How to Stop Fake COD Orders on Shopify: Multi-Layer Fraud Prevention Playbook


A fake COD order costs you more than just the order value. The courier picks it up, drives to the address, and finds nobody. Or finds someone who says they never ordered anything. The parcel comes back. You pay the forward shipping, the return shipping, and the handling fee. You get nothing back in revenue, and your remittance cycle delays by another week.

This guide covers how to stop fake COD orders on Shopify: what fake orders actually are, why a single defense never holds, and how to stack four protection layers that block fraudulent submissions before they become dispatched parcels. Every configuration step maps directly to what you can set up in Releasit COD Form & Upsells today.

Table of Contents

  1. What Is a Fake COD Order?
  2. The True Cost of Fake COD Orders
  3. Why a Single Layer of Defense Always Fails
  4. Layer 1: OTP Phone Verification
  5. Layer 2: Invisible CAPTCHA & Bot Defense
  6. Layer 3: Blocklists: IP, Phone, Email & Country
  7. Layer 4: Automated Fraud Rules & Risk Scoring
  8. Quick Configuration Checklist
  9. Regional Fraud Patterns by Market
  10. How to Measure Fraud Reduction
  11. Related Reading
  12. FAQs

What Is a Fake COD Order?

Not every failed delivery is fraud, but a meaningful share of COD failures are entirely preventable because the order was never real. Understanding the four types of fake COD order helps you choose the right defense for each.

Prank & Competitor Orders
Someone places an order with no intention of paying. Motivations range from boredom to deliberate competitor sabotage. Volume tends to spike during campaign launches when store visibility is high.
Serial Refusers
Real people who place genuine-looking orders but have a pattern of refusing delivery. They may be price-testing, window-shopping with intent to cancel, or have changed their mind between order and dispatch.
Bot-Generated Orders
Automated scripts submit dozens or hundreds of COD orders at once, often using randomly generated name and address combinations. More common than most merchants realise, especially on stores running high-visibility promotions.
Disposable Identity Orders
Orders placed using temporary email addresses, virtual phone numbers, or VPNs by repeat bad actors who have previously been blocked. A blocklist alone cannot stop them because their identity details keep changing.

Each type requires a different countermeasure. Prank orders are stopped by OTP. Bots are stopped by CAPTCHA. Serial refusers are stopped by blocklists. Disposable-identity fraudsters require automated rule scoring. None of these alone covers the full attack surface.

The True Cost of Fake COD Orders

Fake orders are not just an RTO problem. They generate real operational cost at every stage of the fulfillment chain.

  • 15-30% of COD orders in high-fraud markets like India & MENA are fake or prank submissions
  • 60-80% reduction in fake orders achieved by merchants who activate OTP verification
  • 95%+ of bot-generated checkout submissions blocked by invisible CAPTCHA
  • 3x return on investment from fraud prevention vs. absorbing RTO costs with no defenses

Every fake order that reaches dispatch costs you forward shipping, return shipping, courier handling, warehouse reprocessing, and inventory holding time. For a COD store shipping 500 orders per month with a 20 percent fake rate, that is 100 orders generating pure cost with no revenue. At a conservative estimate of $4 per round-trip shipping cost, that is $400 per month in direct losses before factoring in labour or inventory.

Fake orders also inflate your RTO rate artificially, which damages your courier relationship and pushes you onto less favorable shipping terms. Couriers use your delivery success rate to price your rates. A fake-order-driven RTO rate of 25 percent puts you in the same bracket as poorly managed stores, even if your genuine buyer experience is excellent.

Why a Single Layer of Defense Always Fails

Most merchants start with one countermeasure. It reduces the problem temporarily and then fraud finds the gap.

  • OTP only. Genuine prank orders stop. But bots programmed to use real phone numbers bypass OTP verification unless CAPTCHA is in place to block the submission before the OTP request fires. Legitimate customers with slow SMS delivery experience friction. OTP alone is not complete protection.
  • CAPTCHA only. Automated bot submissions stop. But human-operated prank orders, serial refusers, and disposable-identity repeat fraudsters pass through without issue. CAPTCHA does not verify human intent, only human presence.
  • Blocklist only. Customers already flagged in your system are blocked. But first-time fraudsters and disposable-identity actors who change their contact details every few orders pass through every time. A blocklist only works on known offenders.
  • Fraud rules only. Pattern-based filtering catches many new fraudsters but generates false positives without behavioral data and does not stop bots or verify phone numbers.

Multi-layer fraud prevention works because it attacks each fraud type at the point where it is most vulnerable, before it moves to the next stage. CAPTCHA stops bots before the OTP request fires. OTP confirms that a real buyer controls the phone number on the order. Blocklists stop repeat offenders instantly. Fraud rules catch everyone the first three layers miss. Together they form a stack with no meaningful gap.

Layer 1: OTP Phone Verification

OTP verification sends a one-time code to the customer's phone number before the COD order is confirmed. If the code is not entered correctly, the order does not go through. This single step ties every order to a real, accessible phone number, which eliminates most prank and anonymous fake submissions.

The critical implementation detail is friction. A poorly designed OTP flow redirects the customer to a separate page, requires manual copy-paste, and expires too quickly. Conversion drops. A well-designed inline OTP flow stays within the checkout page, autofills where possible, and gives the customer a generous but reasonable time window to enter the code.

How to configure OTP in Releasit COD Form & Upsells
  1. Open Releasit COD Form & Upsells and go to COD Form Settings
  2. Under the Verification section, enable Phone OTP
  3. Set the OTP expiry window (90 to 120 seconds is a good default for most markets)
  4. Choose whether to require OTP on all orders or only orders above a configurable order value threshold
  5. Preview the inline OTP prompt on mobile to confirm it loads correctly within the checkout layout
  6. Test end-to-end with a real phone number before enabling on live traffic

Merchants who enable OTP for all COD orders typically see a 60 to 80 percent reduction in fake and prank orders within the first two weeks. The reduction is higher in markets with a cultural pattern of low-commitment prank ordering, such as parts of India, Egypt, and Morocco.

If your concern is conversion impact, start by enabling OTP only for orders above a certain value threshold, for example, orders over $15 or $20. This targets the orders where fraud protection matters most while leaving low-value orders frictionless.


Layer 2: Invisible CAPTCHA & Bot Defense

Invisible CAPTCHA runs silently in the background as the customer interacts with your checkout form. Unlike the older style that asks users to identify traffic lights or fire hydrants, invisible CAPTCHA scores behavioral signals such as mouse movement, typing rhythm, and session patterns, then blocks submissions that look automated without ever interrupting a real customer.

Bot-generated COD orders are more common than most Shopify merchants realise, particularly during sales events when store visibility is high. A promotional campaign with heavy ad spend attracts not only genuine buyers but also automated tools that submit bulk order entries. Without bot protection, these submissions reach your fulfillment queue and generate real dispatch costs before anyone notices the pattern.

How to configure invisible CAPTCHA in Releasit COD Form & Upsells
  1. In Releasit COD Form & Upsells, go to COD Form Settings > Security
  2. Enable Invisible CAPTCHA
  3. No additional customer-facing setup is required. The protection runs in the background on every form submission
  4. Check your order logs after 7 days. Any sharp drop in orders with no corresponding revenue drop indicates blocked bot traffic that was previously reaching your queue

Invisible CAPTCHA blocks over 95 percent of bot-generated checkout attempts. Because the customer never sees it, there is no friction and no conversion impact. It is one of the highest-impact, lowest-effort fraud prevention steps available.

One note: invisible CAPTCHA scores browser behavior, not intent. A customer using an accessibility tool or an unusual browser configuration may occasionally trigger a low confidence score. The Releasit COD Form & Upsells implementation includes a fallback challenge threshold so that genuine customers who trigger borderline scores see a one-step verification rather than an outright block.

Layer 3: Blocklists: IP, Phone, Email & Country

A blocklist is a record of confirmed bad actors. Once a customer has been identified as a serial refuser, a prank orderer, or a repeat fraudster, you add their identifiers to your blocklist and every future order attempt from them is automatically rejected at checkout, before it enters your queue.

Releasit COD Form & Upsells supports four types of blocklist entry, each targeting a different way a fraudster might attempt to re-enter your store:

IP Address Block
Blocks all orders submitted from a specific IP address or IP range. Effective against prank orders originating from the same device or network, and against bot farms using identifiable IP blocks.
Phone Number Block
Blocks specific phone numbers from placing COD orders. The most direct defense against serial refusers who have been identified by their mobile number in previous failed deliveries.
Email Address Block
Blocks specific email addresses or email domains, including disposable email services. Useful when your fraud analysis identifies that a bad actor is rotating through multiple phone numbers but reusing the same email.
Country Block
Restricts COD availability to specific countries. If your store ships to India, Saudi Arabia, and the UAE but not to other markets, you can limit COD to those three countries and prevent orders from all other locations from reaching checkout as COD.

How to configure blocklists in Releasit COD Form & Upsells
  1. In Releasit COD Form & Upsells, go to COD Form Settings > Blocklist
  2. Add individual phone numbers, email addresses, or IP addresses directly using the input field
  3. To block entire email domains (for example, mailinator.com or guerrillamail.com), enter the domain rather than a full address
  4. To restrict COD by country, use the Country Availability settings in the same section and enable only the countries where you actively ship and accept COD
  5. Export your courier's returned order list monthly and cross-reference phone numbers against your blocklist to identify repeat offenders not yet in the system

Blocklists are most effective as a maintenance layer that you update regularly rather than a set-and-forget configuration. Your courier's NDR reports and order cancellation data are the best sources for identifying who to add. A good operating rhythm is to review and update your blocklist weekly when you are in an active growth phase with high order volume.
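The monthly cross-reference from step 5, as an added Python example (not part of Releasit or any courier's tooling): it normalizes phone formats before counting returns per number, because the same buyer often appears in several formats across exports. The CSV column names, the +91 default with 10-digit national numbers, the two-return threshold and all sample rows are assumptions.

```python
import csv
import io
import re
from collections import Counter

COUNTRY_CODE = "91"   # assumption: default market is India
NATIONAL_LEN = 10     # assumption: national numbers are 10 digits
MIN_RETURNS = 2       # assumption: two failed deliveries marks a repeat offender


def normalize_phone(raw):
    """Return the number as +<country><national>, or None if it cannot be parsed."""
    s = raw.strip()
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None
    if s.startswith("+"):
        return "+" + digits
    if digits.startswith("00"):                       # 0091... international prefix
        return "+" + digits[2:]
    if digits.startswith(COUNTRY_CODE) and len(digits) == len(COUNTRY_CODE) + NATIONAL_LEN:
        return "+" + digits
    national = digits.lstrip("0")                     # drop trunk prefix, e.g. 098...
    if len(national) == NATIONAL_LEN:
        return "+" + COUNTRY_CODE + national
    return None


def repeat_offenders(returns_csv, blocklist, min_returns=MIN_RETURNS):
    """Find numbers with >= min_returns failed deliveries that are not yet blocked.

    Returns (candidates, unparsed): candidates is a list of (phone, count) sorted
    by count descending; unparsed lists order ids whose phone needs manual review.
    """
    blocked = {normalize_phone(p) for p in blocklist}
    counts, unparsed = Counter(), []
    for row in csv.DictReader(io.StringIO(returns_csv)):
        phone = normalize_phone(row["phone"])
        if phone is None:
            unparsed.append(row["order_id"])
        else:
            counts[phone] += 1
    candidates = sorted(
        ((p, n) for p, n in counts.items() if n >= min_returns and p not in blocked),
        key=lambda item: (-item[1], item[0]),
    )
    return candidates, unparsed


# Constructed sample export (not real data); column names are hypothetical.
SAMPLE_RETURNS = """order_id,phone,reason
1001,+91 98000 00001,refused
1002,098000-00001,customer unavailable
1003,919800000001,refused
1004,9811111111,refused
1005,98222 22222,refused
1006,+91-98222-22222,address not found
1007,12345,refused
"""
SAMPLE_BLOCKLIST = ["+919822222222"]

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_RETURNS, SAMPLE_BLOCKLIST))
```

Treat the output as a review list rather than an automatic block: a number with several returns may still belong to a genuine buyer with an address or availability problem.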

Blocklists also support whitelisting: you can designate specific customers as trusted buyers who bypass additional verification steps. This is useful for wholesale accounts or repeat high-value customers who would otherwise trigger fraud rule flags due to order size or frequency.

Layer 4: Automated Fraud Rules & Risk Scoring

The first three layers handle known fraud patterns: prank orders, bots, and identified bad actors. Layer 4 is where you catch unknown first-time fraudsters who have never been seen in your store before and do not yet appear on any blocklist.

Automated fraud rules score each incoming COD order in real time against a set of configurable signals and then block, flag, or allow the order based on the cumulative risk score. No manual review is required for each order. The rule engine runs automatically on every submission.

Common fraud signals to build rules around:

  • Orders where the delivery address is a freight forwarder, parcel collection point, or known reshipping address
  • Multiple orders placed to the same address within a short time window from different names or emails
  • Orders where the name, phone, and email show no overlap with any previous order history in your store
  • Orders placed from a VPN exit node or anonymising proxy
  • Very high order values for a first-time COD buyer with no purchase history
  • Orders placed within seconds of page load, indicating automated submission rather than human browsing
  • Disposable email domain detected in the email field

How to configure automated fraud rules in Releasit COD Form & Upsells
  1. In Releasit COD Form & Upsells, go to COD Form Settings > Fraud Rules
  2. Enable the default rule set as your starting point. This covers the most common risk signals without requiring manual configuration
  3. Set the rule action to Block for high-confidence rules (disposable email, known bot IP range) and Flag for Review for medium-confidence rules (first order above value threshold, unusual order timing)
  4. Review flagged orders in the dashboard daily during the first two weeks. Use this data to calibrate thresholds and reduce false positives before switching flagged orders to automatic block
  5. Add custom rules as you identify patterns specific to your store and market

The most important calibration step is threshold tuning. Rules set too aggressively block legitimate orders. Rules set too loosely let fraud through. The right approach is to start with flagging rather than blocking, review the flagged orders for two weeks, identify what proportion are genuine versus fraudulent, and then adjust thresholds accordingly. After this initial calibration period, most stores can switch to automatic blocking with low false positive rates.
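A minimal sketch of cumulative risk scoring with a flag-first calibration mode, added here as an illustration and not Releasit's rule engine. The signal weights, thresholds, field names and sample orders are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All weights, thresholds and domains below are assumptions for illustration;
# calibrate them against your own flagged-order review.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}
WEIGHTS = {"disposable_email": 60, "fast_submit": 40,
           "address_reuse": 35, "high_value_first_order": 25}
BLOCK_AT, FLAG_AT = 60, 25          # cumulative score cut-offs
MIN_FILL_SECONDS = 3                # faster than this looks scripted
HIGH_VALUE = 100.0                  # "very high" for a first-time buyer
REUSE_WINDOW = timedelta(hours=24)  # "short time window" for address reuse


@dataclass
class Order:
    name: str
    email: str
    phone: str
    address: str
    value: float
    placed_at: datetime
    seconds_on_page: float  # time between page load and form submit


def norm_address(addr):
    """Lower-case and collapse commas/whitespace so near-duplicates match."""
    return " ".join(addr.lower().replace(",", " ").split())


def signals(order, history):
    """Return the names of the risk signals this order trips."""
    hits = []
    if order.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        hits.append("disposable_email")
    if order.seconds_on_page < MIN_FILL_SECONDS:
        hits.append("fast_submit")
    for past in history:  # same address, different name or email, recently
        recent = timedelta(0) <= order.placed_at - past.placed_at <= REUSE_WINDOW
        other_buyer = (past.name.lower(), past.email.lower()) != (
            order.name.lower(), order.email.lower())
        if recent and other_buyer and norm_address(past.address) == norm_address(order.address):
            hits.append("address_reuse")
            break
    seen_before = any(p.phone == order.phone or p.email.lower() == order.email.lower()
                      for p in history)
    if not seen_before and order.value >= HIGH_VALUE:
        hits.append("high_value_first_order")
    return hits


def decide(order, history, calibrating=False):
    """Map the cumulative score to (action, score, signals).

    calibrating=True downgrades blocks to flags so a person reviews every
    decision before automatic blocking is switched on.
    """
    hits = signals(order, history)
    score = sum(WEIGHTS[h] for h in hits)
    if score >= BLOCK_AT:
        return ("flag" if calibrating else "block"), score, hits
    if score >= FLAG_AT:
        return "flag", score, hits
    return "allow", score, hits


# Constructed sample history (not real orders).
T0 = datetime(2024, 1, 1, 12, 0)
HISTORY = [
    Order("Asha Rao", "asha@example.com", "+919800000001", "12 MG Road, Pune", 20.0, T0 - timedelta(days=30), 45),
    Order("Ravi K", "ravi@example.com", "+919800000002", "7 Lake View, Indore", 18.0, T0 - timedelta(hours=2), 50),
]
```

Logging the returned signal names alongside each flagged order is what makes the two-week review usable: it shows which rule produced each false positive, so you know which weight or threshold to adjust.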

Quick Configuration Checklist

Use this checklist to confirm all four layers are active and correctly configured before going live.

Layer 1: OTP Verification
  • OTP enabled for all COD orders (or orders above your chosen threshold)
  • OTP expiry window set to 90-120 seconds
  • Inline OTP display confirmed on mobile layout
  • End-to-end test completed with a real phone number
Layer 2: Invisible CAPTCHA
  • Invisible CAPTCHA enabled in Security settings
  • Test order placed from a standard browser to confirm no friction shown to real users
  • Reminder set to check order logs after 7 days for bot traffic drop
Layer 3: Blocklists
  • Known serial refusers added by phone number
  • Disposable email domains added (mailinator.com, guerrillamail.com, etc.)
  • COD country availability restricted to active shipping markets
  • Monthly courier NDR export review scheduled
Layer 4: Automated Fraud Rules
  • Default rule set enabled
  • Initial action set to Flag for Review (not Block) for first two weeks
  • Daily flagged-order review scheduled for calibration period
  • Custom rules added based on store-specific patterns (if any already identified)

Regional Fraud Patterns by Market

Fraud behavior varies by market. The same product sold in three different countries can have very different fake order profiles depending on local consumer behavior, courier infrastructure, and the cultural context around COD.

India
India has the highest volume of prank and competitor-driven fake COD orders globally. Tier 2 and Tier 3 cities show higher prank order rates than metros. Phone OTP is the most effective single intervention. Disposable phone number use is lower than in MENA because Indian telecoms require ID verification for SIM cards, so OTP is more reliable here than anywhere else.
MENA (Egypt, Morocco, Saudi Arabia, UAE)
Serial refuser behavior is more common than outright prank ordering. Customers frequently place COD orders across multiple stores for the same product and accept from whichever courier arrives first, refusing all others. WhatsApp pre-delivery confirmation reduces this pattern significantly. UAE and Saudi Arabia have lower fake order rates than Egypt and Morocco due to higher consumer purchasing power and formal address systems.
Latin America (Colombia, Brazil, Mexico)
Address fraud is a larger issue than prank ordering. Customers sometimes provide real-looking but non-existent addresses, leading to delivery failures that look like genuine RTO but are actually fraud-driven. Address validation at checkout in Releasit COD Form & Upsells dramatically reduces this pattern by confirming deliverability before dispatch.

For a detailed breakdown of fraud patterns and recommended rule configurations by country, see the full regional playbook: COD Fraud Prevention by Region: India, LATAM, MENA & Europe Shopify Playbooks (coming soon).

How to Measure Fraud Reduction

You cannot manage what you do not measure. Before activating your fraud prevention stack, record your current baseline for each of the following metrics. Check them again after four weeks of running all four layers.

  • Fake order rate. The percentage of all COD orders that are cancelled before dispatch, refused on delivery, or returned with no cash collected. Calculate it as (cancelled + refused + returned with no payment) divided by total COD orders placed.
  • First-attempt delivery rate. The percentage of dispatched orders delivered successfully on the first courier visit. Fraud reduction should push this metric up as fewer fake orders reach dispatch.
  • RTO rate. Total returns divided by total dispatches. A decline in RTO rate after fraud prevention activation confirms that a meaningful share of your RTO was fraud-driven rather than address or availability-driven.
  • Order block rate. The percentage of checkout submissions blocked by your fraud stack. This tells you how much fraud was reaching your checkout before you had defenses in place. A block rate under 3 percent is typical for a well-calibrated stack. Over 5 percent suggests either aggressive thresholds generating false positives, or a store with genuinely high incoming fraud volume that justifies maintaining tight settings.

The most telling signal is the gap between RTO rate before and after fraud prevention activation, measured over equivalent time periods. Merchants in high-fraud markets typically see a 10 to 20 percentage point improvement in RTO rate within the first 30 days, driven almost entirely by the removal of fake orders from the dispatch queue.

Frequently Asked Questions

What percentage of COD orders are fake?
In high-fraud markets such as India and parts of MENA, fake or prank COD orders can represent 15 to 30 percent of total COD volume. The exact figure varies by product category, price point, and how many fraud defenses are active at checkout. Stores with no fraud prevention active tend to see higher rates because they attract repeat offenders who face no barrier. After activating OTP, CAPTCHA, and blocklists in Releasit COD Form & Upsells, most stores see their effective fake order rate fall below 5 percent within 30 days.
Does OTP verification reduce conversion rates?
With a well-designed inline OTP flow, conversion impact is typically under 2 percent. The reduction in fake orders and RTO costs far outweighs this small friction cost. Silent CAPTCHA has near-zero conversion impact because real customers never see it. If you want to minimise OTP friction further, start by enabling it only for orders above a value threshold, for example, orders over $15 or $20, where fraud prevention ROI is highest.
Can I block an entire country from placing COD orders?
Yes. Releasit COD Form & Upsells lets you restrict COD availability by country so only customers in your target markets can see and use the COD payment option at checkout. If your store ships to India, Saudi Arabia, and the UAE but you do not want to accept COD from other markets, you can configure this directly in the Country Availability settings. Customers outside your allowed countries will not see COD as a payment option.
What is the difference between a blocklist and automated fraud rules?
A blocklist acts on known bad data: specific phone numbers, email addresses, or IPs you have already confirmed as fraudulent. It blocks those identifiers every time they appear, regardless of any other signals. Automated fraud rules act on patterns and risk signals in real time, flagging or blocking suspicious orders even from first-time customers you have never seen before. The two layers complement each other: blocklists stop repeat offenders instantly, while fraud rules catch new fraudsters the blocklist does not yet know about.
How do I know if bots are submitting fake COD orders?
Signs include order spikes with no corresponding increase in ad spend, clusters of orders from the same IP range within minutes of each other, orders using randomly formatted names and address combinations, disposable email addresses in the email field, and high cancellation rates immediately after placement. Once you enable invisible CAPTCHA and fraud rule logging in Releasit COD Form & Upsells, the dashboard will surface blocked submissions so you can see the volume of bot activity that was reaching your checkout before protection was active.
Will fraud rules block legitimate high-value orders?
This is why the recommended setup starts with flagging rather than blocking. Spend two weeks reviewing flagged orders manually to understand what your store's high-value legitimate order profile looks like. Adjust thresholds to accommodate it before switching to automatic blocking. You can also add known high-value or repeat customers to your whitelist so they bypass fraud checks entirely, ensuring your best buyers are never inconvenienced by fraud detection.