Understanding Risk Scores: How Fraud Detection Actually Works
What is a fraud risk score and how is it calculated? A clear, jargon-free guide to the signals behind the 0–100 score, how thresholds work, and how to tune them without blocking real customers.

Behind every "high risk" flag on your Shopify orders is a single number doing a lot of quiet work: a risk score. It's the engine of modern fraud detection, the thing that decides, in milliseconds, whether a visitor sails through checkout, gets flagged for review, or is blocked outright.
Yet most merchants treat the score as a mysterious verdict handed down from a black box. That's a missed opportunity. Once you understand how a risk score is built (what signals feed it, how they're weighted, and how thresholds turn a number into an action), you can stop fearing the score and start using it as a precision tool.
This guide demystifies risk scoring from the ground up. (For the wider strategy, see our complete guide to Shopify fraud prevention.)
What Is a Fraud Risk Score?

A fraud risk score is a single number, usually on a scale of 0 to 100, that represents how likely a visitor or order is to be fraudulent. Think of it like a credit score, but for fraud risk: it takes a messy pile of behavioral and technical signals and translates them into one actionable measure.
Most systems break the scale into three bands:
- 0–33: Low Risk. The visitor or order looks safe and is allowed through.
- 34–66: Medium Risk. Some suspicious signals are present; flag for review or verification.
- 67–100: High Risk. Strong fraud indicators; block, redirect, or investigate before fulfilling.
The power of a single score is that it lets you treat a clearly safe order differently from a clearly risky one, automatically and at scale, without reading every signal by hand on every order.
How a Risk Score Is Calculated: The 5-Step Process

A risk score isn't magic. Under the hood, almost every fraud scoring system follows the same structured, automated pipeline:
Step 1: Signal collection. As a visitor browses or checks out, the system gathers data about the payment, the customer, the device, and the context: IP address, location, device characteristics, and behavior.
Step 2: Data enrichment. The raw signals are expanded with outside context: Is this IP a known proxy or datacenter? Has this card or email been flagged elsewhere? This step reveals patterns a single transaction can't show on its own.
Step 3: Risk weighting. Not all signals matter equally. A clear warning sign, like a location mismatch, carries far more weight than a minor irregularity. Each signal is assigned a weighted value.
Step 4: Model evaluation. A scoring model, often machine learning, processes the weighted signals and estimates the likelihood of fraud by comparing this order to millions of known past outcomes.
Step 5: Score generation. The result is a single number on the 0–100 scale, returned instantly so you can approve, block, or review without slowing the customer down.
Crucially, good systems keep learning: as outcomes come in (confirmed fraud, clean orders, disputes), the model adapts to stay current as fraud tactics change.
The Signals That Move Your Risk Score
So what actually pushes a score up? While every system weighs things differently, these are the signal categories that consistently matter, and understanding them tells you exactly why an order scored the way it did.
Payment signals. Failed AVS (billing address) or CVV checks, and a card-issuing country that doesn't match the billing country. Multiple failed authorization attempts are a strong signal: real customers occasionally mistype a CVV once, but they don't fail it four times in a row while cycling through different numbers.
Network and location signals. Use of proxies, commercial VPNs, or TOR to hide the real IP; connections from known fraud-hotspot datacenters; and geolocation mismatches. As a rule of thumb, shoppers usually buy within a short distance of their billing address, so a large gap between IP location and billing address can raise a flag, though legitimate exceptions like travel exist.
Device and behavioral signals. Device fingerprint anomalies, suspicious user agents, incognito mode, rapid-fire ordering, frequent fingerprint changes, and other bot-like behavior.
Identity signals. A brand-new customer with no order history, a free-email domain paired with a random-string address, or a thin overall digital footprint.
To make this concrete, here's a simplified example of how individual risk factors might each add points toward a total score:
| Risk Factor | Example Points |
|---|---|
| Proxy/VPN use | +70 |
| Automation/bot use | +80 |
| Multiple country changes in 24h | +70 |
| Card country mismatch | +70 |
| Mismatched shipping/IP location | +80 |
| Multiple card attempts | +50 |
| Billing info mismatch | +60 |
| Rapid order placement | +60 |
| Incognito mode use | +30 |
The system sums the points from every rule the visitor triggers, then caps the total at 100. A visitor using a VPN (+70) who also shows bot behavior (+80) lands deep in High Risk territory almost immediately. One who merely uses incognito mode (+30) stays Low Risk on that signal alone. (Exact factors and weights vary by tool; this illustrates the logic.)
Thresholds: Turning a Score Into a Decision

Here's the part many merchants miss: a risk score doesn't make decisions on its own. It's just a number. You decide what happens at each level by setting thresholds based on your risk tolerance.
A typical setup looks like this:
- Scores below your low threshold pass automatically, keeping checkout fast for the vast majority of genuine customers.
- Scores in the middle band get flagged for manual review or trigger a verification step.
- Scores above your high threshold are blocked or redirected automatically.
The threshold is your steering wheel. Set the auto-block threshold lower (say, 67) and you stop more fraud but risk catching more legitimate customers. Set it higher (say, 85) and you're more lenient but let more risk through. There's no universal "right" number; it depends on your margins, your product, and your customers.
The Two Mistakes Merchants Make With Thresholds
Mistake 1: Setting it too aggressive. This is the expensive one almost nobody measures. Overly strict thresholds decline good customers, and false declines reportedly cost retailers many times more than fraud itself. A first-time buyer placing a large order while travelling abroad on a VPN can score high yet be completely legitimate. Every one you wrongly block is lost revenue and a lost customer who may never return.
Mistake 2: Setting it and forgetting it. Fraud tactics evolve, and so should your thresholds. The merchants who get this right review the patterns in their flagged orders periodically and adjust: tightening when fraud rises, loosening when false declines climb. Risk scoring is a continuous program, not a one-time switch.
The goal isn't the lowest possible fraud rate. It's the best possible balance between stopping fraud and approving good customers.
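The additive scoring from the table above and the threshold trade-off described in this section can be run together. The following is an added example, not code from Browsify or Shopify: it uses the article's illustrative weights, the 34/67 band edges, and compares auto-block thresholds of 67 and 85. The signal key names and the labelled sample orders are constructed for illustration.

```python
# Illustrative weights from the article's table; signal key names are assumed.
WEIGHTS = {
    "proxy_vpn": 70, "automation_bot": 80, "multi_country_24h": 70,
    "card_country_mismatch": 70, "ship_ip_mismatch": 80,
    "multiple_card_attempts": 50, "billing_mismatch": 60,
    "rapid_orders": 60, "incognito": 30,
}

def score(signals):
    """Sum the points of every triggered factor and cap the total at 100.
    Also returns the contributing factors so the score is explainable."""
    hits = {s: WEIGHTS[s] for s in signals}  # unknown signal raises KeyError
    return min(100, sum(hits.values())), hits

def decide(value, review_at=34, block_at=67):
    """Turn a score into an action using merchant-chosen thresholds."""
    if value >= block_at:
        return "block"
    return "review" if value >= review_at else "allow"

def sweep(orders, block_thresholds):
    """For each candidate auto-block threshold, count the fraud it blocks
    and the legitimate orders it wrongly blocks (false declines)."""
    result = {}
    for t in block_thresholds:
        blocked = [o for o in orders
                   if decide(score(o["signals"])[0], block_at=t) == "block"]
        result[t] = {
            "fraud_blocked": sum(1 for o in blocked if o["fraud"]),
            "false_declines": sum(1 for o in blocked if not o["fraud"]),
        }
    return result

# Constructed orders with known outcomes (sample data, not real).
ORDERS = [
    {"signals": ["proxy_vpn", "automation_bot"], "fraud": True},           # 150 -> 100
    {"signals": ["multiple_card_attempts", "incognito"], "fraud": True},   # 80
    {"signals": ["card_country_mismatch", "rapid_orders"], "fraud": True}, # 130 -> 100
    {"signals": ["proxy_vpn"], "fraud": False},         # 70: traveller on a VPN
    {"signals": ["billing_mismatch"], "fraud": False},  # 60
    {"signals": ["incognito"], "fraud": False},         # 30
]

if __name__ == "__main__":
    for threshold, counts in sweep(ORDERS, [67, 85]).items():
        print(threshold, counts)
```

On this constructed set, raising the auto-block threshold from 67 to 85 removes the one false decline (the VPN traveller at 70) but sends one fraudulent order (score 80) to review instead of blocking it.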
Why a Transparent, Tunable Score Matters
This is where many merchants hit a wall with built-in tools. Shopify's native fraud recommendation is powerful, but it's essentially a black box: it tells you "high risk" or "characteristics similar to past fraud" without always naming the specific signals, and you can't adjust how it weighs them.
A dedicated fraud tool with a transparent, tunable risk score solves both problems. You can see exactly which factors pushed a visitor's score up, and you can set your own thresholds for blocking, redirecting, or allowing.
This is precisely how an app like Browsify approaches it. Browsify assigns each visitor a clear 0–100 risk score built from the signals you've just learned about: proxy/VPN/TOR use, location and country mismatches, device and behavioral anomalies, and repeat-offender history tied to a persistent visitor ID. Because the score is transparent, you can see why a visitor was flagged; because the threshold is yours to set, you can tune protection to your store's exact risk tolerance and act on it automatically, blocking high-risk visitors before they ever reach checkout, while letting genuine shoppers (including those on iCloud Private Relay) straight through.
Try Browsify free and put a transparent, tunable risk score to work on your store. (https://apps.shopify.com/browsify-fraud-filter-blocker)
Frequently Asked Questions
Is a higher risk score always worse? On a 0–100 scale, yes: higher means more likely to be fraudulent. But a high score isn't proof of fraud; it's a prompt to verify or review, especially near your threshold.
Can a legitimate customer get a high risk score? Absolutely. Travelers on VPNs, shoppers using privacy tools, or first-time buyers placing large orders can all score high. That's why thresholds and verification matter: you don't want to auto-block every high score blindly.
What's the difference between a risk score and Shopify's fraud recommendation? Shopify's recommendation is a low/medium/high verdict you generally can't tune. A dedicated risk score is usually a transparent 0–100 number where you can see the contributing factors and set your own action thresholds.
Where should I set my auto-block threshold? There's no universal answer; it depends on your margins and customers. Many stores start conservative (e.g., blocking only very high scores), then adjust based on the patterns they see in flagged orders and their false-decline rate.
Final Thoughts
A risk score isn't a verdict to fear; it's a tool to wield. Once you understand the pipeline (collect, enrich, weight, evaluate, score), the signals that move the number, and how thresholds convert that number into action, fraud detection stops feeling like a black box.
The merchants who win don't chase a zero fraud rate. They use a transparent score, set thresholds to their real risk tolerance, and revisit them as fraud evolves, catching the bad actors while waving through the good customers who actually pay the bills.
Next in this series: "Proxy, VPN, and TOR: How Fraudsters Hide and How to Block Them" and "Best Practices for Setting Fraud Thresholds to Avoid False Declines."
This article is for general educational purposes and reflects common ecommerce fraud-prevention practices; it isn't legal or financial advice. Scoring factors and weights shown are illustrative and vary by tool. Always confirm current Shopify features and your payment processor's policies, as they change over time.