Ecommerce fraud attacks grew 64% year over year in 2025, according to the LexisNexis 2026 Cybercrime Report. COD fake order bot detection is now a survival skill for merchants in MENA, South Asia, and Southeast Asia. The biggest driver isn't competitors placing revenge orders or serial returners using new phone numbers. It's AI-powered bots generating synthetic identities — fake names, phone numbers, and addresses that look real enough to pass basic validation.
If you're running a COD store, this hits different. Every fake order that ships costs you the product, the shipping fee, and the return handling. A single bot farm can generate hundreds of fake COD orders in an afternoon, and your blocklist won't catch a single one because every order comes from a "new" customer.
How COD Fake Order Bots Differ From Manual Fraud
The fraud you're used to — a competitor placing 20 orders with obvious fake names, or a serial returner cycling through burner numbers — is manual. It's annoying, but it's slow. You can spot the patterns and block the phone numbers.
Bot-driven fraud is different in three ways:
- Volume: Bots can place hundreds of orders per hour. Manual fraudsters max out at maybe 10-20 before they get bored or run out of numbers.
- Identity quality: Synthetic identities combine real and fabricated data. The name sounds local, the phone number has the right country code and carrier prefix, and the address uses real street names in real neighborhoods. Malicious bot attacks rose 59% in 2025, with bots now mimicking genuine human behavior patterns.
- Blocklist evasion: Every order uses a different identity. Blocking by phone number, email, or IP address does nothing when the bot generates fresh credentials for each order.
Synthetic identity fraud accounted for 11% of all fraud globally in 2025 — an eight-fold increase from 2024. In Latin America, it's even worse: 48.3% of fraud involves synthetic identities.
5 Signs Your Fake Orders Are Coming From Bots
Bot-generated orders leave patterns that human fraudsters don't. Look for these signals in your order history:
- Timing clusters: 15 orders placed between 2:47 AM and 3:12 AM, each exactly 90-120 seconds apart. Humans don't order at metronomic intervals. Bots do.
- Address formatting consistency: Every order uses the same capitalization style, the same abbreviation pattern ("St." vs "Street"), and the same field structure. Real customers are messy and inconsistent with how they type addresses.
- Phone number sequences: The numbers look random, but check the last 4 digits. Bots often pull from sequential blocks or share the same carrier prefix. If 30 orders all have phone numbers starting with the same 6 digits, that's a flag.
- Zero browsing history: Bot orders skip your product page entirely. They hit the order endpoint directly. If your analytics show an order with no page views, no time on site, and no referral source — it wasn't a human.
- Name-address mismatches at scale: The names sound plausible for the region, but the addresses don't match any real resident at that location. One or two mismatches happen naturally. Twenty in an hour doesn't.
Check your orders from the past 30 days against these patterns. If three or more signals show up in the same batch, you're dealing with bots, not humans.
Why Your Blocklist Can't Stop Synthetic Identities
Traditional COD fraud prevention relies on blocking known bad actors: specific phone numbers, email addresses, IP ranges, or postal codes with high RTO rates. This works when the same person keeps trying with the same identity.
Synthetic identities break this model completely. Each order arrives from a "new customer" with no history. The phone number has never been blocked. The email was created minutes ago. The IP rotates through residential proxies that look like normal mobile connections.
Blocklists are still useful for catching repeat offenders and high-RTO regions — our guide on automating fraud blacklists covers how to set those up. But blocklists are a filter for yesterday's fraud, not today's. You need verification methods that test whether a real person is actually behind the order.
OTP Verification Stops Bots Where Blocklists Fail
OTP (one-time password) verification is the single most effective defense against bot-placed COD orders. It forces a real human to interact with a real phone before the order goes through. A bot can generate a fake phone number, but it can't receive and enter an OTP sent to that number.
Two channels work for COD order verification:
- WhatsApp OTP: Best for markets where WhatsApp is the default messaging app — India, Pakistan, MENA, Latin America, Southeast Asia. WhatsApp messages hit 98% open rates and reach 95% of recipients within three seconds.
- SMS OTP: Broader reach, but delivery rates can drop to 85% at scale in some markets. Works better for mixed audiences where WhatsApp adoption varies.
The tradeoff is real: OTP adds a step to your checkout, and some legitimate customers will drop off. Merchants who've implemented it typically see a 25-40% reduction in fake COD orders. The math usually works — if your RTO rate is above 15%, the orders you save are worth more than the conversions you lose to the extra step.
EasySell includes built-in OTP verification via SMS and WhatsApp directly in the COD order form, along with per-customer order limits that cap how many orders a single phone number can place within a set timeframe.
Add Behavioral Signals to Catch What OTP Misses
OTP stops bots that use fake phone numbers. But some bot operators use banks of real SIM cards or virtual numbers that can receive messages. To catch these, layer behavioral signals on top of OTP:
- Time on page: A real shopper spends 30-120 seconds reading your product page before ordering. A bot submits in under 5 seconds. Flag orders where the form was completed faster than a human could read it.
- Form fill patterns: Humans type fields one at a time with pauses. Bots paste all fields simultaneously. Track the time between the first and last field entry — if it's under 2 seconds for a 6-field form, it's automated.
- Device and session signals: Check if the browser has JavaScript enabled, whether cookies are accepted, and if the screen resolution matches a real device. Headless browsers used by bots often have telltale signatures: no plugins, generic user agents, and viewport sizes that don't match any real phone or desktop.
You don't need enterprise fraud software like Signifyd or Riskified for this. Shopify's own analytics and your order form's submission data give you enough to build basic behavioral checks. Set up a behavioral risk scoring system or a Shopify Flow automation that flags orders matching two or more bot signals for manual review before fulfillment.
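A basic behavioral check of the kind described above, as an added example (not EasySell or Shopify code). The thresholds come from the article; the telemetry shape, field names, and headless markers are assumptions about what your order form records.

```python
from dataclasses import dataclass

# Thresholds are the article's; the telemetry shape (timestamps in seconds,
# collected by a script on the order form) is an assumption.
MIN_TIME_ON_PAGE_S = 5.0      # bots submit in under 5 seconds
MIN_FILL_SPAN_S = 2.0         # first-to-last field entry on the form
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")

@dataclass
class Submission:
    page_loaded_at: float     # when the product page loaded
    submitted_at: float       # when the order form was posted
    field_times: dict         # field name -> time of first input in that field
    user_agent: str
    cookies_enabled: bool
    viewport: tuple           # (width, height) in CSS pixels

def bot_signals(s: Submission) -> list:
    signals = []
    if s.submitted_at - s.page_loaded_at < MIN_TIME_ON_PAGE_S:
        signals.append("time_on_page")
    times = sorted(s.field_times.values())
    # Browser autofill also trips this one, which is why a single signal
    # never sends an order to review on its own.
    if len(times) >= 2 and times[-1] - times[0] < MIN_FILL_SPAN_S:
        signals.append("form_fill")
    # No field events at all means the form script never ran (JavaScript off
    # or a direct POST to the order endpoint): count it as a device signal.
    if (not times or not s.cookies_enabled or min(s.viewport) <= 0
            or any(m in s.user_agent for m in HEADLESS_MARKERS)):
        signals.append("device")
    return signals

def needs_manual_review(s: Submission) -> bool:
    """The article's rule: two or more bot signals -> hold before fulfillment."""
    return len(bot_signals(s)) >= 2

# Constructed samples: a shopper using autofill, and a scripted submission.
FIELDS = ("name", "phone", "city", "address", "postal", "notes")
AUTOFILL = Submission(0, 45, {f: 40 + 0.02 * i for i, f in enumerate(FIELDS)},
                      "Mozilla/5.0 (Linux; Android 13) Chrome/120.0 Mobile",
                      True, (412, 915))
SCRIPTED = Submission(0, 1.2, {f: 0.9 + 0.01 * i for i, f in enumerate(FIELDS)},
                      "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0",
                      True, (800, 600))

if __name__ == "__main__":
    for label, s in (("autofill", AUTOFILL), ("scripted", SCRIPTED)):
        print(label, bot_signals(s), "review" if needs_manual_review(s) else "ok")
```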
How Order Velocity Limits Contain Bot Damage
Velocity limits cap the damage from bot attacks by restricting how many orders can come from the same identity signals within a timeframe. Even with OTP and behavioral checks, some fake orders will get through — velocity limits prevent those from scaling into hundreds of wasted shipments:
- Per phone number: Maximum 2-3 orders per phone number per 24 hours. Legitimate repeat customers rarely order more than once a day.
- Per IP address: Maximum 5 orders per IP per hour. This catches bot farms using the same exit node, but use a generous limit since shared IPs are common in emerging markets.
- Per postal code: If a single postal code suddenly generates 50 orders in an hour when it normally generates 2 per day, pause fulfillment for that batch and verify manually.
Velocity limits won't prevent fake orders from being placed, but they prevent you from shipping 200 fake orders before you notice the pattern. That's the difference between losing one shipment and losing a month's margin.
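A sliding-window version of these three limits, as an added example rather than any platform's built-in feature. The order fields (`phone`, `ip`, `postal`), the class name, and the phone normalization step are assumptions; orders that exceed a limit are meant to be held for review, not shipped.

```python
from collections import defaultdict, deque

# (max orders, window in seconds). Phone and IP limits are the article's upper
# bounds; the postal-code figure is its "50 orders in an hour" scenario.
LIMITS = {"phone": (3, 24 * 3600), "ip": (5, 3600), "postal": (50, 3600)}

def normalize(kind, value):
    """Collapse formatting so '+92 300-555 0001' and '923005550001' share one
    counter; otherwise re-spacing a number resets its limit."""
    if kind == "phone":
        return "".join(c for c in value if c.isdigit())
    return value.strip().upper()

class VelocityLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.seen = defaultdict(deque)     # (kind, value) -> order timestamps

    def check(self, order, now):
        """Record the order; return the limits it exceeds (empty = within limits)."""
        exceeded = []
        for kind, (max_orders, window) in self.limits.items():
            if not order.get(kind):
                continue
            times = self.seen[(kind, normalize(kind, order[kind]))]
            while times and times[0] <= now - window:
                times.popleft()            # drop orders outside the window
            times.append(now)
            if len(times) > max_orders:
                exceeded.append(kind)
        return exceeded

# Constructed sample: one phone number written four ways, one order per minute.
SAMPLE_PHONES = ["+92 300 555 0001", "+92-300-555-0001",
                 "923005550001", "+92 (300) 5550001"]

if __name__ == "__main__":
    limiter = VelocityLimiter()
    for i, phone in enumerate(SAMPLE_PHONES):
        order = {"phone": phone, "ip": f"203.0.113.{i}", "postal": "54000"}
        print(phone, "->", limiter.check(order, now=60 * i) or "ok")
```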
Build a Daily Fraud Check Into Your Workflow
Bot attacks come in waves. You might see nothing for weeks, then get hit with 300 fake orders on a Friday night when nobody's watching. A 5-minute daily check catches attacks before they drain your inventory:
- Sort yesterday's COD orders by creation time. Look for clusters of orders placed within seconds of each other.
- Scan phone numbers for sequential patterns or repeated carrier prefixes.
- Check the ratio of COD orders to total orders. If COD suddenly jumped from 60% to 90% of orders, investigate.
- Review any orders flagged by your velocity limits or behavioral checks.
Export your COD orders to a spreadsheet daily — even a Google Sheet works. Sorting and filtering 50-100 orders takes minutes, and it's the fastest way to spot a bot attack before you've packed and shipped the evidence.
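The daily check above, together with three of the five signs listed earlier (timing clusters, shared phone prefixes, zero browsing history), scripted over an exported batch as an added example that is not part of the original article. The column names and the `run`, `max_cv`, and `min_no_browse` thresholds are assumptions; the 6-digit prefix and the count of 30 are the article's.

```python
from collections import Counter
from statistics import mean, pstdev

def metronomic_run(orders, run=10, max_cv=0.25):
    """True if any `run` consecutive orders arrive at near-constant intervals."""
    ts = sorted(o["created_at"] for o in orders)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    for i in range(len(gaps) - run + 2):
        window = gaps[i:i + run - 1]
        # Coefficient-of-variation test, written without division so a burst
        # of identical timestamps (mean gap 0) is also caught.
        if pstdev(window) <= max_cv * mean(window):
            return True
    return False

def shared_prefix_count(orders, digits=6):
    """Size of the largest group of phone numbers sharing their first digits."""
    prefixes = Counter(
        "".join(c for c in o["phone"] if c.isdigit())[:digits] for o in orders)
    return max(prefixes.values(), default=0)

def batch_signals(orders, min_prefix=30, min_no_browse=10):
    """Names of the bot signals present in one batch of COD orders."""
    signals = []
    if metronomic_run(orders):
        signals.append("timing_cluster")
    if shared_prefix_count(orders) >= min_prefix:
        signals.append("phone_prefix")
    if sum(o["page_views"] == 0 for o in orders) >= min_no_browse:
        signals.append("no_browsing")
    return signals

# Constructed sample (seconds since midnight): 30 scripted orders from 02:47,
# 101-112 s apart, followed by 12 organic daytime orders.
BOTS = [{"created_at": 10020 + 105 * i + (7 * i) % 11,
         "phone": f"+92 300 555{i:04d}", "page_views": 0} for i in range(30)]
HUMAN_TIMES = [28800, 29350, 33100, 33400, 39900, 41000,
               47200, 47260, 52000, 58500, 58900, 66000]
HUMANS = [{"created_at": t, "phone": f"+92 3{10 + 3 * i} {1234567 + 111111 * i}",
           "page_views": 2 + i % 4} for i, t in enumerate(HUMAN_TIMES)]

if __name__ == "__main__":
    print("mixed batch :", batch_signals(BOTS + HUMANS))
    print("organic only:", batch_signals(HUMANS))
```

Because only three of the five signs are scripted here, the article's "three or more signals" rule is met only when all three fire on the same batch.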
Bot-driven COD fraud isn't going away. Agentic AI traffic rose 450% in 2025, and the tools to generate synthetic identities are getting cheaper. The stores that survive this shift are the ones that stop relying on blocklists alone and start verifying that a real person exists behind every COD order. Start with OTP verification on your order form — it's the single highest-impact change you can make today.