Key takeaways
- COD fraud includes prank orders, competitor sabotage, and automated bot floods that never intend to pay.
- Key signals: order and address velocity, fake or repeated phone numbers, gibberish names, disposable emails, and device/IP fingerprints.
- Blocklists and a cross-store RTO network stop repeat offenders you have never seen before.
- Risk-based COD gating applies friction only to suspicious orders, protecting genuine buyers.
- Kwikfy's Fraud Shield combines these signals with a per-store model to flag fake orders at checkout.
COD fraud detection is the practice of identifying orders that were never placed by a genuine buyer intending to pay — before you spend money shipping them. Cash-on-delivery removes the one thing that filters intent: an upfront payment. That makes COD the default channel for prank orders, competitor sabotage, and automated bot floods, all of which end the same way — an undelivered parcel, two-way freight, and blocked inventory. For Indian D2C brands where COD can be the majority of orders, fraud detection is not optional; it is margin protection.
The good news is that fraudulent and low-intent orders leave fingerprints. They cluster in time, reuse fake identities, and come from the same devices. This guide breaks down the fraud types, the specific signals that expose them, and how blocklists, a cross-store network, and risk-based gating turn those signals into automatic protection.
The types of COD fraud
- Prank orders: individuals placing COD orders they never intend to accept, often on impulse or as a joke.
- Competitor sabotage: rivals placing bulk fake COD orders to drain your shipping budget and clog inventory.
- Bot floods: automated scripts placing many orders in minutes with fabricated details.
- Serial RTO abusers: real people who habitually order COD, refuse delivery, and move to the next store.
- Address stuffing: the same buyer using slightly varied fake addresses to evade simple blocks.
Each type shares a tell: the order is cheap to place and costly for you to fulfil. Detection is about spotting the tells before the parcel moves.
Signal 1: Velocity
Legitimate customers place one order at a time. Fraud comes in bursts. Velocity checks look for an abnormal number of orders sharing an attribute in a short window — the same device fingerprint, IP address, phone number, or delivery address placing multiple COD orders in minutes. A single address receiving ten COD orders in an hour is almost never ten real customers.
- Order velocity per device or IP within a time window.
- Address velocity — many orders to one address, or one buyer across many near-identical addresses.
- Phone velocity — the same number attached to a suspicious cluster of orders.
- Checkout speed — bot orders often complete faster than a human physically can.
Signal 2: Fake and repeated phone numbers
The phone number is the spine of COD, because it is how the courier confirms delivery. Fraudulent orders routinely use invalid numbers (wrong length, impossible patterns), obviously fake sequences (repeated or sequential digits), or numbers with a history of RTO. A number that has never taken a successful delivery, or one flagged across the network, is a strong risk signal. This is exactly why OTP-based COD verification is so effective — a fake number cannot receive the code.
Signal 3: Gibberish names and addresses
Fraud and low-intent orders are placed carelessly. Names like asdf, test, or random keyboard mashing, and addresses that are placeholders or nonsense, are reliable indicators. Gibberish detection scans the name and address fields for entropy patterns that do not resemble real Indian names or addresses and flags them for the risk engine. It pairs naturally with the address completeness scoring covered in our address verification guide.
Signal 4: Disposable and low-quality email
When email is collected, its quality is informative. Disposable or temporary email domains — the throwaway inboxes designed to expire — correlate with orders placed by people who do not want to be contacted or traced. A disposable email on a high-value COD order is a meaningful risk flag, especially combined with a fresh device and a weak address.
Signal 5: Device and IP fingerprinting
A device fingerprint is a stable identifier derived from the browser and device characteristics. It lets you recognise that ten different customers are actually one device, or that an order comes from a device previously tied to RTO. Combined with IP reputation (data-centre IPs, mismatched geolocation, known abusive ranges), fingerprinting is what unmasks bot floods and competitor sabotage that otherwise disguise themselves with varied names and addresses.
| Signal | Fraud it catches | Strength |
|---|---|---|
| Order/address velocity | Bot floods, competitor sabotage | High |
| Fake / repeated phone | Prank orders, fake identities | High |
| Gibberish name/address | Careless prank & bot orders | Medium |
| Disposable email | Untraceable buyers | Medium |
| Device / IP fingerprint | Bots, repeat abusers in disguise | High |
| Cross-store history | Serial RTO abusers | Very high |
Block fake COD orders before they cost you freight
Kwikfy's Fraud Shield scores velocity, fake numbers, disposable emails, and device fingerprints on every order — automatically.
Start Free →Blocklists and the cross-store RTO network
Signals catch fraud you can infer from a single order. Two more layers catch fraud you would otherwise only learn about after being burned.
Blocklists
A blocklist stops orders from phone numbers, addresses, devices, or emails you have already identified as fraudulent. Once a serial abuser is caught, they should never cost you again. Kwikfy maintains per-store blocklists and lets you add offenders manually or automatically as their orders resolve to RTO.
The cross-store network
The most powerful signal is behaviour on other stores. A serial RTO abuser who is brand new to your store is not new to the ecosystem. Kwikfy's cross-store RTO network shares hashed, privacy-safe repeat-RTO signals across stores, so a phone or address with a pattern of refusing deliveries elsewhere is flagged the first time it reaches you. This is how you catch a first-time fraudster before their first parcel ships — something no single-store system can do.
Turning signals into action: risk-based COD gating
Detection is only half the job; the response must protect genuine buyers. Risk-based COD gating applies friction proportional to risk, using the same green/yellow/orange/red tiers as the wider RTO score:
- Low risk: allow COD with no friction — the vast majority of real customers.
- Moderate: require an OTP to confirm the phone and order.
- Elevated: disincentivise COD; push the prepaid option with a discount.
- High: block COD and offer only prepaid via a hosted pay link.
The prepaid pay link is elegant because it is self-filtering: a genuine buyer will pay and you keep the sale, while a fraudster simply disappears — and either way you never ship at a loss. Applying friction only to flagged orders means your good customers keep the fast, frictionless checkout experience that drives conversion.
How Kwikfy's Fraud Shield ties it together
Kwikfy's Fraud Shield runs all of these checks at the point of checkout: velocity across order, address, and device; fake-number and gibberish-name detection; disposable-email screening; device and IP fingerprinting; per-store blocklists; and the cross-store network. The output feeds the unified risk score alongside the AI RTO prediction model, so fraud and general RTO risk are handled in one decision. No single signal blocks an order on its own — the strength is in combining them.
The takeaway: every fake COD order you catch at checkout is pure saved margin, because you never paid to ship it. Fraud detection is not about being suspicious of customers — it is about making sure the orders you do fulfil are the ones that will actually pay. For the complete strategy, see our guide to reducing COD RTO in India.