How to prevent discount code abuse on Shopify
You're probably giving away more discounts than you think
If you offer a new-customer discount, there's a decent chance the same person has used it more than once. Riskified puts the global cost of promo abuse at $89 billion a year. A Signifyd survey from 2025 found that 53% of merchants say the problem is getting worse.
The reason is straightforward. Shopify's "limit to one use per customer" checks the customer account. Not the person. A different email, a guest checkout, a Gmail alias, and the discount works again.
Roughly 5-10% of first-time buyer discounts go to people who aren't actually first-time buyers. On a store doing $50k a month with a 15% welcome offer, that's $375 to $750 in discounts that shouldn't have been applied.
How people do it
Gmail dots
Gmail ignores dots. [email protected], [email protected], and [email protected] all go to the same inbox. One person, dozens of "new" emails.
Plus aliases
[email protected], [email protected], [email protected]. All the same person. Takes two seconds to type.
Throwaway emails
Tempmail, Guerrillamail, Mailinator. No signup required, email works for a few minutes, discount code redeemed, email gone. There are over 3,000 of these services.
Guest checkout
This is the big one. If your store allows guest checkout (and most do), there's no account to check. Different email, discount applied, done. Shopify has nothing to match against.
Address variations
"123 Main St" vs "123 Main Street" vs "123 Main St Apt 1." Same place, looks like three different customers.
Why Shopify's built-in tools don't solve this
"One use per customer" needs the customer to be logged in. Guest checkout bypasses it completely. So does creating a new account.
Usage limits cap total redemptions but can't tell if the same person is responsible for five of them.
Customer segments help, but again, only if the person is logged into an account you recognize.
The root problem: Shopify matches by account, not by identity. Making a new account is as easy as typing a different email.
What actually works
Normalize emails first
This catches the most abuse with the least effort. Before comparing against your order history, strip dots from Gmail addresses, remove everything after a + sign, lowercase everything, and resolve domain aliases like googlemail.com to gmail.com. Now [email protected] and [email protected] are the same address.
Block throwaway email domains
Keep a list of disposable email providers and reject them at checkout. The list needs updating, since new services pop up regularly, but it blocks the laziest form of abuse.
Check phone numbers
People change emails easily. Phone numbers, not so much. Normalize the formatting, strip country codes, and compare against previous orders. Most repeat buyers use the same phone.
Fuzzy-match addresses
Don't require exact string matches. "123 Main Street Apartment 4B" and "123 Main St #4B" are obviously the same place. An 85% similarity threshold catches most variations without blocking legitimate customers.
Block before the order, not after
This matters more than it might seem. If you catch abuse after the order is placed, you're canceling orders and processing refunds. You still pay the transaction fee. If you block at checkout, the discount never gets applied. No order to cancel, no fee to eat.
Combine signals
No single check catches everything. Email normalization misses the person who uses a completely different email. Phone matching misses the person with a prepaid SIM. Address matching misses someone shipping to their office. But all five together (email, phone, address, IP, device) are very hard to beat. You'd need to change everything at once.
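The normalization and matching steps above (email, phone and the 85% address threshold) as one added, runnable example; this is illustration code written for this page, not OfferGuard's implementation. The disposable-domain list, abbreviation table, order history and the assumption of 10-digit national phone numbers are all constructed here.

```python
import re
from difflib import SequenceMatcher

# Constructed sample lists; a real deployment keeps a maintained list of disposable providers.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}
STREET_ABBREVS = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}

def normalize_email(email: str) -> str:
    """Lowercase, resolve domain aliases, drop +tags, and drop dots for Gmail only."""
    local, _, domain = email.strip().lower().rpartition("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    local = local.split("+", 1)[0]
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"

def is_disposable(email: str) -> bool:
    return normalize_email(email).rpartition("@")[2] in DISPOSABLE_DOMAINS

def normalize_phone(phone: str, national_digits: int = 10) -> str:
    """Digits only; keeping the last 10 drops a leading country code (assumes NANP numbers)."""
    return re.sub(r"\D", "", phone)[-national_digits:]

def normalize_address(address: str) -> str:
    """Lowercase, treat '#' as 'apt', abbreviate street words, collapse punctuation."""
    text = address.lower().replace("#", " apt ")
    tokens = [STREET_ABBREVS.get(t, t) for t in re.findall(r"[a-z0-9]+", text)]
    return " ".join(tokens)

def address_similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalize_address(a), normalize_address(b)).ratio()

def matches_prior_order(order: dict, history: list) -> bool:
    """True when a normalized email, phone, or >=85%-similar address ties the order to a prior one."""
    email, phone = normalize_email(order["email"]), normalize_phone(order["phone"])
    for prior in history:
        if email == normalize_email(prior["email"]):
            return True
        if phone and phone == normalize_phone(prior["phone"]):
            return True
        if address_similarity(order["address"], prior["address"]) >= 0.85:
            return True
    return False

# Constructed order history and a new "first-time" order that is really the same person.
HISTORY = [{"email": "jane.doe@gmail.com", "phone": "+1 (555) 010-2222",
            "address": "123 Main Street Apartment 4B"}]
NEW_ORDER = {"email": "JaneDoe+promo@googlemail.com", "phone": "555-010-2222",
             "address": "123 Main St #4B"}
```

Each signal is checked independently, so a customer who changes only one of the three is still matched; dots are stripped only for Gmail because other providers treat them as significant.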
Automating it
Checking each order by hand isn't realistic. OfferGuard runs these checks automatically at checkout through Shopify's Checkout Extensions API. When a match is found, the customer sees a message that the offer is for new customers only. They can still buy at full price.
The free Watchdog plan covers email normalization, so you can see how much abuse your store actually has. Sentinel ($29/month) turns on all five signals.
After an order goes through, post-purchase rules can tag it, flag the risk level, or hold fulfillment for review.
Measuring whether it's working
After you set things up, keep an eye on:
- What percentage of discount uses come from genuinely new customers
- Whether your discount costs as a share of revenue are going down
- How many abuse attempts are getting caught
- Whether real customers are getting blocked by mistake
Most stores see discount costs drop 15-40% in the first month, depending on traffic and how much abuse was happening before.
When to set it up
Before your next promotion. Whether it's a seasonal sale, a new welcome offer, or an influencer campaign with exclusive codes, protecting those discounts before they go live saves you from cleaning up after.
Start with email normalization and disposable email blocking. They catch the majority of abuse with almost no false positives. Add phone, address, IP, and device when you're ready for full coverage.