Preventing Fraudulent SHIPAID-Only Orders (Credit Card Testing Attacks)

Fraudsters sometimes use eCommerce stores to test stolen credit cards by placing very small orders. Because SHIPAID is often the lowest-priced item in a store, it can become a target for these attacks.

What This Looks Like

Common signs of credit card testing fraud include:

• Multiple low-value orders placed within a short period of time
• Orders containing only the SHIPAID product
• Orders from different customers using similar patterns
• No legitimate purchase intent
• Increased chargebacks or fraudulent payment notifications

If you are seeing SHIPAID-only orders, they are likely fraudulent and should be addressed immediately.

Recommended Action

1. Refund and Block the Customer

If an order appears fraudulent:

• Refund the order immediately
• Cancel the order
• Block the customer if appropriate
• Review recent orders for similar activity

Why This Happens

Shopify does not natively prevent customers from checking out with only a single product in their cart. Fraudsters can exploit this by purchasing only the SHIPAID product to test whether a stolen card is active.

This is a known issue discussed by other Shopify merchants:

• Shopify Community Discussion: https://community.shopify.com/t/help-someone-is-using-our-store-to-test-stolen-credit-cards/363198

Recommended Solution: Craftly Checkout Rules

We recommend using the Craftly Checkout Rules app to prevent SHIPAID from being purchased by itself.

How It Works

1. Tag the SHIPAID product.
2. Create a checkout rule that prevents checkout when SHIPAID is the only item in the cart.
3. If a customer attempts to purchase SHIPAID alone, they will be prompted to add another product before proceeding.

This prevents fraudulent SHIPAID-only transactions while allowing legitimate customers to continue checking out normally.

Shopify App Store:

https://apps.shopify.com/checkout-essentials

Alternative Protection: Set SHIPAID to “Unlisted”

Another effective option is to set the SHIPAID product status to Unlisted in Shopify.

Important

• Use only the Unlisted status.
• Do not change the SHIPAID product to Draft, Archived, Hidden, or any other status, as doing so may interfere with SHIPAID functionality.

When a product is set to Unlisted, customers cannot directly discover it through your storefront, search, collections, or navigation, which can help prevent automated bot attacks targeting the product.

Shopify documentation:

https://help.shopify.com/en/manual/products/details/product-details-page#unlisted-products

Best Practice

For maximum protection, we recommend:

1. Setting the SHIPAID product to Unlisted
2. Creating a Craftly Checkout Rule that prevents SHIPAID-only purchases
3. Monitoring for unusual low-value orders
4. Refunding and blocking fraudulent customers immediately

This combination has proven to be the most effective method for stopping credit card testing attacks without negatively impacting legitimate customers.

If you need assistance configuring either of these options, please contact the SHIPAID support team.

Updated on: 04/06/2026