Merchants talk. And when they do, one topic keeps coming up: clean-looking buyers who slip through fraud filters only to file disputes days or weeks later.
Shopify, Stripe Radar, Riskified… These tools catch a lot, but not everything. Especially not the patterns that fall just outside their scoring models. The biggest red flags, it turns out, are sometimes the ones only humans can see.
Here are three behaviors merchants say they've spotted after getting burned, and behaviors that most platforms don't flag.
1. Fast Repeat Orders From Different Emails
A buyer places an order that looks normal. Then they do it again five minutes later, same shipping address, different email.
Individually, these transactions pass fraud checks. The IP might match. The AVS and CVV pass. But what's really happening?
It's often a fraud test pattern. The buyer uses stolen cards but keeps the details close enough to avoid suspicion. One merchant reported seeing seven orders in 30 minutes, all shipping to the same PO box, each with a new Gmail variation. Fraud tools saw seven legitimate purchases. The merchant saw something else: a buyer fishing for the card that wouldn't fail.
What to watch for:
- Repeated orders to the same address with minor email changes
- Different cards, same ZIP code or phone number
- A cluster of orders within a short window
Why it matters: This behavior usually means the fraudster is testing which stolen cards work, and once they find one, the big-ticket order follows.
2. Buyers Who Message Support First
Most merchants love a proactive customer. But when someone reaches out before making a purchase, especially with questions about shipping speed or return policies, it can be a sign of trouble.
Support chats are used as trust-building tools. In several forum stories, merchants explained that fraudsters messaged their teams to create a "paper trail," hoping to look legitimate when the inevitable chargeback was filed.
One merchant said the fraudster asked about product stock, shipping times, and even requested a coupon. The order came through 10 minutes later and was disputed a week after delivery.
What to watch for:
- Pre-purchase support chats with urgency or excessive detail
- Repeated messages from the same person under slightly different names
- Buyers who ask for things to be put in writing (e.g., "Can you confirm this here in the chat?")
Why it matters: Fraudsters know that support logs can help them in a dispute. If they create enough "legitimate" interaction, they can claim they were misled.
3. Small Test Orders Before the Real Hit
It starts with a low-risk purchase. Something under $20. It goes through, gets delivered, and nothing seems off.
Then a week later, the same customer (or same shipping address) places a $900 order for a high-ticket item.
This is a classic velocity test. Fraudsters use small orders to probe merchant risk systems. If the test passes, they assume the merchant isn't using strict fraud logic and feel safe placing the bigger order. Sometimes they'll even wait until the chargeback window for the first order has passed, making the merchant feel even more secure.
What to watch for:
- Tiny purchases followed by a large one within 7 to 14 days
- Different emails or phone numbers, but same name or address
- Order size increasing without customer history
Why it matters: By the time the big order comes in, the fraudster already knows your store is vulnerable.
Why Fraud Tools Miss These
Most automated fraud systems rely on historical data, behavioral patterns, and shared blacklists. They're excellent at flagging bot behavior, mismatched geos, and known risky BINs.
But they don't always catch:
- Context across orders
- Human manipulation (like fake chats)
- Velocity trends that span different customer profiles
These are often the "gray zone" behaviors. Clean on paper, but suspicious when seen in context.
How Merchants Spot What Tools Can't
Seasoned merchants build internal red flag lists. Some even tag repeat addresses or manually review orders that hit too many soft signals. Others build Zapier workflows that track unusual behavior across helpdesk tickets and order data.
A few tricks that actually work:
- Auto-tagging addresses used more than once per day
- Slack alerts for repeat orders with different emails
- Flagging any order placed within 10 minutes of a support interaction
The goal isn't to block more orders. It's to slow down and inspect the ones that pass technical checks but feel "off."
Real Quote From a Merchant
"Stripe said the fraud risk was low. But the customer contacted support three times before buying, and then disputed it three days after delivery. I should've trusted my gut."
Conclusion: Trust the Tools, But Trust Your Eyes More
Fraud detection is never perfect. Platforms like Shopify and Stripe catch a lot, but not all. Merchants still need to look at context, spot odd behavior, and flag patterns that don't fit clean fraud models.
If you've ever been burned by a buyer who looked clean but turned out to be a chargeback, you're not alone. The signs were likely there; you just had to know where to look.
Want to Catch These Red Flags Sooner?
Chargeblast helps you go beyond what automated tools can see. Our system doesn't just score transactions; it also gives you the human signals. Track order timing, buyer behavior, and support patterns before the dispute hits.
Stop trusting scores alone. Start spotting the subtle patterns. Book a demo below today!
