Shipping Anomalies
4 min read
The Shipping Address Anomalies module detects fraud patterns that show up in where orders ship rather than what customers buy. It catches address hopping (rapid changes between shipping destinations), billing/shipping country mismatches (a known high-risk-corridor signal), and address-change velocity that doesn’t match legitimate customer behavior.
Module ID: shipping_anomalies. Default: enabled. Free tier (complete detection; Pro adds diversity-trend analysis and enhanced country-mismatch severity).
What It Observes #
Every completed checkout, the module:
- Records the shipping address (hashed) and the timestamp
- Records the billing country and shipping country
- Compares against the customer’s previous addresses to detect changes
- Computes address velocity — number of distinct addresses in a configurable lookback window (default 30 days)
- Flags country mismatches and high-risk corridors
- Updates aggregate stats on the customer record
- Queues a score recalculation if any anomaly is detected
Address hashes use the same keyed HMAC-SHA256 approach as the Linked Accounts module — raw addresses are never stored alongside the anomaly data. The hash is built from address line 1 + city + postcode, lowercased and whitespace-stripped.
What It Signals #
Address Hopping #
| Trigger | Score | Reason Shown on Profile |
|---|---|---|
| 3+ distinct shipping addresses in 30-day window | -10 | “Address hopping (4 addresses in 30 days)” |
| 5+ distinct addresses in 30-day window | -15 | “Severe address hopping (6 addresses in 30 days)” |
Country Mismatch #
| Trigger | Score | Reason Shown on Profile |
|---|---|---|
| Billing/shipping country differ | -5 | “Country mismatch (US billing → DE shipping)” |
| High-risk corridor (Pro) | -15 | “High-risk country corridor” |
The Pro tier adds a curated list of high-risk corridors known to correlate with carding and reshipping fraud. The Free tier emits the basic mismatch signal without distinguishing severity.
Address Change Velocity #
| Trigger | Score | Reason Shown on Profile |
|---|---|---|
| Sustained ≥ 1 address change per week over the window | -10 | “Rapid address changes” |
Diversity Trend (Pro) #
Pro adds a signal for diversifying address patterns — a customer whose addresses are spreading across an unusually wide geographic area over time, which can indicate reseller or drop-ship-fraud activity.
The Velocity Window #
The default lookback window for velocity signals is 30 days. Configurable from 7 to 90 days in Settings → Modules → Shipping Anomalies.
| Window Size | When to Use |
|---|---|
| 7 days | Tight — catches very recent bursts; good for stores with stable customer addresses |
| 30 days (default) | Balanced — catches typical hopping patterns without over-flagging customers with monthly relocations |
| 60–90 days | Loose — only catches sustained long-term hopping; good for stores with naturally diverse address patterns (gift-heavy stores, B2B) |
Settings #
| Setting | Default | Description |
|---|---|---|
| Velocity window | 30 days | Lookback window for hopping and change-velocity signals (7–90 days) |
| Address hopping threshold | 3 addresses | Number of distinct addresses in window before signal fires |
| Module enabled | On | Master toggle |
Common Patterns #
The Reshipping-Fraud Customer #
Signature: Different shipping address on every order, often in a different country from the billing address. Card sometimes shows up later in disputes.
Detection: Address hopping (-10 to -15) + country mismatch (-5 to -15). Often paired with Chargebacks signals.
Profile: Risk or Critical depending on history.
The Drop-Shipper / Reseller #
Signature: Many orders, many different shipping addresses (the resellers customers), same billing card and address.
Detection: Address hopping fires hard. No country mismatch usually.
Profile: Caution or Risk. Often legitimate (drop-shipping business) — allowlist if confirmed, since the pattern is operational rather than abusive.
The Carding / Stolen-Card User #
Signature: One order, country mismatch, sometimes high-risk corridor. The first dispute lands within 30–60 days.
Detection: Country mismatch -5 (or -15 in Pro with high-risk corridor). May be the first signal before any dispute is filed.
Profile: Caution if Free, Risk if Pro corridor signal fires. Combined with Card-Testing module signals if the card was tested first.
The Gift-Sender #
Signature: Multiple shipping addresses (gifts to friends/family) but consistent billing address. Holiday-season spikes.
Detection: Address hopping fires. Country mismatch may or may not.
Profile: Likely false positive. Allowlist for known gift-buyers, or widen the velocity window to reduce sensitivity.
False-Positive Watch List #
- Gift purchases. Especially around holidays. A customer buying 8 gifts at once with 8 different shipping addresses looks like address hopping but is normal seasonal behavior.
- Drop-shippers and resellers. Legitimate businesses ship to many addresses. Allowlist confirmed business customers.
- Travelers / digital nomads. Customers who order during travel can show country mismatches and rapid address changes.
- Multi-property owners. Customers with a primary residence and a vacation home will rotate addresses without abuse.
- Office-and-home orders. Many customers order both to home (for deliveries when working from home) and to office (for in-office days). Two addresses isn’t hopping.
Disabling the Module #
Reasonable to disable for stores that:
- Ship to a single country only and rarely see country mismatches
- Have many gift-buying customers and find the address-hopping signal noisier than helpful
- Are pure-digital (no physical shipping)
When disabled, no shipping anomaly signals fire and no shipping address events are recorded.
Reading the Shipping Anomalies Section of a Profile #
- Signal breakdown shows 0–3 shipping signals depending on what’s triggered
- Address history panel shows distinct shipping addresses with first-seen and last-seen timestamps
- Event timeline shows
shipping_anomalyevents with the specific anomaly type
The address history panel is the easiest way to understand the customer’s pattern at a glance. Three addresses spread across two years looks fine; three addresses in three weeks doesn’t.
Privacy Considerations #
Like Linked Accounts, the Shipping Anomalies module uses keyed HMAC-SHA256 hashes for addresses. Raw address text is never persisted by the module. Country names are stored in cleartext (they’re not personally identifying on their own).
Customer-initiated GDPR export requests include the customer’s address-history hashes and country list. Erasure requests wipe both.
Pro Enhancements #
Pro extends Shipping Anomalies in two ways:
Enhanced Country-Mismatch Severity #
A curated list of high-risk corridors (specific origin/destination country pairs known to correlate with fraud — based on industry data on carding and reshipping patterns). When a customer’s billing/shipping pair matches a corridor on the list, the signal fires at -15 instead of -5.
Diversity-Trend Detection #
An additional signal that fires when a customer’s address distribution is widening over time — specifically, when the customer’s order history shows progressive spread across new geographic regions. This catches resellers and drop-ship-fraud-rings whose individual orders look fine in isolation but show a building pattern of geographic diversification.
Both Pro enhancements complement, rather than replace, the Free signals.
