Prevent discount-code abuse

Stop coupon farmers, stack-spammers, and one-account-many-emails customers from draining your margin.

Last updated 2026-05-10

Public codes get scraped. Private codes get shared. Here's how to stop the worst behaviour without making legit shoppers angry.

Settings → Discounts → Anti-abuse

Three controls worth turning on:

  • Email matching. Block if the same email or normalised email (jane+1@gmail.com == jane@gmail.com) has used this code before
  • Device matching. Block if the same browser fingerprint (HWID + UA + canvas hash) has used this code before, even with different emails
  • IP matching. Block if the same /24 network has used the code more than N times in 24 hours

Layer all three for high-value codes. Use only email matching for low-stakes codes (signup discounts).

Coupon-aggregator scraping

Sites like DealCatcher, RetailMeNot, and Honey scrape your storefront for active codes. Within 24 hours of going live, every public code is on their lists. Mitigations:

  • Don't put codes in URL params (BOGO checkout redirects with ?code=XXX get scraped)
  • Use Hidden codes for non-mass-market campaigns
  • Rotate generic codes monthly so old scraped codes are dead
  • Set lower max-uses caps (1000 instead of 10000)

One-account-many-emails

A common abuse: a shopper creates many email aliases, and each one gets the WELCOME10 first-purchase discount. Email matching with normalisation (the +tag stripping) catches Gmail and Outlook aliases. Custom-domain emails (jane@her-own-domain.com, multiple aliases) are harder.

For these, fingerprint matching is the answer. The same browser claiming five WELCOME10s gets blocked on the second.
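The email, device and IP controls listed earlier and the alias case in this section, combined into one check as an added example (not the product's own code). The class and function names, the in-memory storage, the opaque fingerprint strings and the reading of "more than N" as blocking once a /24 already holds N redemptions are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def normalise_email(email):
    """Lowercase and strip the +tag: jane+1@gmail.com -> jane@gmail.com."""
    local, _, domain = email.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def network_24(ip):
    """Return the /24 network that an IPv4 address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

class AbuseCheck:  # hypothetical name, not the product's API
    def __init__(self, max_per_network=3, loose=False):
        self.max_per_network = max_per_network  # the "N" of IP matching
        self.loose = loose                      # Loose mode: flag, do not block
        self.emails = defaultdict(set)          # code -> normalised emails
        self.devices = defaultdict(set)         # code -> fingerprints
        self.net_uses = defaultdict(list)       # (code, /24) -> timestamps
        self.log = []                           # (time, code, reason) entries

    def redeem(self, code, email, fingerprint, ip, now):
        """Return 'allow', 'flag' or 'block' for one redemption attempt."""
        mail, net = normalise_email(email), network_24(ip)
        recent = [t for t in self.net_uses[(code, net)]
                  if now - t < timedelta(hours=24)]
        verdict, reason = "allow", None
        if mail in self.emails[code]:
            verdict, reason = "block", "email"
        elif len(recent) >= self.max_per_network:  # assumed reading of "more than N"
            verdict, reason = "block", "ip"
        elif fingerprint in self.devices[code]:
            verdict, reason = ("flag" if self.loose else "block"), "device"
        if reason:
            self.log.append((now, code, reason))
        if verdict != "block":  # allowed and flagged orders both go through
            self.emails[code].add(mail)
            self.devices[code].add(fingerprint)
            self.net_uses[(code, net)].append(now)
        return verdict

def demo():
    """Constructed attempts: a +tag alias, then a custom-domain alias on one browser."""
    t, check = datetime(2026, 1, 1, 12, 0), AbuseCheck()
    return [check.redeem("WELCOME10", "jane@gmail.com", "fp-a", "203.0.113.7", t),
            check.redeem("WELCOME10", "Jane+1@gmail.com", "fp-b", "198.51.100.9", t),
            check.redeem("WELCOME10", "j2@her-own-domain.com", "fp-a", "192.0.2.4", t)]
```

The +tag alias is stopped by email matching, while the custom-domain alias passes email matching and is caught only by the repeated fingerprint.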

False positives

Real shoppers do share computers (family, library, office). Settings → Discounts → Anti-abuse → Loose mode flips fingerprint matching from "block" to "flag for review". The order goes through, you get a notification, and you decide manually whether to refund.

The trade-off:

  • Strict mode. Zero abuse, occasional pissed-off legitimate customer
  • Loose mode. Some leakage, no false-positive complaints

Most stores run Loose for first-time codes and Strict for high-value (>€100 off) codes.

Audit trail

Reports → Discounts → Abuse log shows attempts that were blocked and why. Useful for proving to a customer that you didn't unfairly reject them. If their device fingerprint really did try the code five times, you have the timestamp.
