Your Shopify welcome offer keeps getting used by the same people

You launched a 15% welcome offer to bring in first-time buyers. You set it to "limit one use per customer" in Shopify's discount settings. And then you pulled your order data last month and found the same person used it four times.

Different email each time. Same shipping address. Same credit card. Shopify treated every single order as a brand new customer.

This is not a rare edge case. If you run a welcome offer on Shopify for more than a few weeks, it's happening to you right now.

Why your welcome discount keeps getting reused

The short answer: Shopify identifies customers by email address. That's it. And email addresses are the easiest identity to fake.

Here's what your repeat buyers are doing:

Gmail dot and plus tricks. A customer with [email protected] can check out as [email protected], [email protected], or [email protected]. Gmail delivers all of those to the same inbox. Shopify sees each one as a unique customer. One Gmail account can generate hundreds of valid variations that all land in the same inbox.

Guest checkout. When someone checks out as a guest, there is no customer account attached to the order. Shopify's "limit one per customer" setting only applies to logged-in accounts. Guest orders skip the check entirely. Your customer grabs the welcome code, checks out as a guest, and the restriction never fires.

Disposable email services. Tempmail, Guerrillamail, 10minutemail. There are over 3,000 throwaway email providers. A repeat buyer can generate a fresh email in seconds, use your welcome discount, and the email address ceases to exist 10 minutes later. You can't even send them a follow-up.

Multiple accounts. Even without any tricks, a customer with a work email and a personal email is already two "different" customers in Shopify. Add a partner's email and that's three welcome discounts from one household.

If you're seeing your welcome offer redeemed far more often than you have genuinely new customers, this is almost certainly what's happening. We've written more about the email trick specifically in how one customer uses multiple emails to get the same discount.

Why "limit one per customer" doesn't actually work

Shopify's built-in restriction sounds like it should solve the problem. The setting is right there in the discount configuration. But it has three gaps that make it ineffective for welcome offers:

It only checks the email field. If the email is different, the customer is different. No normalization, no alias detection, no cross-referencing against order history beyond the exact string match on the email.

It doesn't apply to guest checkout. There is no "customer" to limit at guest checkout. The order processes with whatever email the buyer typed in. If you require accounts to shop on your store, you'll reduce abuse, but you'll also tank your conversion rate. Most Shopify stores see a 10-20% drop in conversions when they force account creation.

It's discount-level, not product-level. If you're protecting a new-customer-only product (a trial kit, a starter box, an intro-priced bundle), Shopify's discount limit won't help. The product itself has no purchase restriction. A returning customer can buy it again at full price, or with your next promotional code, or just because they want another one.

We broke this down in more detail in why Shopify's limit one per customer fails at guest checkout.

What the numbers actually look like

Say you sell a $50 product with a 20% welcome discount. Each abuse instance costs you $10 in margin.

If 8% of your welcome offer redemptions are repeat buyers (a conservative estimate for stores with popular products), and you process 500 welcome offer orders per month, that's 40 fraudulent uses. At $10 each, you're losing $400/month on a single discount code.

Stores with higher-value welcome offers or free product trials lose significantly more. A $30 free sample box that gets abused 40 times costs $1,200/month in product and shipping alone.

The problem compounds over time. Deal-hunting communities share notes. Once someone figures out your welcome offer is easy to reuse, they tell others. The abuse rate doesn't stay at 8%.

What actually stops welcome offer reuse

The only way to reliably enforce "one per customer" is to stop relying on email as the sole identifier. You need to match across multiple signals so that even when the email changes, you can still recognize the person.

Here's what a working system checks:

Email normalization. Strip Gmail dots, remove plus aliases, resolve domain variants like googlemail.com. The hundreds of addresses that one Gmail account can generate all reduce to a single canonical form.

Phone number matching. Most people reuse the same phone number across orders, even when they change everything else. A phone number is harder to fake than an email and most customers enter their real one for shipping notifications.

Address fuzzy matching. "123 Main St Apt 4" and "123 Main Street, Apartment 4" and "123 Main st #4" are the same address. Fuzzy matching catches formatting differences, abbreviation variations, and minor typos that would fool an exact string comparison.

IP validation. If five "new customers" all check out from the same IP address within a week, that's a pattern worth flagging. IP alone isn't conclusive (shared networks exist), but combined with other signals it adds confidence.

Device fingerprinting. Browser characteristics, screen resolution, installed fonts, timezone, and other attributes create a fingerprint that persists even in incognito mode. A customer who clears cookies and switches emails still has the same device fingerprint.

The key is that these signals work together. No single signal is perfect on its own. But when someone matches on 3 out of 5 signals, you can be confident they're a returning buyer, even if the email is completely new.

How this works in practice

OfferGuard runs these checks server-side through Shopify's Checkout Extensions API before the order completes. When a customer tries to purchase a protected product, OfferGuard checks their checkout details against your existing order history across all five signals. If the match confidence is high enough, the checkout is blocked and the customer sees a message explaining the product is limited to new customers.

This happens before payment, not after. You don't need to manually review orders, issue refunds, or chase down repeat buyers. The abuse is prevented at the point of purchase.

It works at guest checkout. It works in incognito browsers. It works when someone uses a completely new email they've never used before. Because identity isn't just an email address.

For a deeper look at the full range of tactics customers use and the specific countermeasures for each, check out our guide on how to prevent discount code abuse on Shopify.

Stop the leak

Your welcome offer should bring in new customers, not subsidize your most loyal bargain hunters. If you've noticed the same names, addresses, or patterns showing up in your welcome discount orders, the problem is real and it's costing you money every month.

OfferGuard's free plan lets you protect one product with full identity matching. Paid plans start at $4.99/mo for stores that need to protect more products.

See pricing and start protecting your welcome offer →