5 Ways Customers Game Your New Customer Offers
Your New Customer Offer Has a Leak
New customer discounts are one of the most effective acquisition tools in ecommerce. A well-crafted welcome offer can convert hesitant first-time visitors into buyers, and the lifetime value of that initial conversion often justifies a generous discount.
But there is a catch. The same features that make new customer offers attractive to genuine first-time buyers also make them attractive to existing customers who want a discount on their next purchase. According to Signifyd's 2025 research, 53% of merchants report increasing promotional abuse. Riskified estimates $89 billion is lost to promo abuse globally per year.
And bypassing the "one per customer" restriction is far easier than most merchants realize.
Here are the five most common tactics we see, ranked by how frequently they occur.
1. Email Aliasing and Dot Tricks
How common: Very common. This is the first thing most people try because it requires zero effort.
How it works: Gmail — the world's most popular email provider — has two features that make it trivially easy to create unlimited email variations that all deliver to the same inbox.
The dot trick exploits the fact that Gmail ignores periods in the local part of an email address. The address "[email protected]" is identical to "[email protected]" and "[email protected]." But to your Shopify store, each variation looks like a different customer.
The plus alias trick uses Gmail's support for the "+" character. Anything after the plus sign and before the @ is ignored by Gmail but treated as a unique address by most other systems. So "[email protected]" and "[email protected]" and "[email protected]" all reach the same inbox.
Combined, these two tricks give a single Gmail user access to thousands of unique email addresses, each of which appears as a new customer to Shopify.
How to detect it: Email normalization. By programmatically removing dots from the local part and stripping plus aliases before comparing against your customer database, you collapse all variations into a single canonical address. For example, [email protected] normalizes to [email protected]. This is the first signal in OfferGuard's detection chain — it catches the majority of abuse with zero false positives.
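The normalization described above, as an added example (not OfferGuard's code). It removes dots only for Gmail domains, because other providers treat dots as significant, and it strips plus aliases on every domain, which is an assumption of this sketch. The function names and sample addresses are constructed for illustration.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # both deliver to the same Gmail mailbox


def canonical_email(address: str) -> str:
    """Collapse alias variants of one mailbox into a single comparison key."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Plus alias: drop everything from the first '+' onward.
    # Assumption: applied to every domain, since many providers support it.
    local = local.split("+", 1)[0]
    # Dot trick: only Gmail ignores dots, so other domains keep theirs.
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    if not local:
        raise ValueError(f"empty mailbox name: {address!r}")
    return f"{local}@{domain}"


def build_index(customer_emails):
    """Canonical keys for every email already on file."""
    return {canonical_email(e) for e in customer_emails}


def is_returning(checkout_email, index) -> bool:
    """True when the checkout email is a variant of a known customer's."""
    return canonical_email(checkout_email) in index


# Constructed sample data, not real customers.
KNOWN = build_index(["jane.doe@gmail.com", "sam.lee@example.org"])
```

Store the canonical key alongside the original address and compare on the key; keep sending mail to the address the customer actually typed.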
2. Disposable Email Addresses
How common: Common, especially among tech-savvy shoppers and deal-hunting communities.
How it works: Disposable email services provide free, temporary email addresses that require no registration. A customer visits a site like Tempmail, Guerrillamail, or Mailinator, receives a random email address, uses it to check out on your store, receives the order confirmation, and moves on. The email address self-destructs after a set period.
There are over 3,000 known disposable email providers, and new ones appear regularly. Some are well-known (tempmail.com, throwaway.email) while others use obscure domains that are harder to identify.
The appeal is obvious: each disposable address is genuinely unique, so even basic email comparison will not catch it. The same person can claim your new-customer discount an unlimited number of times by simply generating a fresh email for each order.
How to detect it: Maintain and regularly update a blocklist of known disposable email domains. When a checkout email matches a domain on the list, block the discount immediately. There is no legitimate reason for a customer to use a temporary email for a purchase that requires shipping and order tracking.
3. Guest Checkout Bypass
How common: Very common. This is the biggest gap in Shopify's native protection.
How it works: Shopify's "limit one per customer" checks against customer accounts. If your store allows guest checkout — and most stores do because disabling it tanks your conversion rate — there is no account to check against. The customer just enters a different email address and the discount applies. No registration, no account creation, no barriers at all.
This is the bypass that Shopify's native system simply cannot address. Even if the customer used the exact same phone number and shipping address as their previous order, Shopify's discount system does not cross-reference those signals.
How to detect it: Pre-checkout blocking that works independently of customer accounts. OfferGuard checks all five signals (email, phone, address, IP, device) regardless of whether the customer is logged in or checking out as a guest.
4. VPN and Incognito Browsing
How common: Moderate and increasing. Browser privacy tools are becoming mainstream, and many people use them habitually rather than specifically for discount abuse.
How it works: Incognito or private browsing mode prevents your store from reading previously set cookies, making a returning visitor appear as if they have never been to your site before. Combined with a different email address, this defeats any client-side tracking you might use.
VPNs go a step further by masking the customer's IP address. A customer who previously ordered from one IP can connect through a VPN and appear to be visiting from an entirely different city or country.
The combination of incognito mode plus a VPN plus a different email address creates a fairly convincing "new customer" profile, at least on the surface.
How to detect it: Device fingerprinting looks beyond cookies and IP addresses to identify devices based on browser characteristics, installed fonts, screen resolution, hardware capabilities, and other signals. A well-implemented fingerprint can identify the same device even in incognito mode, even behind a VPN. This is the fifth signal in the detection chain — and the hardest one for abusers to change.
5. Multiple Shipping Address Variations
How common: Moderate. Requires slightly more effort than email tricks but is still straightforward.
How it works: A customer uses their real email and phone number for each order but varies their shipping address just enough to avoid a direct match. Common variations include:
- "123 Main Street" vs "123 Main St"
- "Apartment 4B" vs "Apt 4B" vs "#4B" vs omitting the unit number entirely
- "123 Main St, Springfield" vs "123 Main Street, Springfield, IL"
- Adding a company name or care-of line
To a simple string comparison, each of these is a different address. But they all result in the package being delivered to the same location.
How to detect it: Fuzzy string matching with address standardization. Convert all addresses to a standard format (abbreviating "Street" to "St," normalizing unit designations, etc.) and then use similarity scoring to compare against previous orders. A threshold of 85-90% similarity typically catches most intentional variations while avoiding false positives.
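An added sketch of the standardize-then-score approach above (not OfferGuard's code), using Python's standard-library difflib for the similarity score. The abbreviation table, function names and the 0.85 default are assumptions chosen to match the threshold range in the text; a production table would be far longer.

```python
import re
from difflib import SequenceMatcher

# Constructed abbreviation table (assumption), deliberately short.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "boulevard": "blvd", "apartment": "apt", "unit": "apt", "suite": "ste",
}


def standardize(address: str) -> str:
    """Lower-case, expand '#' to a unit marker, drop punctuation, abbreviate."""
    text = address.lower().replace("#", " apt ")
    text = re.sub(r"[^a-z0-9 ]", " ", text)
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in text.split())


def similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two addresses after standardization."""
    return SequenceMatcher(None, standardize(a), standardize(b)).ratio()


def same_destination(a: str, b: str, threshold: float = 0.85) -> bool:
    """True when two addresses score at or above the similarity threshold."""
    return similarity(a, b) >= threshold


# Constructed examples based on the variations listed above.
PAIRS = [
    ("123 Main Street, Apartment 4B", "123 Main St #4B"),           # unit wording
    ("123 Main St, Springfield", "123 Main Street, Springfield, IL"),  # added state
    ("123 Main St Apt 4B", "123 Main St"),                           # unit omitted
    ("123 Main St, Springfield", "456 Oak Ave, Springfield"),        # different home
]
RESULTS = [same_destination(a, b) for a, b in PAIRS]
```

With this scoring the pair that omits the unit number falls below 0.85, so that variation is only caught when another signal also matches.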
The Pattern Behind All Five Tactics
Notice the common thread: each tactic works by changing one or two identity signals while leaving others the same. Email aliasing changes the email but not the phone, address, IP, or device. Disposable emails change the email domain but the person still checks out from the same device. Address variations change the address but the email and phone often stay the same.
This is why single-signal detection will always have gaps, and why multi-signal detection is so effective. When you check five different identity signals and require a match on any two, you create a net that is extremely difficult to slip through.
A customer would need to simultaneously use a different email (not an alias, not disposable), a different phone number, a different shipping address (not a variation), a different IP address, and a different device. That level of effort is possible but exceedingly rare, and the cost of the effort typically exceeds the value of the discount.
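An added example of the "match on any two of five signals" rule described above (not OfferGuard's code). It assumes each signal has already been reduced to a comparable key (canonical email, standardized address, device fingerprint hash); the field names and order records are constructed.

```python
SIGNALS = ("email", "phone", "address", "ip", "device")


def matched_signals(order: dict, prior: dict) -> list:
    """Signals present on both orders with equal values; missing never matches."""
    return [s for s in SIGNALS
            if order.get(s) is not None and order.get(s) == prior.get(s)]


def find_repeat(order: dict, history: list, required: int = 2):
    """Return (prior order id, matched signals) for the strongest match
    that meets the threshold, or None when no prior order qualifies."""
    best = None
    for prior in history:
        hits = matched_signals(order, prior)
        if len(hits) >= required and (best is None or len(hits) > len(best[1])):
            best = (prior["id"], hits)
    return best


# Constructed order history; IPs are from documentation ranges.
HISTORY = [
    {"id": 1001, "email": "janedoe@gmail.com", "phone": "+15555550100",
     "address": "123 main st apt 4b", "ip": "203.0.113.7", "device": "fp-a1"},
    {"id": 1002, "email": "sam.lee@example.org", "phone": None,
     "address": "9 elm rd", "ip": "198.51.100.20", "device": "fp-b2"},
]

# Fresh email behind a VPN, but the same phone, address and device.
VPN_ORDER = {"email": "x7k2@example.net", "phone": "+15555550100",
             "address": "123 main st apt 4b", "ip": "192.0.2.44", "device": "fp-a1"}

# Guest checkout that shares only an IP with order 1002, no phone given.
SHARED_IP_ORDER = {"email": "new.person@example.com", "phone": None,
                   "address": "77 pine ct", "ip": "198.51.100.20", "device": "fp-c3"}
```

A single shared signal, such as one IP address, stays below the threshold, while the order that changed only its email and IP is tied back to order 1001.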
What This Means for Your Store
If you run new-customer promotions, you should assume that some percentage of redemptions are coming from repeat buyers. Industry data suggests 5-10% of first-time buyer discounts are fraudulent. The question is not whether it is happening, but how much it is costing you.
Audit your recent discounted orders. Look for patterns: the same phone number on multiple "new customer" orders, very similar addresses, multiple orders from the same IP. The results might surprise you.
Then implement protection that matches the level of exposure you find. Start with the free Watchdog plan to see your abuse levels with email detection alone. Upgrade to Sentinel ($29/month) for full 5-signal protection when you are ready.
The goal is straightforward: make sure your new-customer offers actually go to new customers.