Same Phone Number, Third Fake Order: How COD Stores Are Automating Fraud Blacklists Without Losing Real Customers

COD fake order prevention on Shopify comes down to one thing: automatically blocking repeat offenders by phone number, IP, and email before they cost you another wasted shipment. Most merchants try manual blacklists and fail — because fraudsters rotate numbers, swap names, and tweak addresses faster than any spreadsheet can track.

A store in Karachi processed the same fake order three times last month. Same phone number. Slightly different name each time. Three shipments sent, three packages returned, roughly $45 in wasted shipping per round trip. The store owner only caught the pattern after the third return — and by then, the damage was done.

This isn't an edge case. Merchants across Pakistan, India, Egypt, Saudi Arabia, and Southeast Asia report that 20–40% of their return-to-origin (RTO) rate comes from repeat offenders. The same handful of phone numbers and addresses cycling through new orders with minor variations. Manual blacklisting catches some of them, but it's slow, inconsistent, and completely blind to the tricks repeat fraudsters use.

Every fake order that ships costs you $15–50 in logistics alone. Multiply that by 10–20 repeat offenders placing 3–5 orders each per month, and you're looking at $500–5,000/month bleeding out of your business before you even notice. That's not a rounding error. That's your ad budget, your inventory investment, or your margin on legitimate orders — gone.

Why Does Manual COD Fraud Blacklisting Fail?

Most COD merchants start the same way: a spreadsheet or a mental list. Someone returns an order, you note the phone number, and next time you see it, you cancel. Simple enough when you're processing 20 orders a day.

At 100+ orders daily, it falls apart. Your team doesn't have time to cross-reference every incoming order against a growing list. And the fraudsters adapt faster than your spreadsheet does:

• Phone number rotation — They swap the last two digits or use a second SIM. Your blacklist has +92-300-1234567 but they order from +92-300-1234576.
• Name variations — "Ahmed Khan" becomes "A. Khan" becomes "Ahmad K." Same address, same fraud.
• Address tweaks — "House 14, Street 3" becomes "H-14, St. 3" or "Near mosque, Street 3." Your system sees three different addresses.

By the time you spot the pattern, they've already cost you 5–10 wasted shipments. Manual processes don't scale, and they don't catch variations. You need rules that fire automatically before the order ships.

Block by Phone Number — Your First Line of Defense

Phone numbers are the most reliable identifier in COD markets. Customers rarely change their primary number, and even when they rotate to a secondary SIM, they eventually reuse their main one. Blocking by phone number catches the majority of repeat offenders with zero false positives — if someone placed 3 fake orders from that number, the number is burned.

EasySell lets you block specific phone numbers directly in your order form settings. When a blocked number tries to place an order, the form rejects it before it ever reaches your system. No shipment, no RTO, no cost.

Build your blocklist from your RTO data. Export your returned orders from the last 90 days, sort by phone number, and flag any number with 2+ returns. That list is your starting blocklist. Update it weekly — 15 minutes that saves hours of wasted fulfillment.

IP Blocking — Handle With Care in Shared-Network Regions

IP-based blocking sounds like the obvious next step. Serial fraudster placing orders from the same device? Block the IP and they're done.

But in COD-heavy markets, IP blocking is a scalpel, not a sledgehammer. In countries like Pakistan and Bangladesh, entire neighborhoods share a single IP through a common ISP gateway. Block that IP and you could cut off 50 legitimate customers along with the one fraudster.

Use IP blocking selectively:

1. Cross-reference IP + phone number — If the same IP appears with multiple blacklisted phone numbers, it's likely a serial offender operating from one location. Block it.
2. Look at order velocity from a single IP — 5+ orders from the same IP in 24 hours is suspicious in almost any market. Flag or block.
3. Don't auto-block IPs from mobile networks — Mobile carrier IPs rotate frequently and are shared across thousands of users. Blocking them causes more collateral damage than fraud prevention.

