WooCommerce Shipping Address Fraud: What TrustLens Detects and Why It Matters
Store Security · TrustLens
The Address That Changed Three Times This Month
WooCommerce shipping address fraud is quieter than card-testing and less dramatic than chargebacks — but it often points to a deeper problem. TrustLens’s Shipping Address Anomalies module tracks three behavioral signals to surface the patterns. This post explains exactly what it detects, what triggers a score penalty, and what you need to do with that information.
Most WooCommerce fraud discussion centers on chargebacks and stolen cards. Those threats are real and they are loud — a chargeback creates a paper trail, a fee, and a support ticket. Shipping address fraud is quieter. A customer who ships repeatedly to reshipping warehouses, or who hops between dozens of addresses across a short span of orders, rarely triggers an immediate alarm. The pattern only becomes visible when you look across the customer’s full order history.
WooCommerce shipping fraud detection sits in TrustLens’s Shipping Address Anomalies module — one of eight detection modules in the plugin, all included in the free version. It does not block anyone automatically. What it does is produce a score adjustment that reflects the risk level a shipping-address pattern implies, and make that adjustment visible on the customer’s profile so you can decide what to do with it.
This post explains the three signals the module uses, the exact thresholds that trigger penalties, what the configurable velocity window does, and — importantly — what you need to bring yourself in order to act on a shipping anomaly flag responsibly.
Why Shipping Address Patterns Reveal Fraud Risk
A legitimate customer’s shipping address behavior is usually stable. Most shoppers have one home address, perhaps a workplace address for weekday deliveries, and occasionally a gift address for a family member or friend. Over a year of orders, a genuine customer might use two or three distinct shipping addresses. The ratio of addresses to orders stays low.
Certain fraud patterns look completely different. A reshipping mule — someone who receives goods on behalf of a fraud ring and forwards them — might receive dozens of shipments at a single address that has no connection to the billing country. Someone cycling through a first-order welcome discount with new accounts may reuse the same shipping address across multiple customer accounts, which shows up in linked-account detection rather than here — but a single account that genuinely hops between many delivery destinations raises a different concern.
The billing/shipping country mismatch pattern is particularly telling for certain categories. If a customer’s payment method consistently bills to one country but their shipping destinations are routinely in a different country, that is worth noticing — not because international shipping is inherently suspicious, but because the specific combination of billing country, shipping country, and order frequency tells a different story than either signal alone.
None of these patterns are proof. They are behavioral signals that shift the probability of a problem. That is precisely what trust scoring is designed to handle: moving information about probability onto the customer’s profile so you can see it, weigh it alongside everything else you know, and make a judgment call.
The Three Signals the Module Tracks in the Free Version
TrustLens’s Shipping Address Anomalies module is confirmed as a free-tier feature — the module code sets $is_pro = false explicitly. It calculates three independent signals and combines them into a single module-level score adjustment. There is also a fourth signal available in Pro (covered below), but the three free signals cover the core patterns.
Each signal is calculated separately. They can stack — a customer who trips two or three thresholds receives the combined penalty from all of them, up to a module-level ceiling of -50 points.
Minimum orders threshold applies here too
Like the other behavioral modules in TrustLens, the Shipping Address Anomalies module will not score a customer who has fewer than the configured minimum orders (default: 3). A customer below the threshold accumulates address data silently but receives no penalty from this module until enough signals exist for meaningful analysis. This prevents noisy false positives from new customers with only one or two orders.
Signal 1: Address Diversity Ratio (Address Hopping)
The address diversity signal compares the number of distinct shipping addresses a customer has used to their total order count. The ratio tells you roughly what proportion of orders went to a unique destination.
A customer with 20 orders and 4 distinct shipping addresses has a diversity ratio of 0.20. That is typical — home address, one gift, one workplace delivery, perhaps a holiday address. A customer with 20 orders and 17 distinct shipping addresses has a ratio of 0.85. That is unusual, and the module flags it accordingly.
| Address diversity ratio | Score adjustment | Label shown on profile |
|---|---|---|
| Above 80% (unique addresses > 80% of orders) | −15 points | Very high address diversity: N unique shipping addresses |
| 51–80% | −10 points | High address diversity: N unique shipping addresses |
| 31–50% | −5 points | Elevated address diversity: N unique shipping addresses |
| 30% or below | No penalty | — |
The “distinct shipping address” count uses the hashed fingerprint from TrustLens’s linked-account detection table. Each unique normalized shipping address — lowercased, punctuation stripped, common abbreviations expanded — produces a distinct hash. Two entries for “123 Main Street” and “123 main st” produce the same hash and count as one address. This normalization matters: a customer who writes their address slightly differently on different orders is not inflated to look like they are hopping.
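The normalization step described above can be sketched as follows. This is an added example, not TrustLens source code: the abbreviation table, the choice of address fields, and the use of HMAC-SHA256 with a site secret for the address hash are assumptions made for illustration.

```php
<?php
// Added illustration; not TrustLens source code.
// Assumptions: the abbreviation table, the field list, and HMAC-SHA256 keyed
// with a site secret. Requires the mbstring extension.

const STREET_ABBREVIATIONS = [
    'st' => 'street', 'rd' => 'road', 'ave' => 'avenue', 'blvd' => 'boulevard',
    'dr' => 'drive', 'ln' => 'lane', 'apt' => 'apartment', 'ste' => 'suite',
];

function normalize_address_part(string $value, bool $expand): string
{
    $value = mb_strtolower(trim($value), 'UTF-8');
    // Replace anything that is not a letter, digit or whitespace with a space.
    $value = preg_replace('/[^\p{L}\p{N}\s]+/u', ' ', $value) ?? '';
    $tokens = preg_split('/\s+/u', $value, -1, PREG_SPLIT_NO_EMPTY) ?: [];
    if ($expand) {
        // Expand abbreviations in street lines only, so "St Louis" in a city
        // field is not rewritten to "street louis".
        $tokens = array_map(fn($t) => STREET_ABBREVIATIONS[$t] ?? $t, $tokens);
    }
    return implode(' ', $tokens);
}

function address_fingerprint(array $address, string $secret): string
{
    // field name => whether abbreviations are expanded in that field
    $fields = ['address_1' => true, 'address_2' => true,
               'city' => false, 'postcode' => false, 'country' => false];
    $parts = [];
    foreach ($fields as $field => $expand) {
        $parts[] = normalize_address_part($address[$field] ?? '', $expand);
    }
    // A separator byte keeps field boundaries unambiguous before hashing.
    // The keyed hash means a leaked table cannot be matched against a list
    // of known addresses without the secret.
    return hash_hmac('sha256', implode("\x1f", $parts), $secret);
}

// Constructed sample data.
$secret = 'constructed-demo-secret';
$base = ['city' => 'Springfield', 'postcode' => '62701', 'country' => 'US'];
$a = address_fingerprint(['address_1' => '123 Main Street'] + $base, $secret);
$b = address_fingerprint(['address_1' => '123 main st.'] + $base, $secret);
$c = address_fingerprint(['address_1' => '125 Main St'] + $base, $secret);

// Same destination written two ways, then a genuinely different address.
var_dump(hash_equals($a, $b));
var_dump(hash_equals($a, $c));
```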
Signal 2: Billing/Shipping Country Mismatch
The country mismatch signal looks at whether a customer’s shipping destinations and billing country are consistent with each other. It works by comparing the set of countries appearing in shipping-address fingerprints against the set of countries in billing-address fingerprints. When a shipping country appears that is not among the billing countries, that order contributes to a mismatch count.
A single mismatch produces a small penalty. Consistent mismatch across multiple orders produces a larger one. The free version distinguishes between one-off and repeated mismatches:
| Pattern | Score adjustment | Label shown on profile |
|---|---|---|
| Billing/shipping country mismatch across 2 or more orders | −10 points | Billing/shipping country mismatch across N orders |
| Single mismatch detected | −3 points | Billing/shipping country mismatch detected |
| No mismatch | No penalty | — |
The Pro version adds enhanced severity detection. When a customer ships to three or more different countries while billing from a single country, Pro labels this as a reshipping pattern and applies a −15-point penalty. When two shipping countries are combined with a single billing country, Pro applies −10. These enhanced checks only run when Pro is active; the free version applies the flat penalties above regardless of the number of countries involved.
Country mismatch needs context before you act on it
International customers who live in one country and regularly send gifts to family in another are a common legitimate case for country mismatch. The same pattern a reshipping operation produces — billing in country A, shipping consistently to country B — can appear in perfectly ordinary cross-border shopping behavior. Check what the customer is buying and whether the destination country pattern is consistent before drawing a conclusion. The signal is meaningful when it appears alongside other risk indicators; on its own, it is a prompt to look, not to act.
Signal 3: Address Change Velocity
The velocity signal asks a different question to the diversity ratio: not how many unique addresses a customer has across their entire history, but how many new addresses they have introduced in a recent window of time. A customer who has genuinely moved, or who has a natural reason to use different delivery addresses frequently, will accumulate those addresses gradually. A customer who suddenly begins shipping to multiple different addresses in a short period — without a similar pattern in their prior history — looks different.
The velocity window is configurable from 7 to 90 days in TrustLens Settings. The default is 30 days. The module counts distinct new shipping-address hashes whose first_seen timestamp falls within the window:
| New addresses in the velocity window | Score adjustment | Label shown on profile |
|---|---|---|
| 5 or more new addresses | −10 points | N new shipping addresses in D days |
| 3 or 4 new addresses | −5 points | N new shipping addresses in D days |
| Fewer than 3 new addresses | No penalty | — |
The label shown on the customer profile includes both the address count and the configured window length — so it reads something like “5 new shipping addresses in 30 days” — which means the flag makes sense even if you look at it weeks after it was calculated.
What Pro Adds: The Diversity Trend Signal
The Pro version adds a fourth signal: address diversity trend. Instead of looking at raw counts, this signal compares a customer’s recent address diversity rate to their historical average. A customer who has always used different addresses frequently — because they genuinely ship to many locations — will not score worse during a period when they continue to do the same. The signal is specifically designed to catch a behavioral shift: a customer whose pattern was stable for a long time and who has recently started introducing addresses at a markedly higher rate than their own prior average.
The trend signal requires meaningful history to calculate — at least two distinct lifetime addresses and at least five orders — and it uses a fixed 30-day comparison window (separate from the configurable velocity window on the free signals). If recent address introductions are at least double the customer’s lifetime average rate, the signal applies a -5 penalty. If they are three times or more, the penalty is -10.
This is the kind of signal that is most useful for longer-tenured customers at higher order volumes. For newer customers or stores with relatively low order counts per customer, the three free signals cover the meaningful patterns adequately.
How the Penalties Combine — and the Module Cap
The four signals (three free, one Pro) calculate independently and their scores are summed. A customer with a very high diversity ratio (-15), a consistent country mismatch (-10), and five new addresses in the velocity window (-10) would receive a combined module penalty of -35 points.
The module enforces a ceiling of -50 points total, regardless of how many signals fire or how severe they individually score. A customer cannot lose more than 50 points from shipping anomalies alone.
That combined penalty then feeds into the overall trust score alongside all the other active modules — return abuse, order patterns, coupon abuse, category-aware scoring, linked accounts, chargebacks, and card-testing exposure. A customer with a -35 shipping anomaly penalty and a clean record everywhere else will still sit in a higher segment than a customer who combines shipping anomalies with a high refund rate and repeated coupon abuse.
This is why reading a trust score requires looking at the full signal breakdown on the customer profile, not just the total number. The Shipping Address Anomalies section on the profile lists each reason string — “Very high address diversity: 14 unique shipping addresses; 5 new shipping addresses in 30 days” — so you can see exactly which thresholds the customer crossed and what the individual contribution was.
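To make the stacking concrete, here is a model of the three free signals, the minimum-orders gate, and the module cap, using the thresholds from the tables above. It is an added example, not TrustLens source code: the input shape (one array per order with `ts`, `ship_hash`, `ship_country`, `bill_country`), the derivation of first-seen times from order timestamps, and the handling of ratios that fall between whole percentages are assumptions. The sample history is constructed to cross all three thresholds.

```php
<?php
// Added illustration of the thresholds in this post; not TrustLens source code.
// Assumed input: one array per order with 'ts' (Unix time), 'ship_hash',
// 'ship_country' and 'bill_country'.

function clamp_velocity_window(int $days): int
{
    return max(7, min(90, $days)); // 7 to 90 day range from the settings page
}

function score_shipping_anomalies(array $orders, int $now, int $windowDays = 30, int $minOrders = 3): array
{
    $total = count($orders);
    if ($total < $minOrders) {
        return ['adjustment' => 0, 'reasons' => []]; // below minimum orders: not scored
    }

    $firstSeen = []; // ship_hash => earliest order timestamp (assumed derivation)
    $billing   = []; // set of billing countries seen for this customer
    foreach ($orders as $o) {
        $h = $o['ship_hash'];
        $firstSeen[$h] = min($firstSeen[$h] ?? $o['ts'], $o['ts']);
        $billing[$o['bill_country']] = true;
    }
    $score = 0;
    $reasons = [];

    // Signal 1: address diversity ratio, compared in integers to avoid float edges.
    $unique = count($firstSeen);
    foreach ([[80, -15, 'Very high'], [50, -10, 'High'], [30, -5, 'Elevated']] as [$pct, $penalty, $label]) {
        if (100 * $unique > $pct * $total) {
            $score += $penalty;
            $reasons[] = "$label address diversity: $unique unique shipping addresses";
            break;
        }
    }

    // Signal 2: orders shipped to a country that never appears as a billing country.
    $mismatch = 0;
    foreach ($orders as $o) {
        if (!isset($billing[$o['ship_country']])) {
            $mismatch++;
        }
    }
    if ($mismatch >= 2) {
        $score -= 10;
        $reasons[] = "Billing/shipping country mismatch across $mismatch orders";
    } elseif ($mismatch === 1) {
        $score -= 3;
        $reasons[] = 'Billing/shipping country mismatch detected';
    }

    // Signal 3: addresses first seen inside the velocity window.
    $days   = clamp_velocity_window($windowDays);
    $cutoff = $now - $days * 86400;
    $new    = count(array_filter($firstSeen, fn($ts) => $ts >= $cutoff));
    if ($new >= 3) {
        $score -= ($new >= 5) ? 10 : 5;
        $reasons[] = "$new new shipping addresses in $days days";
    }

    return ['adjustment' => max(-50, $score), 'reasons' => $reasons]; // module ceiling
}

// Constructed history: 20 orders five days apart, 17 distinct addresses,
// the last two orders shipped to a country that is never a billing country.
$now = 1719705600; // fixed reference time so the run is reproducible
$orders = [];
for ($i = 0; $i < 20; $i++) {
    $orders[] = [
        'ts'           => $now - (20 - $i) * 5 * 86400,
        'ship_hash'    => 'h' . max(0, $i - 3), // first four orders share one address
        'ship_country' => $i >= 18 ? 'DE' : 'US',
        'bill_country' => 'US',
    ];
}
$result = score_shipping_anomalies($orders, $now);
printf("%d points: %s\n", $result['adjustment'], implode('; ', $result['reasons']));
```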
Verified against TrustLens version 1.2.5
The signal logic, thresholds, and penalty values described in this post are confirmed against the TrustLens source code at includes/modules/class-module-shipping-anomalies.php. The module is free tier ($is_pro = false). The velocity window range (7–90 days, default 30) is confirmed in the settings HTML (min="7" max="90") and the sanitize callback (max(7, min(90, $value))). The Pro trend signal logic is in the same file under calculate_diversity_trend(), gated by $this->is_pro_active().
The Velocity Window Setting: 7–90 Days
The address change velocity signal is the only part of this module that you can tune directly. The setting — found at TrustLens → Settings → Modules → Shipping Address Anomalies → Velocity window — controls the number of days TrustLens looks back when counting new addresses. Valid values are 7 to 90 days; the default is 30.
Changing this setting affects how sensitive the velocity signal is to bursts of new-address activity. A 7-day window flags customers who introduce three or more new addresses in a single week — a tighter bar that catches fast-moving patterns but may also flag customers who are genuinely moving or traveling. A 90-day window is much more forgiving about short bursts but catches customers who sustain an elevated new-address rate over three months.
Most stores should leave the default in place until they have looked at the customer profiles the signal is flagging and have a sense of whether the current window is producing meaningful alerts or noisy ones. The right window depends on your order frequency and your customer base. A store with very high-volume customers who order weekly may find a 30-day window catches things that are genuinely innocent — they simply order a lot and gift a lot. A store with lower-volume customers where 3 new addresses in 30 days is genuinely unusual will find the default works well.
This velocity system is separate from the other two in TrustLens
TrustLens has three independent velocity systems that measure completely different things. The shipping anomalies velocity (configurable 7–90 days, email-keyed, counts distinct new addresses) is separate from the Card-Testing Defense velocity (60-second and 10-minute rolling windows, device-fingerprint-keyed, counts gateway declines) and from the Payment Method Controls velocity (hours-keyed, email-keyed, counts completed orders). Each system targets a different threat model. Adjusting the shipping anomaly velocity window has no effect on card-testing defense thresholds, and vice versa.
What the Module Cannot Tell You on Its Own
Shipping address signals are behavioral indicators. They tell you something about patterns — not about intent. The gap between “this pattern is statistically unusual” and “this customer is committing fraud” is where your judgment is irreplaceable.
Several entirely legitimate scenarios produce high shipping anomaly scores. A small business owner who buys stock for different branch locations uses many shipping addresses. A frequent gift-giver with a large extended family ships to different addresses most months. A customer who has moved multiple times in a year of ordering from you creates a genuine address-change velocity spike. None of these are fraud, and the scoring engine has no way to distinguish them from reshipping or multi-account abuse without more context.
This is also why the module’s score contribution matters in combination with other signals. A customer with a high diversity ratio and a high refund rate and linked accounts is a very different picture from a customer with a high diversity ratio and a four-year purchase history and perfect completion rate. The total trust score and the full signal breakdown together give you the picture — neither alone is sufficient for a confident judgment.
For a broader view of how the eight detection modules combine into a single customer-level decision, the post on reading a TrustLens customer profile walks through the full signal breakdown view and explains what to look for when a score needs investigation.
Acting on a Shipping Anomaly Flag
TrustLens Free surfaces the shipping anomaly signal, adjusts the trust score, and makes both visible on the customer profile. What it does not do is block the customer automatically. That is a deliberate design choice — the same one that applies across all eight modules in the free version. You review, you decide.
For most shipping anomaly flags, the right first step is simply to look at the customer profile in full. Open the order timeline. See what they actually bought and where it went. Check whether the address pattern makes sense given what you sell — a clothing store might see address variety that a software store never would. Check whether any linked accounts share the flagged addresses, which would indicate a different pattern than a single account’s genuine diversity.
If the profile review gives you confidence the pattern is legitimate — a loyal customer with documented purchase history and a good reason for varied shipping — the right action is to add them to the allowlist. That locks their score at 100 permanently and prevents any future signal from affecting them, regardless of how their address behavior develops. It’s the appropriate tool for customers whose risk signals are clearly explained by their legitimate behavior.
If the profile raises genuine concerns — high diversity ratio combined with country mismatches, new customer with no order history and multiple addresses in the first 30 days, linked accounts with known problem customers at the same shipping addresses — the right action is to review the specific orders involved before deciding whether to block or simply watch. A manual block from the customer profile page or customer list puts them on the checkout blocker list. Nothing happens automatically in the free version.
Pro stores can configure Automation Rules to respond to the shipping_anomaly trigger. When the module detects an anomaly on an order completion, it fires a trustlens/shipping_anomaly action that automation rules can listen for. A rule might hold the order for review, send an email alert, or apply a tag to the customer for follow-up — without auto-blocking, which remains a deliberate configuration choice rather than a default action. The guide on how TrustLens Automation Rules work covers the trigger and condition model in detail.
Key Takeaways
- TrustLens’s Shipping Address Anomalies module is included in the free version with no trial limits. It tracks three behavioral signals: address diversity ratio, billing/shipping country mismatch, and address change velocity.
- Address diversity penalizes customers whose unique shipping-address count is a high proportion of their total order count — thresholds at 30%, 50%, and 80%.
- Country mismatch penalizes orders shipped to countries not in the customer’s billing-country history. Consistent mismatch across two or more orders triggers a larger penalty than a single occurrence.
- Address change velocity penalizes customers who introduce 3 or more new distinct shipping addresses within the configurable window (7–90 days, default 30). Three new addresses trigger a small penalty; five or more trigger a larger one.
- The three free signals can stack, up to a module ceiling of -50 points. Pro adds a fourth signal: diversity trend, which compares recent address introduction rate to the customer’s lifetime average.
- The velocity window is the only configurable parameter in this module. Adjust it only after reviewing which customers the current setting is flagging — the right window depends on your order frequency and customer profile.
- The module never auto-blocks. Free version: score and profile visibility only, you decide the action. Pro: the shipping_anomaly trigger enables automation rules to hold, alert, or tag — configurable, not automatic.
- Legitimate scenarios (gift-givers, multi-location business buyers, customers who have moved) can produce high shipping anomaly scores. Always read the full profile and order timeline before acting on a flag.
Frequently Asked Questions
Does TrustLens automatically block customers who trip the shipping anomaly thresholds?
No. TrustLens Free never auto-blocks any customer based on trust score, segment, or module signals — including shipping anomalies. When the module detects a pattern that crosses a threshold, it applies a score penalty and logs the signal to the customer’s profile. What you do with that information is your decision. The free version’s checkout blocker only enforces customers you have explicitly marked as blocked. Pro can be configured to respond to the shipping_anomaly trigger via Automation Rules, but even then the specific action — hold, email, tag, block — is something you define deliberately, not a default behavior.
What is the configurable velocity window and what does changing it actually do?
The velocity window (TrustLens → Settings → Modules, under Shipping Address Anomalies) controls how far back the address change velocity signal looks when counting new distinct shipping addresses. It ranges from 7 to 90 days and defaults to 30. A shorter window catches fast bursts of new addresses but is more sensitive to normal short-term variation. A longer window smooths out short-term spikes and catches sustained elevated rates. The velocity window applies only to the address change velocity signal — it does not affect the address diversity ratio or the country mismatch signal, both of which use lifetime history. It is also entirely separate from the card-testing defense velocity windows (which measure gateway declines per device fingerprint in 60-second and 10-minute rolling windows).
How is address hopping different from linked-account detection in TrustLens?
They detect complementary but different patterns. Address hopping (the diversity ratio signal in Shipping Address Anomalies) flags a single customer account that has used many distinct shipping addresses across their own order history. Linked-account detection flags multiple separate customer accounts that share the same shipping address, billing address, or other fingerprint signals. A fraud ring that creates ten accounts to farm your welcome discount and all ships to the same warehouse address would trigger linked-account detection across those ten accounts — not address hopping on any individual account. A single account that ships to 15 different addresses over 20 orders triggers address hopping, but may not show any linked-account signal at all. Both signals are free-tier features and both feed into the overall trust score independently.
What is a reshipping fraud pattern and how does TrustLens handle it?
Reshipping fraud involves a customer who receives goods at their address and then forwards them to a fraud operator elsewhere — often internationally. The recruited “reshipping mule” may not know they are participating in fraud; they are sometimes targeted through fake work-from-home job postings. The shipping anomaly signals that are most relevant here are country mismatch and, in the Pro version, the enhanced reshipping pattern detection (three or more distinct shipping countries against a single billing country). The free version will flag consistent country mismatches and may flag address diversity if the customer is shipping to different reshipping addresses over time, but the dedicated reshipping pattern label requires Pro. Neither version can tell you with certainty that reshipping is occurring — they can surface the pattern for investigation.
Can a legitimate customer have a high shipping anomaly score?
Yes, easily. The signals measure behavioral patterns statistically — they do not have access to the reasons behind the pattern. A customer who regularly sends gifts to a large extended family across multiple countries will have high address diversity, possible country mismatch, and potentially high velocity during gift-giving seasons. A small business buyer who ships to different branch locations will accumulate many unique addresses quickly. A customer who has moved homes twice in the past year will show a genuine address-change velocity spike. All of these are legitimate and may score in the elevated or high range. This is why TrustLens puts the information in front of you for review rather than acting on it automatically. If you identify a customer whose high score is explained by legitimate behavior, add them to the allowlist to prevent future false signals from affecting them.
Does the shipping anomaly module work for guest checkouts?
Yes. TrustLens identifies all customers — registered and guest — by a keyed HMAC-SHA256 hash of their billing email address. Guest checkout orders produce address fingerprints in the same way registered orders do. If a guest customer later creates a registered account with the same email, their full address history carries over automatically. So a guest who has placed several orders at different shipping addresses before registering will have those historical signals applied to their newly registered profile as soon as the account is recognized by email hash match.
When should I adjust the velocity window from the 30-day default?
Consider shortening the window (toward 7 days) if your store has high-frequency buyers who order multiple times per week — for them, 30 days covers enough orders that 3 new addresses in the window is not unusual. A shorter window tightens the focus to genuinely rapid bursts. Consider lengthening the window (toward 90 days) if your customers tend to order infrequently — monthly or quarterly — and you want to catch sustained patterns rather than one-off spikes. In practice, the best approach is to leave the default in place, run the Historical Sync, review the profiles that get flagged by velocity, and then decide whether the flags look meaningful or noisy before adjusting. The 30-day default is designed to work reasonably well across typical WooCommerce order frequencies.
See what your address patterns look like
TrustLens’s Shipping Address Anomalies module — along with all seven other detection modules and the full trust scoring engine — is included in the free version. Install, run the Historical Sync, and find out what your customer risk picture actually looks like before making any enforcement decisions.