An April 2026 analysis of 70 million marketplace users found 256 organized fraud clusters operating across India — 45,000 fake accounts running on just 9,000 devices. One in six of those devices had 10 or more accounts tied to it. Some accounts recorded over 50 actions in a single hour. COD device farm fraud prevention isn't optional anymore — it's a survival requirement for any store accepting cash on delivery.
This isn't one person placing a fake COD order with a burner phone number. This is industrial-scale fraud. If you're running a COD store in India, MENA, or South Asia, these rings are already testing your checkout.
The cost isn't just the failed deliveries. Every fake COD order ties up inventory, wastes courier fees, and distorts your ad attribution data. A store processing 200 orders per day might not notice 15 fraudulent ones until the RTO rate spikes at month-end and the courier bill arrives. By then, the damage is done.
What a Device Farm Actually Looks Like
A device farm is a physical setup — a room with dozens of smartphones, sometimes hundreds, each running multiple accounts on the same platform. The operator cycles through accounts to place orders, claim cashback, abuse return policies, or flood COD stores with fake orders. None of these orders will ever be accepted on delivery.
The Bureau report that analyzed 70 million users found these farms concentrated in Delhi, Bengaluru, and Noida. But the technique isn't limited to India. Similar operations run in Pakistan, Bangladesh, Egypt, and across the Gulf states — anywhere COD is the dominant payment method and verification is weak.
What makes device farms different from casual fraud:
- Volume: A single operator can place 50+ orders per hour across multiple stores
- Coordination: Multiple accounts work together — different names, different phone numbers, same device fingerprint
- Sophistication: They rotate IP addresses, use VPNs, and spread orders across time windows to avoid velocity triggers
Why COD Stores Are the Primary Target
Prepaid stores have a natural barrier: the customer pays before the product ships. If a fraudster enters fake payment details, the transaction fails. No money, no shipment.
COD removes that barrier entirely. The fraudster places an order with a fake name and a disposable phone number. The store packs it, ships it, pays the courier — and the package comes back undelivered. The store absorbs the shipping cost both ways, the courier charges an RTO fee, and the inventory sits in a return pile for a week.
Multiply that by 50 orders from the same device farm, and you've lost real money. The Bureau analysis found that while only 0.95% of users exhibited anomalous behavior, that small group drove a disproportionate share of platform abuse across cashback fraud, return fraud, and fake COD orders. If you haven't calculated what each fake order actually costs you, work it out: the true cost of COD fraud is higher than most merchants expect.
How Do You Detect COD Device Farm Fraud?
Device farm orders leave five patterns that individual fake orders don't. Watch for these signals — if you spot two or more together, you're likely dealing with a farm, not a lone bad actor:
- Multiple orders from the same device fingerprint. Different customer names, different phone numbers, but the same device ID. This is the single strongest signal. One device placing orders under 10 different identities is a farm, not a household.
- Geographic clustering with delivery spread. Orders originate from the same IP range or city but ship to scattered addresses across the country. Legitimate customers order from where they live.
- Velocity spikes. A sudden jump in COD orders from new customers within a short window — especially if your ad spend didn't change. If you didn't drive more traffic but orders surged, something is wrong.
- Phone number patterns. Sequential or recently activated numbers. Fraud rings buy SIM cards in bulk. The numbers often share the same carrier prefix or were activated within days of each other.
- High cart value with no browsing history. Legitimate shoppers browse, compare, and add to cart over multiple sessions. Farm accounts go straight to the most expensive item and checkout within seconds.
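The two-or-more rule above, as an added example (not code from the original article): orders are grouped by device fingerprint and each group is checked for four of the listed signals. Velocity spikes need a store-wide traffic baseline and are left out. The field names, sample orders and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample orders. Field names and thresholds are assumptions for this example.
ORDERS = [
    {"device": "dev-A", "name": "R. Kumar", "phone": "9800000101", "ship_city": "Pune", "checkout_secs": 12},
    {"device": "dev-A", "name": "S. Iyer", "phone": "9800000102", "ship_city": "Jaipur", "checkout_secs": 9},
    {"device": "dev-A", "name": "A. Khan", "phone": "9800000103", "ship_city": "Kochi", "checkout_secs": 15},
    {"device": "dev-A", "name": "M. Das", "phone": "9800000104", "ship_city": "Patna", "checkout_secs": 11},
    # One household sharing a tablet: three identities, one city, normal browsing time.
    {"device": "dev-B", "name": "P. Shah", "phone": "9811122233", "ship_city": "Surat", "checkout_secs": 640},
    {"device": "dev-B", "name": "N. Shah", "phone": "9899955501", "ship_city": "Surat", "checkout_secs": 410},
    {"device": "dev-B", "name": "K. Shah", "phone": "9700044410", "ship_city": "Surat", "checkout_secs": 905},
    {"device": "dev-C", "name": "L. Roy", "phone": "9822200011", "ship_city": "Kolkata", "checkout_secs": 20},
]

def farm_signals(orders, min_identities=3, min_cities=3, fast_checkout_secs=30):
    """Return {device: [signal names]} for every device showing at least one signal."""
    by_device = defaultdict(list)
    for order in orders:
        by_device[order["device"]].append(order)
    report = {}
    for device, group in by_device.items():
        signals = []
        # Signal 1: many distinct (name, phone) identities on one fingerprint.
        if len({(o["name"], o["phone"]) for o in group}) >= min_identities:
            signals.append("many_identities")
        # Signal 2: one origin, deliveries scattered across cities.
        if len({o["ship_city"] for o in group}) >= min_cities:
            signals.append("delivery_spread")
        # Signal 4: runs of consecutive numbers, as bought in bulk SIM batches.
        phones = sorted({int(o["phone"]) for o in group})
        if sum(1 for a, b in zip(phones, phones[1:]) if b - a == 1) >= 2:
            signals.append("sequential_phones")
        # Signal 5: every order on the device checked out within seconds.
        if len(group) > 1 and all(o["checkout_secs"] <= fast_checkout_secs for o in group):
            signals.append("instant_checkout")
        if signals:
            report[device] = signals
    return report

def likely_farms(orders):
    """Devices with two or more signals together, per the rule in the text."""
    return sorted(d for d, s in farm_signals(orders).items() if len(s) >= 2)

if __name__ == "__main__":
    print(farm_signals(ORDERS))
    print(likely_farms(ORDERS))
```

The household device trips one signal and is not flagged; only the device with several signals at once is.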
Set Up Order Limits Before You Need Them
The simplest defense is a constraint most merchants never think to add: cap the number of COD orders a single phone number, email, or IP address can place within a time window.
A legitimate customer might place 1–3 orders per week from the same phone number. A device farm places 10 per hour. Setting a limit of 3 COD orders per phone number per 24 hours catches farm activity without affecting real buyers.
Layer this with IP-based limits. If 5 different "customers" all place COD orders from the same IP address within an hour, that's not a shared office — that's a farm. Block the IP automatically after the threshold.
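One way to enforce both limits with sliding windows, as an added example (not EasySell's code or the original article's). The class and method names are hypothetical, and rejecting the order that trips the IP threshold is an assumption about how "after the threshold" is applied.

```python
from collections import defaultdict, deque

PHONE_LIMIT, PHONE_WINDOW = 3, 24 * 3600  # 3 COD orders per phone per 24 hours (from the text)
IP_LIMIT, IP_WINDOW = 5, 3600             # 5 different customers per IP per hour (from the text)

class CodOrderGate:
    """Hypothetical in-memory gate; a real store would back this with a shared datastore."""

    def __init__(self):
        self.phone_orders = defaultdict(deque)  # phone -> timestamps of accepted orders
        self.ip_attempts = defaultdict(deque)   # ip -> (timestamp, phone) of recent attempts
        self.blocked_ips = set()

    def check(self, phone, ip, now):
        """Decide a COD order at `now` (epoch seconds): 'accept', 'phone_limit' or 'ip_blocked'."""
        if ip in self.blocked_ips:
            return "ip_blocked"
        # Drop IP attempts that have aged out of the one-hour window, then record this one.
        attempts = self.ip_attempts[ip]
        while attempts and now - attempts[0][0] >= IP_WINDOW:
            attempts.popleft()
        attempts.append((now, phone))
        # Count distinct phone numbers, not orders: one buyer ordering twice is one customer.
        if len({p for _, p in attempts}) >= IP_LIMIT:
            self.blocked_ips.add(ip)  # assumption: the order that trips the limit is rejected too
            return "ip_blocked"
        # Per-phone limit over the trailing 24 hours, counting accepted orders only.
        accepted = self.phone_orders[phone]
        while accepted and now - accepted[0] >= PHONE_WINDOW:
            accepted.popleft()
        if len(accepted) >= PHONE_LIMIT:
            return "phone_limit"
        accepted.append(now)
        return "accept"

if __name__ == "__main__":
    gate = CodOrderGate()
    # Constructed traffic: six different numbers from one address, one minute apart.
    for i in range(6):
        print(i, gate.check(f"98000001{i:02d}", "198.51.100.9", 60 * i))
```

The block set here never expires. Mobile carriers commonly put many unrelated subscribers behind one shared NAT address, so in production give each block an expiry and a review path.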
If you're using EasySell, you can set order limits per phone number and block specific IPs or phone numbers directly from the order form settings — no code required. For a step-by-step setup, see the COD fake order prevention guide.
OTP Verification Stops Farms at the Gate
Device farms rely on speed. The faster they can cycle through accounts and place orders, the more profitable the operation. Adding a one-time password (OTP) verification step to your COD checkout introduces friction that hits farms harder than it hits real customers.
A real customer entering a 6-digit code from their phone takes 15 seconds. A farm operator managing 30 accounts simultaneously can't verify 30 different phone numbers in real time — especially if those numbers are virtual or disposable SIMs that can't receive SMS reliably.
OTP verification via SMS or WhatsApp filters out the bulk of device farm orders because the economics break. Each fake order now requires a working phone number that can receive and respond to an OTP. The cost per fake order jumps from near-zero to unworkable at scale.
Build a Blocklist That Updates Itself
Static blocklists — manually adding phone numbers one at a time — don't work against farms. By the time you've blocked 10 numbers, the ring has 40 new ones.
Instead, build a blocklist strategy around patterns:
- Auto-block after RTO. If a COD order is returned to origin, automatically add that phone number and email to your blocklist. Legitimate customers who genuinely missed a delivery will contact you. Fraudsters won't.
- Block by phone prefix. If you notice a cluster of fake orders from numbers sharing the same carrier prefix and area code, block the prefix temporarily. This is aggressive — use it only during active attacks.
- Share intelligence with your courier. Your delivery partner sees RTO patterns across their entire network, not just your store. Ask them which delivery zones and phone prefixes are flagged. Some couriers in India now offer fraud scoring as part of their COD service.
Partial Prepayment: The Best Long-Term Device Farm Fraud Prevention
The most effective long-term defense against COD device farm fraud isn't detection — it's removing the incentive. A ₹50 or ₹99 partial prepayment requirement makes every fake order cost real money.
Device farms work because placing a fake COD order is free. The moment you require even a small deposit — 5% to 15% of the order value — the farm operator needs a working payment method for every account. Stolen cards get flagged. UPI requires a linked bank account. The operation becomes expensive enough that your store isn't worth targeting.
Merchants who've added partial prepayment typically see RTO rates drop by 25–40% across all orders, not just fraudulent ones. The deposit acts as a commitment signal that filters out impulse orders and fraud simultaneously.
Monitor Weekly, Not Monthly
Most merchants review fraud data at month-end when the courier invoice arrives. By then, a device farm has had 30 days to operate. Switch to weekly monitoring of three numbers:
- RTO rate by customer source: If your RTO rate from "new customers" is 3x higher than from returning customers, dig into those new orders
- Orders per unique phone number: Any number placing more than 3 orders in a week deserves a manual review
- COD-to-prepaid ratio shifts: A sudden increase in COD orders while prepaid stays flat often signals a fraud spike, not a sales spike
Set up a simple spreadsheet or Google Sheet that pulls these three metrics weekly. You don't need a fraud analytics platform — you need to look at your own data consistently.
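The same three numbers computed from exported order rows, as an added example (not from the original article). The row fields, the constructed sample weeks, and the reading of "prepaid stays flat" as within 10% of last week are assumptions.

```python
from collections import Counter

def rto_rate(rows):
    """Share of orders returned to origin; 0.0 for an empty segment."""
    return sum(r["rto"] for r in rows) / len(rows) if rows else 0.0

def weekly_report(this_week, last_week, flat_band=0.10):
    """Each row is a dict with keys phone, payment ('cod' or 'prepaid'), returning, rto."""
    new = [r for r in this_week if not r["returning"]]
    old = [r for r in this_week if r["returning"]]
    per_phone = Counter(r["phone"] for r in this_week)

    def count(rows, payment):
        return sum(r["payment"] == payment for r in rows)

    cod_now, cod_prev = count(this_week, "cod"), count(last_week, "cod")
    pre_now, pre_prev = count(this_week, "prepaid"), count(last_week, "prepaid")
    # Assumption: "flat" means prepaid volume moved by no more than flat_band week over week.
    prepaid_flat = pre_prev > 0 and abs(pre_now - pre_prev) <= flat_band * pre_prev
    return {
        "rto_new": rto_rate(new),
        "rto_returning": rto_rate(old),
        # Metric 1: new-customer RTO rate at least 3x the returning-customer rate.
        "new_rto_3x": rto_rate(old) > 0 and rto_rate(new) >= 3 * rto_rate(old),
        # Metric 2: any number with more than 3 orders this week goes to manual review.
        "phones_to_review": sorted(p for p, n in per_phone.items() if n > 3),
        # Metric 3: COD volume up while prepaid stays flat.
        "cod_up_prepaid_flat": prepaid_flat and cod_now > cod_prev * (1 + flat_band),
    }

def rows(n, payment, returning, rto_count, prefix):
    """Build n constructed order rows with unique phone numbers under `prefix`."""
    return [{"phone": f"{prefix}{i:04d}", "payment": payment,
             "returning": returning, "rto": i < rto_count} for i in range(n)]

# Constructed data: a normal week, then a week with a burst of new COD customers.
LAST_WEEK = rows(40, "cod", True, 4, "970001") + rows(30, "prepaid", True, 0, "970002")
THIS_WEEK = (rows(40, "cod", True, 4, "970001") + rows(29, "prepaid", True, 0, "970002")
             + rows(20, "cod", False, 14, "980003")
             + [dict(r, phone="9812345678") for r in rows(5, "cod", False, 5, "x")])

if __name__ == "__main__":
    print(weekly_report(THIS_WEEK, LAST_WEEK))
```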
The stores that catch device farm fraud early share one trait: they check their numbers before the courier does. Start with your RTO report from last week. If any phone number appears more than twice, you have your first lead.