Why Shopify's 'Limit One Per Customer' Isn't Enough
The promise vs. the reality
When Shopify added the "limit to one use per customer" option for discount codes, merchants celebrated. Finally, a way to ensure new-customer promotions reached only new customers. But in practice, this feature has a critical blind spot that undermines its entire purpose.
The setting works by associating a discount redemption with a customer account. The next time that same account tries to use the code, Shopify blocks it. Sounds reasonable, right? The problem is that "customer account" is not the same thing as "customer." And that difference is where all the abuse happens.
How the bypass works
To understand why Shopify's protection fails, you need to understand what it actually checks. When a customer applies a discount code at checkout, Shopify verifies whether that specific customer account has already redeemed the code. If the customer checks out as a guest, Shopify tracks the email address used.
This means the entire system relies on a single identifier: the email address associated with the checkout. Change the email, and you are a "new" customer in Shopify's eyes.
Bypass method 1: new account creation
A customer who has already used your WELCOME15 code with their primary email can simply create a new account with any other email address they control. Their spouse's email, their work email, a free email they created in 30 seconds. They check out with the new account, and Shopify happily applies the discount again.
Bypass method 2: guest checkout
This is the biggest gap. If your store allows guest checkout — and most stores do because disabling it hurts conversion — there is no account to check against at all. The customer just enters a different email address in the checkout form and completes their order. No registration, no verification, nothing.
Bypass method 3: email aliasing
This is the most common technique because it requires zero effort. Gmail and many other providers support aliasing, where variations of the same email address all deliver to one inbox.
A single person can use:
- [email protected] (original)
- [email protected] (dot trick)
- [email protected] (plus alias)
- [email protected] (another alias)
- [email protected] (alternate domain)
All five addresses reach the same person's inbox, but Shopify treats each one as a unique customer. That is five discount redemptions from one person, all appearing legitimate in your Shopify admin.
The real-world impact
According to Signifyd's 2025 report, 53% of merchants report increasing promo abuse. Industry estimates put 5-10% of first-time buyer discounts as fraudulent. Let's put numbers to this.
Consider a Shopify store running a "20% off your first order" promotion.
Average order value: $80. Discount: 20% ($16 per order). Monthly new customer orders with discount: 200.
If even 10% of those "new customer" orders are actually repeat buyers abusing the system, that is 20 fraudulent discount uses per month. At $16 each, you are giving away $320 per month — $3,840 per year — to customers who were going to buy from you anyway at full price.
For stores with higher average order values or more aggressive discounts, the numbers scale quickly. A store with a $200 AOV and a 25% new customer discount could lose over $12,000 annually to this single exploit.
What would actually fix this
For discount protection to truly work, it needs to go beyond email and check multiple identity signals:
- Normalize email addresses before comparison, collapsing aliases and dot variations into a single canonical form
- Cross-reference phone numbers — people rarely change their phone
- Fuzzy match shipping addresses — "123 Main St" and "123 Main Street Apt 4B" are the same place
- Track IP addresses — same WiFi, different "customer"
- Fingerprint devices — same browser, same hardware, no matter what email they use
And critically, this detection needs to happen at checkout, before the order is placed — not after you have already given away the discount.
Pre-checkout vs. post-order
This is where the approach matters. Some tools (like CustomerGenius) identify abuse after the order. They tag orders, they flag customers, they give you data. But the discount has already been given. You are doing cleanup, not prevention.
Pre-checkout blocking stops the discount from being applied in the first place. The customer sees a polite message — "This offer is limited to first-time customers. You can still complete your purchase at the regular price." No accusation of fraud. No awkward interaction. Just the rule being enforced as you intended.
Why you need more than one signal
No single detection method catches everything. Email normalization stops Gmail tricks but not completely different email addresses. Phone matching works unless the person uses a different phone number. Address matching fails if they ship to a different location.
The strength of multi-signal detection comes from combining signals. When a checkout shares two or more identity signals with a previous order — say, the same normalized phone number and a fuzzy address match — the confidence level is high enough to block without worrying about false positives.
OfferGuard's 5-signal detection chain works on this principle. Each signal adds a layer of certainty, and you control the threshold for how many matching signals trigger a block. Most merchants find that requiring a match on any 2 of the 5 signals provides strong protection with virtually zero false positives.
The Watchdog plan (free) gives you email detection to see how much abuse you have. Sentinel ($29/month) enables all five signals for comprehensive protection.
Beyond blocking: post-purchase intelligence
Detection at checkout is the first line of defense, but post-purchase automation adds valuable operational intelligence. When an order passes through that matches a previous buyer on some signals but not enough to trigger a block, you want to know about it.
Automated tagging lets you flag these orders for review. Risk scoring gives your team context. Fulfillment holds give you time to investigate before shipping. And over time, this data builds a clear picture of abuse patterns in your store that helps you refine your protection thresholds.
Making the switch
If you are currently relying solely on Shopify's "limit one per customer" setting, here is a pragmatic path forward:
- Audit your current exposure. Look at your last 90 days of discounted orders and check for patterns: multiple orders to the same phone number, same address, or suspiciously similar email addresses.
- Start with email normalization. This catches the most common abuse vector with zero false positives. There is no legitimate reason for the same person to claim a new-customer discount twice.
- Add phone and address detection. These catch the next tier of abusers who use genuinely different email addresses but the same contact and shipping information.
- Enable IP and device fingerprinting. For comprehensive protection, these layers catch even determined abusers who change all their contact details.
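As an added example, not OfferGuard's or Shopify's code, here is a minimal Python version of the "any 2 of the 5 signals" rule described under "Why you need more than one signal" and of the audit and normalization steps above. The helper names, the street-word table and the sample orders are constructed for illustration; the code assumes Gmail's dot-insensitivity and plus-alias behaviour and that the storefront already supplies an IP address and a device fingerprint string with each checkout.

```python
import re
from itertools import combinations

# Hypothetical helper names and constructed sample data; not OfferGuard's or Shopify's code.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
STREET_WORDS = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt", "suite": "ste"}

def normalize_email(email):
    # Drop "+tag" aliases; for Gmail also ignore dots and fold googlemail.com into gmail.com.
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"

def normalize_phone(phone):
    # Digits only, minus a leading US country code: "+1 (555) 010-0199" -> "5550100199".
    digits = re.sub(r"\D", "", phone)
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits

def normalize_address(addr):
    # Lowercase, abbreviate street words, strip punctuation and cut at the unit designator.
    words = [STREET_WORDS.get(w, w) for w in re.sub(r"[^\w\s]", " ", addr.lower()).split()]
    unit = next((i for i, w in enumerate(words) if w in ("apt", "ste", "unit")), len(words))
    return " ".join(words[:unit])

SIGNALS = {  # the five identity signals; ip and device are assumed to be captured by the storefront
    "email": lambda o: normalize_email(o["email"]),
    "phone": lambda o: normalize_phone(o["phone"]),
    "address": lambda o: normalize_address(o["address"]),
    "ip": lambda o: o["ip"],
    "device": lambda o: o["device"],
}

def matching_signals(a, b):
    return {name for name, extract in SIGNALS.items() if extract(a) == extract(b)}

def should_block(checkout, history, threshold=2):
    # Pre-checkout rule: refuse the discount if any prior order shares at least `threshold` signals.
    return any(len(matching_signals(checkout, prior)) >= threshold for prior in history)

def audit(orders, threshold=2):
    # Audit step: pairs of past discounted orders that look like one buyer under the same rule.
    return [(a["id"], b["id"]) for a, b in combinations(orders, 2)
            if len(matching_signals(a, b)) >= threshold]

HISTORY = [{"id": 1001, "email": "jane.doe@gmail.com", "phone": "+1 (555) 010-0199",  # constructed
            "address": "123 Main Street Apt 4B", "ip": "203.0.113.7", "device": "fp-a1"}]
NEW_CHECKOUT = {"id": 2001, "email": "janedoe+shop@googlemail.com", "phone": "5550100199",
                "address": "123 Main St", "ip": "203.0.113.7", "device": "fp-c3"}
```

Here `should_block(NEW_CHECKOUT, HISTORY)` is true because the new checkout matches the earlier order on four of the five signals despite a different email string and device; raising `threshold` trades fewer false positives for more misses.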
None of this should feel adversarial to your customers. You just want your new-customer promotions to actually reach new customers, and your marketing budget to work the way you planned.