You know the kind of order we're talking about:
- The billing address is in one country, the shipping in another.
- The name is gibberish.
- The email ends in .ru but the product is being sent to California.
And yet, it sails through checkout. No flags. No alerts. Approved like it's a normal customer.
Merchants on several forums have been comparing stories like these, times when fraud looked painfully obvious, but tools like Stripe Radar, 3D Secure (3DS), or Shopify Protect didn't stop it.
If you're wondering why that happens, the answer comes down to how fraud systems are designed and where they fall short.
What Fraud Tools Are Actually Looking At
Most fraud detection systems don't "see" orders like humans do. They rely on data points, thresholds, and behavioral models.
Here's what many of them prioritize:
- Device fingerprinting (IP, browser, OS)
- Velocity checks (number of purchases in a short time)
- History with the merchant or card
- Card BIN data
- AVS and CVV match
- Behavioral biometrics (mouse movement, typing patterns)
So if an order doesn't trigger enough red flags based on those metrics, it might still pass—even if it looks completely sketchy to a human eye.
Stripe Radar: Smart, But Not Psychic
Stripe Radar uses machine learning trained on billions of transactions. It scores each payment with a fraud risk level (0–100), but by default, it doesn't block high-risk orders automatically. That decision is left to the merchant.
And that's where it gets tricky.
Unless a merchant sets strict custom rules (like rejecting mismatched countries or certain email domains), Radar might approve borderline orders. Especially if the fraudster mimics low-risk behavior like using the correct AVS/CVV, or mimicking normal browser activity.
In some forum threads, merchants said their rules were too relaxed. Others found that tightening them too much killed legitimate sales.
3DS Isn't a Silver Bullet Either
3D Secure is supposed to add a layer of authentication. In theory, it shifts liability away from the merchant. But it doesn't always stop fraud.
Here's why:
- Some issuing banks skip full authentication for "low-risk" transactions.
- Fraudsters often use stolen cards that still pass 3DS.
- If a customer completes 3DS, (because they're the real cardholder, or because the bank didn't require a challenge) it counts as authorized, even if it's still a scam.
In short: 3DS helps reduce your risk, but it doesn't always reduce fraud itself.
Shopify Protect: Great for Chargebacks, But Limited in Scope
Shopify Protect can cover chargebacks for certain orders, but only under strict conditions:
- The order must use Shop Pay.
- Shipping must be tracked.
- Signature confirmation may be required.
And that means:
- Digital goods aren't covered.
- Orders using other payment methods (like PayPal) don't qualify.
- The protection doesn't apply if you manually override Shopify's recommendations.
Some sellers assume "Shopify will handle it," but the protection is limited. One merchant posted that their order looked suspicious, but they shipped anyway and got burned when it wasn't covered.
Why Obvious Fraud Still Wins
Fraudsters test limits. They watch what gets approved, then fine-tune their tactics. Many have access to:
- Real cardholder data (from breaches or phishing)
- Bots that mimic legit behavior
- IP proxies and residential VPNs
- AI-generated names and emails
So even if their order looks shady to a human, it can pass technical checks.
Also, automation tools often prioritize minimizing false positives. That's good for conversion rates, but bad when the fraud is real and no one catches it in time.
What Merchants Are Actually Doing About It
From real forum discussions, here's what fraud-savvy merchants are doing differently:
- Manually reviewing high-ticket or international orders
- Flagging email domains and IP ranges with poor history
- Using velocity rules to block multiple attempts in a short window
- Blocking shipping to freight forwarders or certain countries
- Using third-party tools like Chargeblast for layered protection
- Training support staff to look for behavioral red flags (like rushed shipping or mismatched names)
Some merchants accept a bit of risk as a cost of doing business. Others would rather kill a few legit sales than deal with another chargeback.
Final Thought
One merchant summed it up like this:
"It looked fake. It was fake. I still let it through because the system said 'approve.' Lesson learned: Trust your gut, not just your tools."
That's the takeaway. Tools help. Automation saves time. But when something looks off, it probably is. Don't be afraid to intervene, even when the fraud score says it's safe.
Tired of Obvious Fraud Getting Through?
Chargeblast helps you stay ahead of chargebacks by giving you the full picture: Real-time alerts, rule automation, and real-time visibility. Whether it's a shady order or a confusing fraud code, we help you make better calls faster.
When fraud looks obvious, you shouldn't be left guessing.
