TrustLens Pro Automation Rules: A Practical Playbook With Five Rules to Build First

There’s a gap that quietly costs stores money: the gap between seeing a risk and acting on it in time. TrustLens free is built to close the first half — it scores every customer from 0 to 100, sorts them into six segments, and shows you exactly which behaviors moved each score. But seeing a customer slide into the Risk segment at 11pm doesn’t help if nobody’s looking at the dashboard until Monday, and the fraudulent order has already shipped.

Automation Rules (a Pro feature) close the second half. They watch for the events you’d otherwise have to catch by hand — an order placed, a dispute recorded, a card-testing attack, a set of linked accounts surfacing — and take the action you’d have taken yourself, immediately, every time, without you being awake for it.

But here’s the catch nobody tells you: automation rules do nothing until you design them. The feature ships as an empty canvas. That’s correct behavior — TrustLens free deliberately never auto-blocks anyone behind your back, and Pro keeps that promise by never inventing rules for you. But it means the first time you open the Automation Rules page, you’re staring at a blank screen with no idea what a good rule looks like.

This playbook fixes that. Five rules, drawn from the fraud patterns that show up again and again in real WooCommerce stores. For each one you’ll get the exact trigger, the condition fields to set, the action, and a cooldown recommendation. Build these five and you’ll have a working automation layer in an afternoon — then you can adapt them to your own store from a known-good starting point instead of a blank one.

Why automation rules matter

Manual review works right up until it doesn’t. A store doing 30 orders a day can eyeball flagged customers. A store doing 300 can’t — and the orders that matter most (high-value, high-risk) tend to arrive at the worst times: overnight, during a flash sale, in the middle of a card-testing burst when your attention is already split.

The cost of the gap isn’t abstract. A serial returner who slips through for another month. A second chargeback that pushes your ratio closer to a Visa or Mastercard monitoring program. A stolen-card order that ships before you wake up. None of these are failures of detection — TrustLens saw all of them. They’re failures of timing. Automation rules are how you make the response as fast as the detection.

The anatomy of a rule (30-second primer)

Every TrustLens automation rule is three parts plus a guardrail. If you’ve read the full mechanics guide on how automation rules work, skip ahead — this is the compressed version.

• Trigger — the event that wakes the rule up. TrustLens Pro ships 15+ triggers, including Order Placed, Score Updated, Refund Processed, Chargeback Filed, Dispute Recorded, Linked Accounts Detected, Card Testing Attack, and Shipping Anomaly.
• Conditions — the tests the customer or order has to pass before the rule acts. There are 20+ condition fields, including trust score, segment, total order value, total disputes, customer age, country mismatch, coupon total, payment method, and linked accounts count. Multiple conditions combine, so you can be as narrow as you like.
• Action — what the rule does when conditions are met. The options are block customer, hold order, send email, fire webhook, allowlist customer, cancel order, and tag customer.
• Cooldown — the guardrail. A per-rule window that stops the same rule firing repeatedly for the same customer in a short span (so a burst of events doesn’t send you ten identical alerts). When a rule skips because of it, the inspector says so explicitly.

That’s the whole model. Trigger, conditions, action, cooldown. Every rule below is just a specific filling-in of those four slots.

Rule 1 — Block after a second lost dispute

The pattern: a customer files a chargeback, you lose it, and then it happens again. One lost dispute can be a genuine grievance or a confused buyer. A second lost dispute from the same customer is a different signal — it’s the strongest leading indicator of someone you should not be selling to, and every additional dispute drags your store-wide ratio toward a card-network monitoring program.

This is one place where TrustLens Pro also offers a dedicated, non-rule path: the Advanced Chargeback Monitor includes an Auto-Block After N Lost Disputes setting that does exactly this enforcement without you building a rule at all. Use whichever fits your mental model — the automation rule gives you more control over the conditions; the built-in setting is one toggle. If you want the background on where dispute data comes from in the first place, TrustLens ingests chargebacks from Stripe and WooPayments automatically, which is what makes the Dispute Recorded trigger fire on its own.

Rule 2 — Hold large orders from Caution-and-below customers

The pattern: a customer whose behavior has already pushed them into the Caution, Risk, or Critical segment places an unusually large order. The order value is what makes this worth a manual look — a $20 order from a shaky customer isn’t worth your time; a $400 one is. Holding (rather than blocking or cancelling) is the right reflex here: you’re not accusing anyone, you’re just buying yourself the chance to glance at the order before it fulfills.

Tune the $150 threshold to your store. The right number is roughly your average order value plus a margin — high enough that normal orders sail through, low enough that the orders worth a second look get caught. If you find yourself releasing nearly every held order, the threshold is too low or the segment net is too wide. This is the graduated-response philosophy in a single rule: rather than blocking outright, you can hold high-risk orders without blocking good customers and keep the human in the loop for the borderline cases.

Rule 3 — Alert the moment a Critical customer orders

The pattern: you have a small number of customers who’ve earned their way into the Critical segment — the worst 0–9 band of the trust score. You’re not necessarily ready to auto-block them (maybe they have legitimate orders mixed in, maybe you want eyes on it first), but you absolutely want to know the instant one of them places an order, so you can decide in minutes instead of finding out days later.

Two accuracy notes worth being precise about. First, TrustLens automation rules deliver alerts through the Send Email action and the Fire Webhook action. To get a message into Slack, you point a webhook action at a Slack incoming-webhook URL — TrustLens doesn’t need a dedicated Slack integration for this; the webhook action is the bridge. (Outgoing webhooks are HMAC-SHA256 signed by default and dispatched asynchronously with automatic retry, so a momentary network blip doesn’t lose the alert.) Second: alerting is non-destructive, which makes Rule 3 the safest of the five to turn on first. Nothing gets blocked, held, or cancelled — you’re simply wiring up a tripwire.

