in fraud analysis only flags orders after they exist. Blocking anonymized traffic at the visit level, with a fraud-score threshold so ordinary privacy users still get through, stops most of it before checkout is ever reached.
Every fraudulent order starts with a visit. Before the stolen card number is typed, someone connects to your storefront from an IP address. Fraudsters know that IP is their weakest link, so they hide it. This post explains how that hiding works, what it costs, and how to block it without also blocking honest customers who happen to use a VPN.
The fraud pattern: anonymized IPs before the order exists
Card fraud on Shopify follows a predictable shape. Someone buys a batch of stolen card numbers, then needs to test which cards still work and cash out the live ones. Both steps happen behind a VPN, a residential proxy network, or Tor, because the fraudster's real IP would place them in a different country than the card's billing address. That mismatch is the oldest fraud signal in payments, so professional fraud hides it first.
Card testing is the noisy version: rapid small orders to see which numbers authorize. Cash-out is the quiet version: a single large order shipped to a freight forwarder or reshipping mule. Both arrive through anonymized connections, usually a different IP per attempt.
The same infrastructure serves non-card abuse too. Serial refund abusers who have been banned once come back through a fresh IP and a fresh email. Discount-code farmers create dozens of accounts to claim a first-order coupon repeatedly, rotating IPs so account-per-IP limits never trigger. And when you run a limited product drop, sniping bots check out through pools of thousands of residential proxies, so each purchase looks like a different household. The proxy pools that snipe drops are often the same ones that scrape catalogs.
Why 2018-era IP reputation lists fail
Most legacy blocking apps work from downloaded IP reputation lists: a snapshot of known VPN exit nodes, datacenter ranges, and proxies, refreshed occasionally. That approach made sense when anonymization meant renting a server. It does not survive contact with residential proxies.
A residential proxy routes the fraudster's traffic through a real home internet connection. The exit IP belongs to an actual consumer ISP, often on a connection whose owner installed a "free VPN" app that quietly resells their bandwidth. On paper the visitor is a household on a cable modem. No static list can flag that, because the IP genuinely is residential, and it may only act as a proxy for a few hours before the pool rotates it out.
Detecting this requires live commercial detection data: providers that score each IP on how it is behaving right now, not what network block it belonged to years ago. This is the core difference between Cordon and list-based blockers. Cordon queries live detection data per visitor and caches the decision, rather than shipping a stale list. The feature breakdown covers what each signal contributes.
What proxy checkout fraud actually costs
| Cost | Mechanism |
|---|---|
| Chargeback amount | The cardholder disputes the charge, you refund the full order value |
| Chargeback fee | Your payment processor charges a fixed fee per dispute, win or lose |
| Lost inventory | Physical goods shipped to a mule or forwarder are gone |
| Fulfillment cost | Picking, packing, and shipping paid on an order that reverses |
| Processor risk score | Sustained disputes raise your rate profile and can trigger reserves or termination |
| Card-testing fees | Hundreds of failed authorizations still incur per-transaction costs |
The last two rows matter most. A store can absorb one chargeback, but a rising dispute ratio gets you flagged by your processor, and once you are in a high-risk bucket, everything gets more expensive. Prevention is cheaper than dispute management at every scale.
Reading the signals
You can spot proxy checkout fraud in your own order data before you install anything. Three signals carry most of the weight:
IP country versus shipping country. A visitor whose IP resolves to one country ordering delivery to another is not automatically fraud (expats and gift buyers exist), but a cluster of such orders in a short window is, especially when the IP country also fails to match the card's billing country. If one region is the consistent source, blocking that country outright is a blunt but effective first response.
A datacenter ASN at checkout. Every IP belongs to an autonomous system, and the ASN tells you who operates the network. Real shoppers browse from consumer ISPs and mobile carriers. A checkout completed from an AWS, Alibaba, Tencent, or Huawei Cloud address is a script, full stop; humans do not shop from inside a datacenter. If you are new to network-level signals, the ASN explainer covers how one rule can cover an entire hosting provider.
Many accounts from one network. Discount farmers and refund abusers rotate IPs, but proxy pools have finite breadth, so the accounts still cluster: same ASN, same city-level geolocation, same device fingerprint, created within hours of each other. Five new accounts from one network claiming the same welcome code is not a coincidence.
