Store Security

Running WooCommerce Promotions Without Fraud Blind Spots

Running WooCommerce Promotions Without Fraud Blind Spots

Series Finale · Store Security

The Campaign That Earned Its Keep

Running a WooCommerce promotion and watching what it attracts are two separate activities. Most stores do only the first. This guide covers what it looks like to do both — before you launch, while the campaign runs, and after it ends.

Every discount campaign you run creates a risk surface the moment it activates. Not a hypothetical risk — a concrete one. The discount lowers the cost of buying from your store, and that lower cost attracts both the customers you want and the customers you would rather not serve. The two are not easy to tell apart at checkout. They often look identical.

Most WooCommerce stores manage the campaign side — the discount configuration, the schedule, the delivery method — with reasonable care. Fewer stores actively monitor the customer side during and after a campaign: who redeemed, what their patterns look like, and what the promotion actually cost once you factor in returns, abuse, and disputes.

This post is about the operational rhythm of managing both sides. It is the final post in a five-part series on building a WooCommerce store that handles discounts and fraud as connected problems, not separate ones. The practical workflow here pulls from everything covered in the series — and it works whether or not you own either plugin, because the underlying questions apply universally.


This is the series finale — posts 204 through 209

This five-part series covers the two-plugin stack of Smart Cycle Discounts (discount campaigns) and TrustLens (customer risk). If you’re joining here, the earlier posts give each piece more room than this one can: what TrustLens does and how it scores customers (post 204), the chargeback prevention playbook (post 205), how to read trust score trends over time (post 206), and how automation rules act on risk automatically (post 207). Post 208 covered choosing between bulk discounts and tiered pricing from the campaign side. This post closes the loop: the operational rhythm of running campaigns with the risk layer active.

Two Layers, One Rhythm — and No Shared Code Between Them

Smart Cycle Discounts and TrustLens do not share code or communicate directly. There is no built-in integration, no data handoff, and no automatic connection between a discount campaign activating in one plugin and a risk signal firing in the other. They are independent plugins that operate at different layers of the same store.

Smart Cycle Discounts manages campaigns: what the discount is, which products it applies to, who is eligible, when it starts and ends, and how it is delivered (automatic or requiring a code). TrustLens manages customer profiles: what each shopper’s behavioral history looks like, which signals have accumulated, what the score means, and what actions you have taken.

When you run both, the relationship between them is deliberate — not automated. You use TrustLens to inform decisions about how to configure a campaign in Smart Cycle Discounts. You use TrustLens to monitor what a live campaign is attracting. And you use TrustLens after a campaign ends to evaluate the quality of the customers it brought in. That deliberate connection is what this guide is about.


For the pattern taxonomy, see the earlier guide

The post on how Smart Cycle Discounts and TrustLens address specific discount fraud patterns covers the abuse types (coupon farming, BOGO return loops, account cycling, discount-then-refund patterns) in depth. This guide does not duplicate that material — it focuses on when and how you use each layer across the promotion lifecycle.

Before You Launch: What to Check and How to Configure

The pre-campaign phase is the easiest time to reduce risk. Once a campaign is live, your options narrow — you can pause or modify it, but you cannot undo orders that have already processed. The work you do before launch determines how much cleanup you will need after.

Review your trust score baseline in TrustLens

Before activating a major campaign, open the TrustLens Command Center dashboard and look at your current segment distribution. The six-segment breakdown (VIP, Trusted, Normal, Caution, Risk, Critical) tells you the baseline quality of your current customer base before you open the discount surface.

What you are looking for: an unusually high proportion in Caution, Risk, or Critical before a campaign launch is a warning. It suggests active risk in your store already — risk that your promotion is about to give a cheaper entry point. If 15% of your customers are already in the Risk or Critical segment, a sitewide percentage-off promotion hands them a discount on top of the pattern they have already established.

You are not necessarily canceling the campaign because of this. You are making an informed decision: whether to restrict the campaign to logged-in customers with a better-established profile, tighten the eligibility criteria, or simply proceed with more attentive monitoring during the live period.

Also check your linked-account clusters before launch. A cluster of five accounts sharing the same shipping address, detected before your campaign, is worth addressing now rather than after those accounts have all redeemed your welcome offer.

Choose your delivery method deliberately in Smart Cycle Discounts

Every Smart Cycle Discounts campaign can be set as auto-apply (the discount activates automatically at checkout for eligible customers) or code-required (the customer enters a code to unlock it). This applies to all free discount types — percentage off, fixed amount, and BOGO — as well as the Pro types.