Rule 4 — Cancel country-mismatch orders below trust 40

The pattern: an order arrives where the billing country and the shipping country don’t match, and the customer’s trust score is already low. Country mismatch on its own is a weak signal — plenty of legitimate people ship gifts abroad or travel. But country mismatch combined with a sub-40 trust score is a much stronger one, and it’s a classic shape for stolen-card and reshipping fraud. This is the one rule in the playbook aggressive enough to cancel rather than hold — and only because the two conditions together are specific enough to justify it.

Rule 5 — Allowlist your VIPs so rules never touch them

The pattern is the inverse of the others: protect your best customers from your own automation. Your highest-value, longest-tenured buyers occasionally do things that look superficially risky — a large order, a return, a shipment to a second address. You never want a fraud rule to hold or cancel an order from someone who’s spent thousands with you over three years. Allowlisting locks a customer’s score at 100 and prevents any negative signal from affecting them, which means none of the rules above can ever fire against them.

A word of caution on this one, because it’s the rule most worth thinking twice about. Allowlisting is a strong, semi-permanent grant of trust — an allowlisted customer’s score is pinned at 100 and stops responding to behavior, so if one of your VIPs ever does go bad, the system won’t catch it until you manually remove them from the allowlist. Many stores prefer to allowlist VIPs by hand, deliberately, rather than automate it across an entire segment. If you do automate it, keep the condition tight (VIP only, never Trusted) and review your allowlist periodically.

The validator and the inspector — your two safety nets

Two features make building rules far less nerve-wracking than it sounds, and they’re the reason a playbook like this is safe to follow. Both are confirmed parts of TrustLens Pro’s automation system.

The save-time validator

When you save a rule, TrustLens checks it before it ever goes live and blocks rules that can never fire. It catches unsatisfiable conditions, schema violations, trigger-state contradictions, invalid operators for a field type, and incomplete actions — and it tells you the specific reason inline, right next to the rule, rather than letting you publish something that silently does nothing.

This matters more than it first appears. The most dangerous automation bug isn’t a rule that does the wrong thing — it’s a rule you believe is protecting you that is actually a no-op. A condition that contradicts its own trigger, a comparison that can never be true: the validator catches these at save time, so you never get the false confidence of a rule that looks active on the list but never actually runs.

The inline rule inspector

The inspector answers the single most common question store owners ask about any automation system: “why didn’t my rule fire?” For each evaluation, it records whether the rule ran or skipped — and when it skipped, it gives the exact reason. You’ll see entries like Cooldown active or Condition not met: trust_score > 50, so instead of guessing, you can read precisely why a given order didn’t trigger the action you expected.

In practice, the inspector is how you tune every rule in this playbook. Build the rule, let it run against real traffic, then read the inspector to see what it’s selecting and skipping. If Rule 2 is holding orders you’d rather let through, the inspector shows you which condition let them in. If Rule 4 never fires, the inspector tells you whether it’s the country-mismatch test or the trust-score test that’s filtering everything out. It turns rule-tuning from guesswork into reading a log.

What’s free vs Pro

To be completely clear about the line, since this whole playbook lives on the Pro side:

The mental model TrustLens is built around: free surfaces the risk; Pro acts on it. If you’re still on free and doing manual review, that’s a legitimate place to operate from — plenty of smaller stores never need automation. The moment manual review starts losing the race against your order volume is the moment this playbook earns its keep.

Common questions

Will building these rules block legitimate customers?

Only if you configure them to, and only after you enable them. Three of the five rules (alert, allowlist, and — if you run it as a hold first — the country-mismatch rule) take no destructive action at all. The two that can block or cancel (Rules 1 and 4) are deliberately conservative: a second lost dispute, or a country mismatch combined with a sub-40 trust score. The recommended path is to watch every rule in the inspector before trusting it, and to run the sharpest rules as holds until your own data proves they should escalate.

What’s the difference between hold, cancel, and block?

Hold pauses a single order for manual review — the customer is unaffected and you decide. Cancel cancels that one order outright. Block acts on the customer, not the order — it stops that email from adding to cart or checking out on future visits, until you unblock them. As a rule of thumb: hold when you want a human to look, cancel when the order itself is clearly bad, block when the customer is the problem.

How do I send alerts to Slack specifically?

Use the Fire Webhook action and point it at a Slack incoming-webhook URL. TrustLens automation rules dispatch webhooks asynchronously, signed with HMAC-SHA256 and retried automatically on failure, so the alert is both secure and reliable. (Note: the dedicated Slack/email alert dispatcher built into Card-Testing Defense Pro is a separate feature for card-testing attack events — for general automation-rule alerts, the webhook action is the path.)

Why did my rule not fire?

Open the inline inspector. It logs every evaluation and, for skipped ones, gives the exact reason — Cooldown active, or Condition not met: followed by the specific condition that failed. This is the fastest way to debug any rule. If a rule won’t even save, the save-time validator will have told you why inline — usually an unsatisfiable condition or an incomplete action.

Do I need Pro to see risky customers at all?

No. All trust scoring, all six segments, all eight detection modules, the dashboards, the customer profiles, manual blocking and allowlisting, and chargeback tracking with the Ratio Speedometer are in the free version. Pro adds the ability to act automatically on what free shows you — automation rules, the validator and inspector, signed webhooks, scheduled reports, the Advanced Chargeback Monitor, and Card-Testing Defense Pro. If you only want to see and decide manually, free is genuinely complete.