botsfraud preventionShopify security

How to Stop Fake Account Signups on Shopify

Shopify store dashboard showing fake bot account signups being blocked by spam protection tools

One Shopify merchant logged into their admin in early 2026 and found 2,066 customer accounts they'd never seen before. No orders. No activity. Just rows of gibberish names and junk Gmail addresses, all created by a bot using the user agent okhttp/5.3.2. The bot rotated through the same 15 fake name pairs, over and over, filling the customer list with garbage.

This wasn't an isolated case. Shopify fake account signups are hitting stores everywhere — Community threads from the past year are full of merchants reporting the same pattern: 5, 20, sometimes 50 spam accounts per day. And because Shopify doesn't charge per customer record, most merchants don't notice until their email list is polluted, their analytics are skewed, and their marketing costs are climbing for all the wrong reasons.

Why Fake Accounts Cost You More Than You Think

A fake customer account doesn't place an order, so it feels harmless. It's not.

  • Email costs go up. If you're on Klaviyo, Shopify Email, or any platform that charges by list size, every bot account inflates your bill. A store with 2,000 fake accounts on a $0.01/email plan wastes $20/month on sends that hit dead inboxes.
  • Deliverability drops. Sending to fake addresses tanks your sender reputation. Gmail and Yahoo start routing your real customer emails to spam.
  • Analytics become useless. Customer counts, signup conversion rates, and cohort data all get distorted. You can't make good decisions with dirty data.
  • Pixel fires go to waste. Some bots trigger page views and events that feed into your Meta or Google pixels, polluting your ad audiences with fake profiles.

According to Imperva's 2025 Bad Bot Report, 51% of all internet traffic in 2024 was automated — and 37% of total traffic came specifically from bad bots. Ecommerce stores are a top target. If you're running a Shopify store and haven't checked your customer list for spam accounts recently, you probably have them. For a broader look at bot threats, see our guide to blocking bots and spam on Shopify.

How Do You Know if Your Store Has Fake Account Signups?

Before you fix anything, figure out the scale of the problem. Go to Shopify Admin > Customers and sort by date created, newest first. Look for these patterns:

  • Matching first and last names (e.g., "Jkdfs Jkdfs")
  • Random letter strings that aren't real names
  • Gmail addresses with random number strings
  • Accounts with zero orders and no activity
  • Clusters of accounts created within minutes of each other

If you see dozens of accounts matching these patterns, you have a bot problem. Export your customer list to a spreadsheet and filter for accounts with 0 orders — that gives you a rough count of how many are likely fake.

Turn On Shopify's Built-In Spam Protection

Shopify includes hCaptcha on all stores by default, but it's worth confirming it's actually enabled. Go to Online Store > Preferences > Spam protection and make sure the checkbox is active.

hCaptcha runs invisibly at first, analyzing visitor behavior without showing a challenge. When it detects something suspicious — like a bot hammering the account creation form — it escalates to a visual challenge. This catches most basic bots, but sophisticated ones can bypass it. Think of hCaptcha as your first line of defense, not your only one.

One important detail: if your theme uses a custom registration form or a headless storefront, hCaptcha may not be applied to your signup flow. Check with your theme developer to make sure CAPTCHA protection is actually wired up on every form that creates a customer account.

Use a Bot Protection App for Persistent Attacks

When built-in spam protection isn't enough — and for the okhttp bot wave hitting stores in 2026, it often isn't — a dedicated bot protection app adds deeper filtering.

Blockify Fraud Filter & Blocker lets you block traffic by IP address, country, VPN/proxy detection, and user agent. One merchant dealing with a card-testing attack reported reducing fake customers from thousands per day to about a dozen after installing it. You can also set it to auto-cancel orders flagged as high-risk.

Negate Bot Protection uses AI to identify and block bot traffic before it reaches your store. It focuses on protecting your marketing spend by filtering out bot clicks that inflate your ad costs, but it also blocks bots from creating fake accounts and scraping your product data.

Both apps are on the Shopify App Store. For a deeper comparison, check our roundup of the best Shopify fraud prevention apps. If you're seeing the specific okhttp/5.3.2 bot pattern, Blockify's user agent blocking is the fastest fix — you can block that exact user agent string in minutes.

Clean Up Existing Fake Accounts

Blocking new bots doesn't fix the fake accounts already in your system. Here's how to clean them out:

  1. Export your customer list from Shopify Admin > Customers > Export.
  2. Filter in a spreadsheet for accounts with 0 orders, no tags, and creation dates that cluster together.
  3. Review before deleting. Some legitimate customers create accounts without ordering right away. Check for any email engagement (opens, clicks) in your email platform before flagging an account as fake.
  4. Bulk delete in Shopify. Select the fake accounts in your customer list and delete them. Shopify lets you select up to 50 at a time, so this takes a while if you have thousands.
  5. Suppress in your email platform. If you've already synced these accounts to Klaviyo or another tool, remove them there too. Just deleting from Shopify won't automatically clean your email list.

For stores with more than a few hundred fake accounts, consider using Shopify's bulk actions API or a CSV import tool to speed up the cleanup. Doing it manually at 50 accounts per page gets tedious fast.

Switch to New Customer Accounts for Stronger Protection

Shopify offers two customer account systems: classic (legacy) and new customer accounts. The new system uses email verification codes instead of passwords, which makes automated account creation significantly harder for bots.

With classic accounts, a bot just needs to POST a name, email, and password to your registration endpoint. With new accounts, the customer receives a one-time code via email and must enter it to complete registration. Most spam bots can't complete that verification loop.

To switch: go to Settings > Customer accounts and select "New customer accounts." Be aware that this changes the login experience for existing customers — they'll use email codes instead of passwords going forward. Test it on a development store first if you have a large existing customer base.

Monitor for New Fake Signups Every Week

Bots evolve. The okhttp/5.3.2 bot is today's problem, but next month it'll be a different user agent string with a different pattern. Build a simple monitoring habit:

  • Check new customer accounts weekly. Sort by newest first, scan for patterns. Takes 2 minutes.
  • Set a Shopify Flow automation. Create a flow that tags new customer accounts with 0 orders after 7 days. If tagged accounts spike, you know bots are getting through again.
  • Watch your email list growth rate. If your subscriber count jumps without a corresponding increase in traffic or orders, bots are likely the cause.

If you're running a COD store with order verification through tools like EasySell — which includes phone/OTP verification and blocklists — you already have a layer of fraud prevention at the order level. But account-level spam requires the separate fixes described above, since bot accounts don't go through your order form.

Start with the 2-minute check: go to your customer list right now, sort by newest, and see how many accounts have zero orders and names that look like keyboard smashes. If the answer is more than a handful, turn on hCaptcha, install a bot blocker, and clean house before your next email send.