Checkout Tactics

How I Restrict Coupon Abuse

Using coupons and discounts to entice purchases is a cornerstone of retail and ecommerce.

Today’s email automation platforms — Klaviyo, Listrak, many more — make it easier than ever to deliver coupons to consumers at different points in their journey. A simple example is the classic “10% off your first order” when a visitor subscribes to an email list.

Other examples target lapsed customers, shoppers who abandon carts, and upsells based on previous purchases.

Screenshot from a Chirp email with a coupon code for first time buyers.

Acquiring customers is one of many uses of coupon codes. This example from Chirp, a seller of discount audio books, is for first-time buyers.

Bargain Hunters

Consumers’ love of a good deal can unfortunately result in illicit attempts to stack as many discounts and coupons as possible.

Moreover, browser extensions — Honey, Fetch, Capital One Shopping, many others — automatically apply coupons to an order, lowering the price. A merchant might have created a coupon for first-time purchases, but the extensions can allow repeat buyers to use it.

Sometimes shoppers collaborate to discover and share coupons. It’s a tiny fraction of customers, but the repercussions affect everyone.

My own ecommerce business has encountered coupon abuse for years. We develop and sell music software directly to consumers. Though our margins are high, the behavior requires us to take extensive precautions when rolling out coupon-driven promos.


Merchants often create a single code for an entire segment of customers. “WELCOME10” might be a coupon for first-time buyers. But such generic codes virtually guarantee widespread discovery and use, likely including browser extensions addressed above.

Some merchants create codes with random characters that appear to be customer-specific, such as “WELCOME10GH76BND.” The hope is a shopper receiving the code believes it’s for him alone and will not share it. My experience is consumers are far too savvy and will quickly learn and share.

Hence our only reasonable option is to create one-time coupons distributed individually and never on a public page. Many tools and platforms can help. Omnisend, for example, provides one-time coupons for WooCommerce and Shopify. Klaviyo offers it natively with Shopify and extended with WooCommerce.


Yet person-specific, single-use coupons will not prevent abuse. Experienced shoppers may discover the method of generating the coupons — e.g., adding an item to the cart and waiting two days — and exploit it.

We therefore add “guardrails” for coupon use and generation. A baseline precaution is preventing the same type of coupons from being stacked. For example, multiple cart abandonment coupons cannot be used in a single checkout. Or, limit coupon use globally to one per order.

Always add parameters to a coupon, such as an expiration date and time, and internal notes on how and why it was created. Those notes will help identify the origin if the coupon shows up in an unexpected place.

Limit coupon generation by adding filters to automated email flows. All modern email service providers allow restrictions on how often a visitor can enter a flow, such as once daily, weekly, monthly, or ever.


Incredibly, even with all the tactics above, we’ve experienced malicious behavior, such as the same user creating multiple accounts under different email addresses to obtain the same coupons. At that point, we shift to general security measures that prevent deceptive or illegal activity.

Cloudflare, the content delivery network, offers a free “Web Application Firewall” with “Rules” that detect and restrict suspicious activity. The general idea is to limit how often users from the same IP can access the same page.

For example, a user accessing an account creation page multiple times per hour could be blocked for 24 hours. Ditto for reset password pages.

The downside of these measures is occasionally snaring innocent customers. Thus tuning the number of attempts and duration is essential.

Beyond Coupons

Besides the abuse issues, coupons can degrade the shopping experience. Some shoppers will leave a checkout containing a coupon field to search for a code. Others become frustrated that they’re missing out on a deal. The result either way is an abandoned cart.

The answer for my business is to transition away from coupons almost entirely and instead apply individual discounts and promotions automatically when customers log in and shop as usual. It has the dual benefit of being the most secure for my business and the most pleasant for our customers.

It’s seemingly the ideal scenario. although it requires development and testing.

Essential Questions

Coupon abuse follows ecommerce success. When launching a coupon, especially for a segment of buyers, ask yourself:

  • What happens if all customers access this promotion?
  • Should the promotion stack with other coupons? If not, have you taken steps to prevent it?
  • Is the coupon for individuals only? It will likely be shared otherwise.
  • Have you placed coupon guardrails to prevent stacking, hoarding, and overuse?

Swathes of consumers eager to buy your products are a good problem. Spending time and money protecting against coupon abuse is painful but necessary.

Andrew Aversa
Andrew Aversa
Bio   •   RSS Feed