Auto-apply is easier for customers and typically converts better. Code-required narrows the eligible pool to people who have the code. Neither is inherently more secure — a shared code exposed to a coupon aggregator site is no different from auto-apply from a fraud standpoint — but the delivery method affects which risk mitigations are available to you.

If you use a code, your main options are a shared code (all recipients get the same one) or single-use codes (each recipient gets a unique code redeemable exactly once, Pro feature). Single-use codes are the structural answer to code sharing: when a recipient’s code is used, it is exhausted. Sharing it does not multiply the discount. Smart Cycle Discounts Pro can generate up to 50,000 single-use codes per campaign with CSV export, and the URL auto-apply feature (?wsscd_code=YOURCODE) works with single-use codes so you can embed personalized links directly in email sequences.

For campaigns going to a large audience with a shared code, role targeting and location targeting (both free in Smart Cycle Discounts) are worth considering. A campaign restricted to logged-in customers cannot be farmed through guest account cycling. A campaign restricted to a specific user role cannot be accessed by customers outside that segment.

Set usage limits — they matter more than you think

Campaign-level usage limits in Smart Cycle Discounts cap how many times a discount is redeemed across the entire campaign. Per-customer limits cap how many times a single customer can redeem. Both are available in the free version for most discount types.

The common mistake: setting a per-customer limit of 1 and assuming that protects against abuse. WooCommerce’s per-customer enforcement is account-based, not identity-based. Someone with two accounts can redeem twice. The per-customer limit is a useful soft gate, but it is not a substitute for TrustLens’s linked-account detection when someone is systematically farming an offer across multiple accounts.

Set limits that match your actual intent. If the campaign is a seasonal sale for your full catalog, a campaign-level redemption cap forces you to think about budget exposure: at X% off, how many orders at your average order value exhaust your promotional budget? Set that number before launch, not after you see the bill.

If you have TrustLens Pro: prepare an automation rule for the campaign period

TrustLens Automation Rules (Pro) let you build trigger-condition-action rules that fire automatically when specific events happen. Before a major campaign, one rule worth configuring: when the coupon abuse module fires for a customer during the campaign period, send an email alert to the store owner.

This is not about blocking customers automatically — the risk of a false positive is real, and an alert keeps you in the decision loop rather than automating a response that might affect a legitimate buyer. The goal is to surface the pattern at the moment it appears, not to discover it three weeks later when reviewing analytics. The automation rules guide covers the trigger-condition-action model and which responses are appropriate to automate versus keep manual.

If you do not have TrustLens Pro, the alternative is a manual check schedule: commit to reviewing the TrustLens customer list once per day during an active campaign, filtering for new entries in the Caution or Risk segment.

While the Campaign Runs: What to Monitor

A live campaign is not a set-and-forget event. The revenue numbers will look good in the first 24 hours regardless of what is happening on the customer side — because abuse typically takes a few days to accumulate into a visible pattern, and chargebacks take 30–60 days to arrive. The monitoring that matters during a campaign catches the early signals before they become expensive problems.

Watch trust score trends, not just revenue

The TrustLens Command Center shows a Trust Score Trends chart that displays the distribution of customer scores over time. During a promotion, you are watching for a downward shift: the Normal segment shrinking and the Caution or Risk segments growing. When a campaign attracts a higher proportion of bad actors, that shift is visible in the aggregate score distribution before the individual fraud events become obvious.

This is the dashboard-level signal. The post on reading trust score trends in TrustLens explains how to interpret these movements and what a meaningful shift looks like versus normal variation. For a campaign spanning two weeks, checking the trend chart every three to four days gives you enough data to see whether the trajectory is healthy or concerning.

The coupon abuse module during a live promotion

If your campaign uses a coupon code, TrustLens’s coupon abuse detection module runs continuously in the background. It tracks two specific patterns: first-order coupon reuse (a customer who has claimed a first-order coupon before) and the coupon-then-refund pattern (applying a coupon at checkout, then requesting a refund on the same order).

During a live campaign, the useful action is to check the TrustLens customer list sorted by the coupon abuse signal and filter for entries created or triggered during the campaign period. A spike in new entries during a short window is meaningful. Three new coupon abuse flags in two weeks might be noise. Thirty flags in three days suggests something more organized.

Linked-account surges: what they mean

TrustLens creates fingerprints from shipping addresses, billing addresses, phone numbers, payment tokens, and device identifiers (HMAC-SHA256 hashed, no raw personal data stored). When multiple accounts share fingerprints, they are flagged as linked.