The rule of thumb: block IPs only when you have a second signal confirming fraud (repeated returns, blacklisted phone, or impossible order velocity). One signal alone isn't enough in shared-IP regions.

Email Blocking and the "New Account" Problem

Email blocking is the weakest individual signal, but it matters as part of a layered system. Fraudsters create new email addresses in seconds — blocking one Gmail address does nothing when they can generate another in 30 seconds.

Where email blocking does work:

• Catching lazy repeat offenders — A surprising number reuse the same email. It's not sophisticated, but it's free to block.
• Domain-level blocking — If you're seeing fake orders from a pattern of disposable email services (guerrillamail, tempmail, yopmail), block the entire domain.
• Cross-referencing against phone and address — Same email + different phone + same address = the same person trying to get around your phone block.

Email alone won't stop determined fraudsters. But combined with phone and IP rules, it closes another gap in your defense.

Set Order Velocity Limits Before Bulk Fraud Hits

Some fraud isn't one repeat offender — it's coordinated. A competitor, a disgruntled ex-employee, or just someone with a grudge can place 20–50 fake COD orders in an afternoon using different names and numbers. By the time you notice, half of them have already shipped.

Order velocity limits stop this cold. Set maximum orders per phone number, per IP, or per address within a time window:

• Per phone number: Max 2 orders within 24 hours. Legitimate customers rarely order twice in the same day.
• Per IP address: Max 5 orders within 24 hours. Accounts for shared networks while catching bulk abuse.
• Per shipping address: Max 3 orders within 48 hours. Catches the "same house, different name" pattern.

These limits can be configured through EasySell's quantity restrictions and order control features. Set them once, and they run in the background — no manual monitoring required.

How Aggressive Should Your COD Fake Order Prevention Be?

This is where most merchants get it wrong. They either stay too lenient (and keep bleeding money) or go too aggressive (and block real customers who just happened to share an IP or misspell their name).

Your fraud prevention should match your RTO rate:

• RTO under 10% — Light touch. Phone number blacklist from repeat returners. No IP blocking. You're in good shape; don't over-engineer it.
• RTO 10–25% — Medium defense. Phone blocking + order velocity limits + email blocking for disposable domains. Review IP patterns monthly.
• RTO above 25% — Full stack. Phone + IP + email blocking. Tight velocity limits. Consider adding OTP verification via WhatsApp or SMS to confirm every order before fulfillment.

OTP verification is the nuclear option for high-fraud stores. Requiring a one-time password via SMS or WhatsApp before the order is confirmed adds friction — your conversion rate will dip 5–10%. But if your RTO is above 25%, the savings from prevented fake orders far outweigh the lost conversions. A store running at 30% RTO that adds OTP verification typically drops to 8–12% RTO within 30 days. For more on cutting RTO rates across all order types, see our guide on reducing COD return-to-origin rates.

Build Your Blocklist From Data, Not Gut Feeling

The merchants who do this well aren't guessing. They're running a simple weekly process:

1. Export RTO orders from the past 7 days from your shipping provider or Shopify admin.
2. Sort by phone number. Any number appearing 2+ times goes on the blocklist.
3. Sort by shipping address. Normalize formatting (remove abbreviations, standardize street names) and flag duplicates.
4. Cross-reference new returns against existing blocklist. If a blocked phone reappears with a new number but the same address, add the new number too.
5. Review and update your rules. If velocity limits are triggering too many false positives, loosen them by one order. If RTO crept up, tighten them.

This takes 15–20 minutes per week. That's less time than you spend dealing with a single returned shipment — and it prevents dozens of them.

Start with your phone number blocklist today. Export your last 90 days of returns, pull out the repeat numbers, and add them to your blocking rules. That single step will cut your repeat-offender fraud by 60–70% before the week is out. The rest — IP rules, velocity limits, OTP — layer on as your data tells you where the gaps are.

Ready to automate your COD fraud prevention? Install EasySell to block fake orders by phone number, set order velocity limits, and protect your margins — all from one dashboard.