Should You Block VPN & Proxy Traffic on Your Shopify Store?

When you look at your fraud logs and see that most bad orders came through VPNs or proxies, the obvious move seems to be: block all VPN traffic. Problem solved, right? Not so fast. Millions of regular, paying customers use VPNs every day — for privacy, for work, or because their internet provider requires it. Block all VPN traffic and you are turning away real money along with the fraudsters. This guide shows you how to tell the difference and block the bad traffic without losing good customers.

Why So Many Fake Orders Come from VPNs

Fraudsters love VPNs for one simple reason: they hide where you really are.

Here is how it works in practice. Someone in Vietnam steals a credit card number from a person in Texas. If they try to use that card from a Vietnamese IP address, fraud detection systems immediately flag it — the card is American but the buyer is in Vietnam. That is an obvious mismatch.

So instead, the fraudster turns on a VPN, connects to a server in Texas, and suddenly their order looks completely normal. American card, American IP address, American shipping address (usually a freight forwarder that sends the package overseas).

This is why VPN-masked orders account for a disproportionate share of fraud:

  • Over 60% of online fraud originates from IP addresses that do not match the fraudster's real location
  • Residential proxies — which use real home IP addresses — make the fake location even more convincing
  • A VPN costs $3 to $10 per month. That is nothing compared to the value of a single fraudulent order
  • Free proxy lists are available on dozens of websites, giving fraudsters instant access to thousands of IP addresses

The Problem: Real Customers Use VPNs Too

Here is where it gets complicated. If you block all VPN traffic, you will stop some fraud — but you will also block real customers who were ready to buy.

Who uses VPNs legitimately?

  • Privacy-conscious customers: About 31% of internet users worldwide use a VPN regularly. Many are simply people who do not want their internet provider tracking everything they do. These are real customers with real money.
  • Corporate network users: Many companies route all employee internet traffic through a VPN for security. Someone shopping on their lunch break from a work laptop will show up as VPN traffic.
  • Travelers: A person on vacation in Europe who normally lives in the US might connect to their home VPN. Their credit card is American, their shipping address is American — the order is completely legitimate.
  • Apple iCloud Private Relay users: If your customer uses an iPhone or Mac with iCloud+, their traffic automatically goes through Apple's Private Relay system. This looks like a proxy to detection systems. There are over 1 billion active Apple devices — you cannot afford to block these users.
  • People in restrictive countries: Customers in some countries need VPNs just to access the open internet. Blocking VPNs means losing these markets entirely.

If 31% of internet users use VPNs and you block them all, you are potentially turning away roughly one-third of your potential customers. For a store doing $10,000 per month, that could mean $3,000 in lost sales — far more than most stores lose to fraud.

VPN vs. Proxy vs. TOR — What's the Difference?

These three tools all hide someone's real IP address, but they work differently and carry very different fraud risk levels:

VPN (Virtual Private Network):

  • A paid service ($3–$12/month) that encrypts all your internet traffic and routes it through a server in another location
  • Used by millions of regular people for privacy and security
  • Big names: NordVPN, ExpressVPN, Surfshark
  • Fraud risk: Medium. Plenty of legitimate users, but also used by fraudsters

Proxy:

  • A middleman server that forwards your traffic. Can be free or very cheap (pennies per IP)
  • Two types: datacenter proxies (from server farms — very suspicious) and residential proxies (from real home connections — harder to detect)
  • Fraud risk: High. Especially datacenter proxies — almost no regular shopper uses one

TOR (The Onion Router):

  • A free network that bounces your traffic through multiple random computers worldwide
  • Almost no regular online shopper uses TOR to buy products
  • Fraud risk: Very High. If someone is accessing your Shopify store through TOR, the chances of it being a legitimate purchase are extremely low

The key takeaway: VPN traffic is a mix of good and bad. Datacenter proxy traffic is mostly bad. TOR traffic is almost always bad. A smart blocking strategy treats each one differently.

Smart VPN Blocking: How to Block Fraud Without Blocking Customers

The goal is not to block all hidden traffic — it is to block the dangerous hidden traffic while letting real customers through:

Block TOR traffic entirely. The odds of a legitimate customer placing a real order through TOR are close to zero. This is one of the safest, highest-impact rules you can set.

Block datacenter proxies. When someone's IP belongs to a server farm (Amazon Web Services, Google Cloud, DigitalOcean) instead of a home internet provider, they are almost certainly not a regular shopper.

Allow iCloud Private Relay. Apple's Private Relay is used by tens of millions of regular iPhone and Mac users. Blocking it is like putting a "no iPhones allowed" sign on your store.

Do not block VPNs outright — combine with risk scoring. A VPN by itself is a yellow flag, not a red one. But a VPN combined with other red flags becomes a serious warning:

  • VPN alone = allow, maybe flag for monitoring
  • VPN + billing/shipping address mismatch = review before fulfilling
  • VPN + multiple card attempts = block automatically
  • VPN + known fraud device fingerprint = block immediately

This approach lets the privacy-conscious customer buy through their VPN without friction. But when a fraudster uses a VPN and starts testing stolen cards, the combination of signals catches them.

Browsify handles this automatically — it combines VPN detection with Visitor ID fingerprinting, risk scoring, and behavioral analysis to make the right call for each individual visitor.

Setting Up VPN & Proxy Rules in Browsify

Here is exactly how to configure smart VPN and proxy blocking in Browsify:

  1. Enable VPN and proxy detection. Go to your Browsify dashboard, click Settings, then Detection. Turn on "VPN/Proxy Detection."
  2. Set your TOR rule: Block. Under Connection Rules, set TOR traffic to "Block." Almost zero legitimate customers will be affected.
  3. Set your datacenter proxy rule: Block. Set datacenter proxy traffic to "Block." These are IP addresses from server farms, not homes or offices.
  4. Set your residential VPN rule: Flag but allow. Set residential VPN traffic to "Flag" rather than "Block." VPN users can still shop, but their risk score gets a bump. If they have no other risk factors, they buy normally.
  5. Allow iCloud Private Relay. Make sure Apple's iCloud Private Relay is set to "Allow." Browsify recognizes this traffic separately so your Apple customers are never blocked.
  6. Optional: Block specific ISPs. If you notice repeated fraud from specific internet service providers, you can add them to your ISP block list.

These rules start working immediately. Most merchants find that smart VPN blocking reduces fraud by 40–60% while blocking fewer than 1% of legitimate customers.

Block Fraud Traffic, Not Your Customers

Browsify's smart VPN and proxy detection blocks the dangerous traffic while letting real customers through — so you stop fraud without losing sales.

Install Browsify Free on Shopify

Related Guides

What Is Visitor ID & Why IP Blocking Isn't Enough

Learn why IP blocking fails and how Visitor ID identifies fraudsters by their device instead.

Read guide →

Understanding Fraud Risk Scores on Shopify

Learn what risk scores mean and how to use them to make smart decisions about suspicious orders.

Read guide →

How to Stop Fake Orders on Shopify

Stop fake orders at the source with Visitor ID fingerprinting and real-time fraud scoring.

Read guide →