During a campaign, a surge in newly detected linked accounts is a warning sign. It means new accounts were created specifically around the campaign period and share identifying characteristics with existing accounts. This is the signature of systematic offer farming — someone creating fresh email addresses to claim a first-order or limited-use discount repeatedly.

The linked-accounts detection in version 1.3.8 was updated to require a stronger shared signal (shared address, phone, or payment method) before flagging, specifically to reduce false positives from shared networks like office Wi-Fi. A detection under this threshold is more meaningful than a low-signal detection from an earlier version. Look for clusters, not isolated flags.

Card-testing defense during high-traffic promotions

Flash sales and sitewide promotions are attractive periods for card-testing attacks. The elevated checkout volume makes high decline rates slightly less conspicuous, and any one bot session may be harder to distinguish from legitimate traffic spikes. TrustLens’s card-testing defense module (free) watches per-device decline rates in a 60-second rolling window. When a device crosses the threshold, it is locked out of checkout for 90 seconds.

During a high-traffic campaign, keep an eye on the Card-Testing Defense panel. If you see the lockout list filling up across many different device fingerprints simultaneously, that is an active attack. The one-click Panic Freeze halts all checkouts for 15 minutes — a blunt instrument, but appropriate if an attack is running faster than your thresholds can catch individual devices. VIP Customer Bypass is on by default, so established customers in good standing are never blocked by velocity rules.

When to pause a campaign

There is no automatic trigger for pausing a Smart Cycle Discounts campaign based on TrustLens data — the two plugins do not communicate. This is a judgment call you make based on what you see. Some signals worth treating as serious enough to pause:

  • The linked-account detection has flagged more than 10% of new customers acquired during the campaign as connected to known-risk accounts
  • The coupon abuse rate has spiked to more than three times your pre-campaign baseline in a short window
  • Chargeback disputes start filing within the first week of the campaign — this is unusually fast and suggests stolen card usage, not friendly fraud
  • The Card-Testing Defense panel shows an active, sustained attack that your thresholds are not containing

Pausing a campaign in Smart Cycle Discounts is immediate: change the campaign status to Paused and the discount deactivates. You can reactivate with adjusted settings when the issue is resolved.

The Risk Profile Changes With Your Discount Type

Different Smart Cycle Discounts discount types create different abuse profiles. The signals to watch in TrustLens shift accordingly. This is not covered in general guidance about fraud prevention because it requires knowing both what a specific discount type does and what behavioral signal it produces in the customer-side data.


Free vs Pro discount types (verified against SCD readme.txt v2.1.6)

Free: percentage off, fixed amount, BOGO. Pro: tiered pricing, spend threshold, bundle deals. Coupon code delivery (including single-use code generation up to 50,000 codes) is Pro. URL auto-apply (?wsscd_code=) is free on shared codes. The table below covers the types most relevant to abuse risk.

Discount TypeTierPrimary Abuse PatternTrustLens Signal to Watch
Percentage off / Fixed amountFreeCode sharing (shared code reaches coupon aggregator sites); account farming for first-order codesCoupon abuse module; linked-account clustering during campaign period
BOGOFreeReturn loop: buy one, receive free item, return only the paid item for a refundReturn abuse module (full-refund pattern); high refund-to-BOGO-order correlation
Tiered pricingProLinked accounts gaming the quantity threshold (multiple accounts each hitting a tier instead of one large order)Linked accounts module; order pattern module (similar quantity orders from connected accounts)
Spend thresholdProCart padding: adding cheap filler items to clear the threshold, then returning filler after the discount is appliedReturn abuse module; orders that barely cleared the threshold with subsequent partial returns
BundleProPartial return after bundle discount is applied (keeping most of the bundle, returning one item that covered the discount’s cost)Return abuse module (partial-return flag); refund-to-discount ratio on bundle orders

None of these abuse patterns is unique to Smart Cycle Discounts. They apply to any WooCommerce promotion using these structures. Knowing which pattern to watch for which discount type is what makes the TrustLens monitoring useful rather than generic.

The BOGO case deserves a direct note. TrustLens does not know that a specific order was a BOGO order — the two plugins do not share data. What TrustLens sees is the downstream effect: a customer with a high full-refund rate on their primary-item orders. That signal accumulates across the campaign period and becomes visible in the return abuse module. It is not real-time BOGO abuse detection; it is behavioral pattern detection that surfaces the same result over a slightly longer window.