What Shopify gives you natively, and where it stops
Shopify includes fraud analysis on qualifying plans, and it is genuinely useful: it scores each order and flags high-risk ones for review. The documentation at help.shopify.com covers how the indicators work. The structural limitation is timing. Fraud analysis evaluates an order that already exists. The authorization already hit your processor, the inventory is already reserved, and on automated fulfillment the order may already be moving before anyone reads the flag.
Blocking at the visit level inverts this. If the anonymized visitor never loads your storefront, there is no session, no cart, no authorization attempt, and no order to review. The two layers are complementary: visit-level blocking as the filter, Shopify fraud analysis as the safety net for whatever gets through.
How Cordon blocks it
Cordon makes its detection decision before the page renders, in under 50 milliseconds, using live commercial VPN, proxy, and Tor detection data. VPN and proxy blocking is available on the Growth plan and above.
The design choice that matters most is the fraud-score threshold. Cordon does not block an IP just because it is technically a relay. Low-risk privacy services, most visibly iCloud Private Relay, which is switched on by default for millions of iPhone users, score below the threshold and pass through. High-risk exits, rotating residential proxies, and Tor score above it and get the block screen. This is the difference between blocking anonymized fraud and blocking everyone who cares about privacy.
Cordon also fails open. If the detection service ever hiccups, real customers shop normally instead of hitting an error. A fraud filter that can take your store down is worse than no filter.
Not every VPN user is a fraudster
This deserves its own section because it is the most common objection, and it is correct. Plenty of legitimate customers browse through a VPN: corporate laptops, privacy-conscious shoppers, travelers on hotel Wi-Fi. Blocking all of them by default is a mistake for most stores.
The practical pattern we see: many merchants leave VPN blocking off during normal operation, enable it when a fraud wave starts, and turn it off once the attack burns out. Cordon supports this directly. VPN blocking is a per-store toggle, and the allowlist exempts known customers permanently. The live visitor log shows exactly who was blocked and why, with SHA-256 hashed IPs so the log itself stays GDPR-safe.
Setting up VPN and proxy blocking
- Review your recent flagged orders and note the pattern: IP versus billing country mismatches, repeated ASNs, account clusters.
- Install Cordon and enable the app embed in your theme (it is a theme app extension, no script tags, no theme code edits).
- Start with country and bot blocking on the free plan if you only need geography-level control.
- On Growth or above, toggle on VPN, proxy, and Tor blocking, or use the Anti-scraper preset as a starting point.
- Add known VPN-using customers to the allowlist.
- Watch the visitor log for a few days and adjust. Blocked-visit entries tell you what the filter caught; the VPN checkout fraud use case page walks through a full configuration.
Frequently asked questions
Does blocking VPNs on Shopify stop all checkout fraud?
No, and any vendor claiming otherwise is overselling. What it does is remove the anonymity layer that card testers, serial refund abusers, and discount farmers depend on. Fraud that has to run from a real, traceable connection is rarer, riskier for the attacker, and easier to dispute when it happens. Keep Shopify fraud analysis as your second layer.
Will blocking VPNs also block legitimate customers?
Not if the blocker distinguishes risk levels. Cordon applies a fraud-score threshold, so low-risk privacy services like iCloud Private Relay pass through untouched, and you can allowlist known customers who shop through a VPN. Blanket blocking of every relay is the legacy approach, and it is why VPN blocking got a bad reputation.
Why doesn't Shopify's built-in fraud analysis solve this?
Shopify fraud analysis scores an order after it is placed. By then the payment attempt, the inventory hold, and the processor risk signal already exist, and on automated fulfillment the order may already be moving. Blocking at the visit level prevents the order from ever being created, which is cheaper in every way.
What is a residential proxy and why is it hard to detect?
A residential proxy routes traffic through a real home internet connection, usually an infected device or a bandwidth-sharing app the owner barely knows they installed. The exit IP genuinely belongs to a consumer ISP, so static IP lists see a normal household. Detection requires live commercial data that scores how an IP is behaving right now.
Which Cordon plan includes VPN and proxy blocking?
VPN, proxy, and Tor detection starts on the Growth plan at $19 per month for 100k visitors, and is included on every plan above it. Every paid plan comes with a 7-day free trial, so you can enable it during a fraud wave and evaluate it on your own traffic.
If your flagged-order queue is growing and the IPs never match the shipping addresses, visit-level blocking is the fix that works before the damage, not after. Try Cordon on the Shopify App Store with a 7-day free trial on every paid plan.