April 21, 2026

Case Study: Catching Klaviyo Newsletter Code Abuse With Wildcard Prefix Matching

Mass-Generated Codes: Modern Marketing's Newest Fraud Gap

Discount code fraud detection was originally designed around a simple model. A merchant creates one code. Customers use the code. The system watches that specific code for duplicate redemptions.

Modern email marketing has quietly broken that model. Platforms like Klaviyo, Omnisend, and Attentive now generate unique discount codes at scale — one code per subscriber, delivered in the welcome email, guaranteed to be redeemable only once. This is better for personalization and better for analytics. It has also created a new attack surface that traditional per-code fraud monitoring cannot see.

The merchant in this case study was running exactly this kind of setup. They used Klaviyo to mass-generate individual discount codes for every newsletter signup. Each code was a unique string with a shared prefix — something like LAR-XXXXXXXX, where LAR identified the code as coming from the newsletter flow and the random suffix made each code unique to the subscriber who received it.

On paper, the system was tight. Each code had a one-use limit. Each code was tied to a specific email address. Shopify's own redemption tracking prevented any single code from being used twice. On paper, there was no abuse surface.

In practice, the surface was enormous.

How the Abuse Worked

The pattern customers discovered was simple, and obvious once you see it. The merchant's newsletter signup was open to anyone. Anyone could enter an email address, receive a unique discount code in return, and use that code on a single order.

From an abuser's perspective, this is a vending machine for discount codes. Enter a throwaway email address. Receive a code. Use it. Enter a new throwaway email. Receive a new code. Use that one. Repeat.

Every individual code was used exactly once, which is the rule the system was designed to enforce. Every redemption passed Shopify's built-in checks, because each code was a different code, not a repeat of a prior one. The per-code "one use per customer" limit was technically honored — the limit just did not mean what it seemed to mean when the codes were being generated at scale.

The merchant had no visibility into this pattern through their existing fraud tooling. Their fraud monitoring was code-specific, and each code was new. By the time they realized what was happening, the data showed repeated shipments to the same addresses, using a rotating set of freshly generated newsletter codes, across a large and growing number of throwaway email accounts.

This is the structural shape of modern promo abuse. When a marketing platform can generate a functionally unlimited supply of unique codes, per-code fraud detection stops working. The abuser is not fighting the code limit. They are operating at a layer above it — at the code-generation layer — where no per-code rule can reach them.

Why Per-Code Monitoring Does Not Scale

Fraud detection tools that monitor individual discount codes assume the code is the unit of detection. For every code in the monitored list, the tool watches redemptions and scores for abuse. Add a new code, add it to the list. Simple enough, when codes are minted by hand.

This model collapses when the code count is effectively infinite. A merchant generating thousands of unique codes per month via Klaviyo cannot realistically maintain a list of monitored codes. Even if they could, the detection logic would be meaningless — each code only has a single legitimate redemption by design, so the signal of "this code was used twice" never fires.

The abuse is not across any individual code. It is across the family of codes — all the codes generated by the same flow, all sharing the same prefix, all effectively functioning as instances of the same underlying promotion.

The detection has to operate at the level of the family, not the individual code.

The Feature: Wildcard Prefix Matching

CustomerGenius's wildcard matching lets merchants monitor not a specific code, but a pattern. Instead of specifying LAR-ABC123, LAR-DEF456, and LAR-GHI789 as individual monitored codes, the merchant specifies the pattern LAR followed by a wildcard — and CustomerGenius monitors every code starting with that prefix as if they were all part of the same promotional family.

When a new order comes in using any code matching the wildcard pattern, CustomerGenius scores it against prior orders using any other code matching the same pattern. The scoring runs across the same multi-signal logic that powers discount code and order tag matching:

  • Email address (exact and fuzzy)
  • Phone number (exact and near-exact)
  • Shipping address (exact and normalized fuzzy)
  • Billing address (independent of shipping)
  • Customer name (fuzzy matched)

The abuser's pattern — same address, similar names, cycling emails, rotating codes — now has a place to show up in the detection. The codes are different, but the customer is not. The wildcard tells CustomerGenius to compare across all of them as a single promotional group.

How the Merchant Deployed It

The merchant added the LAR* wildcard pattern to their CustomerGenius configuration and set a two-signal threshold for auto-cancellation. Orders matching on two or more identifiers against a prior newsletter-code order were automatically refunded. Orders matching on a single signal were sent to a review queue for manual confirmation.
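The family-level scoring and the two-signal threshold described above, as an added example that is not CustomerGenius's code: it assumes a constructed order record with one field per signal, simple normalizers standing in for the product's fuzzy matching, and a prefix pattern where `*` matches any suffix. Orders are only compared with prior orders whose code falls in the same pattern family, so two different LAR- codes used by the same customer identity are caught even though neither code is ever reused.

```python
import re
from collections import namedtuple

# Constructed order record; field names are this example's own, not a Shopify schema.
Order = namedtuple("Order", "code email phone ship_addr bill_addr name")

def code_matches(pattern: str, code: str) -> bool:
    """Wildcard match where '*' spans any characters, so 'LAR*' matches 'LAR-ABC123'."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.upper().split("*")) + "$"
    return re.match(regex, code.upper()) is not None

# Normalizers approximating the fuzzy/near-exact matching listed per signal above.
def norm_email(email: str) -> str:
    local, _, domain = email.lower().partition("@")
    return local.split("+")[0].replace(".", "") + "@" + domain   # drop +tags and dots

def norm_phone(phone: str) -> str:
    return re.sub(r"\D", "", phone)[-10:]                         # national digits only

def norm_addr(addr: str) -> str:
    abbrev = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(abbrev.get(w, w) for w in words)

def norm_name(name: str) -> str:
    return " ".join(sorted(re.sub(r"[^a-z ]", "", name.lower()).split()))

SIGNALS = {"email": (norm_email, "email"), "phone": (norm_phone, "phone"),
           "shipping": (norm_addr, "ship_addr"), "billing": (norm_addr, "bill_addr"),
           "name": (norm_name, "name")}

def shared_signals(a: Order, b: Order) -> list:
    """Names of identity signals that agree after normalization (empty values never match)."""
    return [s for s, (f, attr) in SIGNALS.items()
            if f(getattr(a, attr)) and f(getattr(a, attr)) == f(getattr(b, attr))]

def score_order(new: Order, history: list, pattern: str, cancel_at: int = 2) -> dict:
    """Score a new order against prior orders whose codes fall in the same prefix family.
    Strongest match decides: >= cancel_at signals -> auto_cancel, 1 -> review, 0 -> allow."""
    if not code_matches(pattern, new.code):
        return {"decision": "allow", "signals": [], "prior_code": None}
    best_hits, best_code = [], None
    for prior in history:
        if prior.code != new.code and code_matches(pattern, prior.code):
            hits = shared_signals(new, prior)
            if len(hits) > len(best_hits):
                best_hits, best_code = hits, prior.code
    n = len(best_hits)
    decision = "auto_cancel" if n >= cancel_at else "review" if n == 1 else "allow"
    return {"decision": decision, "signals": best_hits, "prior_code": best_code}
```

A real deployment would compare against many prior orders and keep the review queue for single-signal matches such as two genuine subscribers sharing a shipping address.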

The first days after deployment surfaced a clearer picture of the abuse pattern than the merchant had previously been able to assemble. Orders that had seemed isolated when viewed code-by-code turned out to be part of a connected set once the wildcard matching grouped them by customer identity instead of by code. In some cases, a single household address had accumulated ten or more newsletter-code orders across different email addresses over a period of weeks.

The review queue caught household cases — two actual subscribers at the same address using different newsletter flows — and the team cleared them individually. The auto-cancel threshold caught the abuse pattern and processed refunds within seconds of the orders being placed.

After a few weeks, the volume of monitored-pattern orders dropped back to what looked like a legitimate baseline. The abusers who had been cycling through emails to harvest codes moved on when the codes stopped converting into actual shipments.

Why Modern Fraud Detection Needs Pattern-Level Monitoring

The Klaviyo newsletter pattern is a specific example of a much broader shift. Any marketing automation that generates unique codes at scale creates the same exposure:

  • Welcome series with per-subscriber codes
  • Referral programs that issue unique codes per referrer
  • Cart abandonment flows with unique recovery codes
  • Win-back campaigns with individually generated reactivation codes
  • SMS subscribe flows with codes tied to each phone number

Every one of these mechanisms shares a common marketing structure: unique codes, a shared prefix or naming convention, and a functionally unlimited supply. Every one of them is invisible to fraud detection that operates on individual code identifiers.

Wildcard matching is the mechanism for bringing these flows back into the fraud detection model. The merchant names the pattern — a prefix, a string match, a family identifier — and all codes matching the pattern are scored as a single promotional family against customer identity signals. The abuse that would otherwise slip through the per-code gap gets caught at the pattern level.

Results: Newsletter Flow Protected, Acquisition Preserved

The merchant's newsletter signup continued to run exactly as designed. New subscribers entered their emails, received unique codes, and redeemed them on first orders. The experience for legitimate customers did not change at all.

What changed was the outcome for abusers. Orders that had been passing through the system previously — because no individual code was ever used twice — were now being scored against the customer-identity history across all codes in the newsletter flow. When the abuse pattern showed up, the order was refunded.

The dollar impact tracked the volume of the abuse. The newsletter flow had been generating a measurable share of orders that were effectively extracted from the business, with no legitimate acquisition value attached. Closing that exposure returned that spend to the budget for legitimate subscriber conversion.

The Takeaway

Ecommerce fraud detection is not a solved problem. It is a moving problem that follows the evolution of marketing tooling. Every new mechanism for generating promotional incentives — unique codes, free products, automatic bundles, tagged promotional orders — creates a new surface for abuse. Detection tools that stay locked to the old model (one code, one merchant-managed redemption limit) fall further behind every time marketing platforms add capability.

CustomerGenius's wildcard matching is built for the current generation of marketing automation, where codes are mass-generated, unique, and loosely grouped by prefix or naming convention. Instead of monitoring each code individually, it monitors the pattern — and scores customer identity across the full family of codes that share it.

If your store runs any flow that generates individual codes from a template — Klaviyo welcome series, referral program codes, cart abandonment recovery, SMS flows — wildcard matching is the feature built for that shape of promotion. See how it fits alongside the rest of CustomerGenius's fraud detection on the CustomerGenius pricing page, or install from the Shopify App Store to try it on a 14-day free trial.