If you are running tiered pricing campaigns and you are considering the commercial trade-offs between a flat bulk deal and a graduated structure, the earlier post on choosing between bulk discounts and tiered pricing covers the decision framework in detail. The linked-account gaming risk is one more input into that decision: a tiered structure with multiple thresholds creates more gaming surface than a single-threshold flat deal.

After the Campaign Ends: The 30-Day Review

When a Smart Cycle Discounts campaign expires, the discount deactivates automatically and prices revert. From the campaign side, the work is done. From the customer-risk side, it is just beginning. The 30 days after a promotion ends are when the downstream effects become measurable: return requests, chargeback disputes, and the behavioral signals from customers who bought specifically because of the discount.

Review what the campaign attracted

In TrustLens, pull up the customer list sorted by most recent activity and filter for customers whose first order falls within the campaign period. This is the cohort the promotion acquired. Their current segment distribution tells you what you actually brought in.

A healthy campaign cohort looks roughly like your broader customer base — mostly Normal and Trusted, a small tail of Caution, a rare Risk. A campaign cohort that is significantly heavier in Caution or Risk than your baseline suggests the promotion attracted a disproportionate share of abuse-prone customers. That information should feed back into how you design the next campaign.

Look specifically at new Caution and Risk customers whose scores moved down from Normal during or after the campaign. A customer who joined during a promotion and immediately triggered the return abuse or coupon abuse signal is telling you something clear: they came for the discount, not for your product.

The chargeback watch window

Chargebacks from promotional activity typically arrive 30–60 days after the transaction. The customer disputes the charge with their card issuer, and the dispute lands in your gateway account. Promotions involving high-value orders (spend threshold campaigns that reward large carts) or first-time customers (welcome discounts) carry higher chargeback risk because both patterns are more likely to involve customers who have no prior relationship with your store.

After a major campaign ends, keep the TrustLens Chargeback Ratio Speedometer in view during the 30-day window. The speedometer tracks your blended monthly chargeback ratio against Visa, Mastercard, Amex, and Discover thresholds and flags when you are approaching monitoring enrollment levels. If a campaign produced a meaningful volume of first-time orders, a spike in disputes during this window may be concentrated in that cohort. The chargeback prevention playbook covers how to respond to disputes effectively and what TrustLens’s Dispute Evidence Report (Pro) does for representment cases.

Feeding what you learned back into the next campaign

The most useful thing you can do with post-campaign TrustLens data is annotate your next campaign configuration. This is not a software feature — it is a habit. After reviewing the cohort from a BOGO campaign, if you saw a higher-than-normal full-refund rate from BOGO orders, you know to tighten your refund policy on BOGO orders for the next run, or to add role restrictions so the offer is limited to customers above a certain trust threshold. After a spend-threshold campaign with cart-padding abuse, you know single-use codes (Pro) would have helped, or that a minimum item count alongside the spend threshold might reduce padding behavior.

Smart Cycle Discounts and TrustLens do not close this feedback loop for you. You close it. But the data is there to close it with, if you make the review part of your post-campaign routine.

Making the Margin Math Honest

A 20% off sitewide campaign that generated $12,000 in revenue over a week looks like a straightforward win. The margin calculation starts to shift when you add the missing line items.

Return processing from BOGO orders: if 8% of BOGO redemptions triggered the paid-item return loop, those orders cost you the free item with no net revenue. Discount farming via linked accounts: if 40 of 400 redemptions were from a coordinated cluster farming a first-order code, the per-redemption cost on those 40 was the full discount with no customer relationship on the other side. Chargeback disputes filed at day 45: each dispute is the disputed amount plus a fee, plus the administrative time to respond, plus the risk to your chargeback ratio if you lose. A ratio that crosses Visa VDMP thresholds has ongoing consequences beyond the individual dispute.

None of this means the campaign was not worth running. It might still have been. The honest version of the calculation includes these lines, and TrustLens gives you the data to populate them. The return abuse module tells you how many orders from the campaign period had the full-refund pattern. The coupon abuse module tells you how many redemptions were from accounts with prior abuse signals. The Chargeback Ratio Speedometer tells you how the dispute rate moved in the 30-day window.

The store that builds this review into every campaign gradually gets better at designing campaigns that attract the customers it wants. The store that only ever looks at the headline revenue number keeps running the same campaign profile and wondering why the margin never matches the expectation.

Common Questions

Do Smart Cycle Discounts and TrustLens integrate with each other?

No. The two plugins do not share code, data, or API connections. They are completely independent. What you are building when you run both is a manual operational habit — using TrustLens data to inform how you configure campaigns in Smart Cycle Discounts, and using TrustLens monitoring to evaluate what a live campaign is attracting. The workflow is deliberate rather than automated.

Can TrustLens automatically pause a Smart Cycle Discounts campaign when it detects abuse?

Not directly — there is no built-in connection between the two plugins. TrustLens Pro can send a webhook when a fraud signal fires, and if you connect that webhook to a custom automation (for example, via a middleware tool), you could theoretically trigger a campaign pause via the Smart Cycle Discounts REST API. But this is not a supported out-of-the-box workflow. The practical approach is a manual check schedule during active campaigns: review TrustLens daily and decide whether to pause based on what you see.

TrustLens free never auto-blocks — does that mean I have to check it constantly?

Not constantly — but deliberately. The free version of TrustLens surfaces risk; you decide what to do. During a major campaign, a once-daily check of the high-risk customer list and the coupon abuse module is usually sufficient. Outside of active promotions, a weekly review of anyone who moved into the Risk or Critical segment covers most situations. TrustLens Pro adds Automation Rules that can alert you the moment a signal fires, which shifts from scheduled review to event-driven response.

Which TrustLens features require Pro versus free?

All eight detection modules are free — returns, order patterns, coupon abuse, category-aware risk, linked accounts, shipping anomalies, chargeback tracking, and card-testing defense. The 0–100 trust score, six-segment classification, customer profiles, and manual blocking and allowlisting are also free. Pro adds Automation Rules (15 triggers, 30+ conditions, 10 action types), the Advanced Chargeback Monitor with per-brand ratios and Dispute Evidence Reports, Card-Testing Defense Pro (auto-escalation, attack analytics, Slack alerts), Payment Method Risk Controls, Scheduled Reports, and the Store Trust Network for multi-site. The free version contains everything you need to monitor a campaign and act on what you find manually. Pro automates the response.

What Smart Cycle Discounts features matter most for reducing fraud exposure?

In the free version: code-required delivery (narrows the eligible pool), role targeting (restrict campaigns to logged-in customers or specific user roles), location targeting, campaign expiration dates (discounts deactivate automatically so an offer cannot run indefinitely), and campaign-level plus per-customer usage limits. In Pro: single-use code generation (up to 50,000 unique codes per campaign) eliminates the code-sharing problem entirely, and discount combination policies let you control whether a campaign discount can stack with WooCommerce coupons.

How long should I monitor TrustLens after a campaign ends?

30 days covers most of the chargeback risk window for standard card disputes. 60 days covers the longer tail for some card brands. During those 30 days, watch the Chargeback Ratio Speedometer on the TrustLens dashboard — it shows your blended ratio against Visa, Mastercard, Amex, and Discover thresholds. A sustained upward movement in the 2–4 weeks after a campaign is a signal worth investigating, specifically in the cohort of customers acquired during the campaign period.

Key Takeaways: The Series in Practice

  • The two plugins are independent, not integrated. Smart Cycle Discounts manages the campaign lifecycle; TrustLens manages the customer risk layer. The operational connection between them is a deliberate habit you build, not a built-in automation.
  • The pre-campaign phase is where risk reduction is easiest. Reviewing your segment baseline, choosing your delivery method deliberately, setting usage limits, and (Pro) configuring an automation alert all happen before any orders are placed — when your options are still wide open.
  • Different discount types attract different abuse patterns. BOGO campaigns watch the return abuse module. Tiered pricing campaigns watch the linked-accounts module. Spend-threshold campaigns watch the return abuse module for cart-padding behavior. Knowing which signal to watch for which discount type is what makes the monitoring actionable.
  • Trust score trends during a campaign are a leading indicator. A downward shift in the score distribution (Normal segment shrinking, Caution or Risk growing) typically appears before individual fraud events become obvious. Checking the trend chart every few days during a live campaign gives you early warning.
  • The 30 days after a campaign end is the chargeback watch window. Most friendly fraud disputes arrive in this window. Keep the Chargeback Ratio Speedometer in view, and review your campaign-period customer cohort’s segment distribution to understand what the promotion actually attracted.
  • The margin math is incomplete without the customer-quality side. Revenue from a campaign minus returns, dispute costs, and the value of abuse that will not convert into long-term customers gives a more honest picture than the headline revenue number alone.

Run promotions. Watch what they attract.

Smart Cycle Discounts handles the campaign side: scheduling, delivery, eligibility, and automatic expiration. TrustLens handles the customer side: behavioral scoring, abuse detection, and the data that tells you what your promotions actually cost. Both are free to start.