Disclosure: SpamShield is built by JMS Dev Lab, the publisher of this blog. The detection signals below work whether you use a tool or audit by hand.
If you've already read our pillar guide on fake review detection on Shopify, you'll know there are two flavours of fake reviews on a Shopify store — human-written ones from real-looking accounts, and bot-generated ones from automated farms. This article is about the second category. Bot reviews are noisier, faster, and easier to catch — if you know what you're looking at.
The first time JMS Dev Lab worked through a coordinated review attack with a Shopify retailer, the bridal-jewellery merchant had just been hit by a competitor: dozens of 1-star reviews landing inside 48 hours. Sorting by date, the bot ones became obvious within twenty minutes. The human-written ones took weeks to untangle. The difference comes down to the forensic fingerprints automation can't hide.
A human writing a fake review for £15 takes their time. They use natural language. They might have actually ordered something. None of the standard automation signals apply to them.
A bot, or a script driving a farm of seasoned accounts, does not. It submits faster than a human can type. It re-uses sentence templates. It runs from a small pool of IP ranges. It hits the form at times that don't match the timezone the account claims to be in. Each one of those is small on its own. Together they are a signature.
The five signals below are what to look for. None of them is conclusive in isolation. Two or more on the same review is enough to investigate. Three or more is almost always automation.
Real customers don't submit reviews in twelve seconds. They open the email, click the link, get distracted, come back, type a few sentences, change their mind about a star, hit submit. Even a quick reviewer takes a minute or two.
Bots fill the form in under five seconds. Some review apps log the time between page load and submit; if yours does, anything below thirty seconds is suspicious and anything below ten is almost always automated.
The other half of this signal is time-of-day clustering. A normal review distribution follows the timezone of your customer base — mostly evenings and weekends, very few overnight submissions. Bot farms run when the operator runs them, often overnight in the operator's own timezone. Six reviews submitted between 03:00 and 04:00 GMT, when your customers are British and Irish, is not a coincidence.
This is the signal most merchants miss because it requires reading several reviews side by side rather than one at a time.
Bot-written reviews share structural tells across supposedly independent accounts: identical sentence lengths, identical opening clauses ("I bought this for my..."), the same adjective in the same position ("the quality is amazing / the service is amazing / the delivery is amazing"). When you read three or four of them in a row, you can almost feel the template underneath.
Open your review dashboard, sort by date, and read the last ten reviews back to back. Real customers sound different from each other. Their sentences vary in length. They mention specific things only they would notice. Bot reviews start to rhyme.
Most Shopify review apps store the IP address the review was submitted from, even if they don't show it on the front-end. Judge.me and Stamped both expose this in the admin view; Loox shows it via support.
What you're looking for is two patterns. The first is multiple reviews from the same IP address in a short window — a clear sign of one operator submitting from one machine. The second is reviews from IPs that resolve to known VPN or data-centre ranges. A genuine customer is on a residential ISP. A submission from an AWS IP range or a commercial VPN endpoint is almost never a real shopper.
Free reverse-IP lookup tools (ipinfo.io, ipqualityscore.com) will tell you whether an IP is residential, mobile, or data-centre. Two minutes per suspicious review.
Browsers leak more information than people realise. Screen resolution, operating system version, language settings, installed fonts, time zone setting, browser plugin list. Together those make a fingerprint that's almost unique per real device.
Bot farms don't run on a thousand real devices. They run on automation frameworks (Puppeteer, Playwright, Selenium) that produce a far narrower set of fingerprints. You see the same screen resolution, the same headless browser markers, the same default time zone, repeated across accounts that claim to be different people.
You won't usually see this data in a standard review app dashboard, but a content-analysis layer that does see it will flag the duplicates. This is one of the signals that's hard to check manually but easy for an automated tool to catch — which is why bot detection benefits from a software layer that purchase verification doesn't replace.
The last signal is statistical rather than per-review. Real review distributions on Shopify follow a recognisable shape: most are 5-star, a long tail of 4-star, a small handful of 1- and 2-star, very few 3-star. The exact ratios vary by category, but the shape is consistent.
Bot-driven inflation campaigns flatten the top of that distribution. You go from a believable mix of 4 and 5 stars to an implausible run of pure 5-stars with no variance. Bot-driven defamation does the opposite — a sudden cluster of 1-stars with no 2- or 3-star transitions. Real human dissatisfaction is messy. Coordinated attacks are clean.
If your weekly distribution suddenly looks like a perfectly symmetric U-curve or a flat spike, that's not your customers changing their behaviour. That's somebody else writing your reviews for you.
If you suspect your store has been hit, here's the manual pass that catches most bot campaigns without any extra tools:
The five signals above catch obvious bot campaigns. They don't catch slow, distributed attacks — three reviews a week from different IP ranges, no clustering, no statistical anomaly large enough to spot in any single week. By the time the pattern is visible, your rating has already moved.
That's the gap content-analysis tooling fills. Machine-learning models trained on labelled review data look at populations rather than individual submissions: vocabulary overlap across supposedly unrelated accounts, sentence-structure distributions, submission-velocity histograms, and the cumulative rating drift over weeks. The model isn't reading each review one at a time; it's flagging statistical anomalies that are invisible to a human auditor.
SpamShield runs the same content-analysis layer on review submissions and contact forms. 14-day free trial, no card required. Install on the Shopify App Store →
Bot reviews are the easier half of the fake-review problem. The fingerprints are there if you know to look for them: sub-minute submission times, repeating sentence templates, data-centre IPs, narrow device fingerprints, and clean statistical anomalies. Fifteen minutes a week catches most of what's automated.
The harder problem is the human-written fake review from a real-looking account. For that, see the pillar guide on fake review detection — it covers the signals that need content analysis rather than forensic fingerprinting, and the legal options when a campaign crosses into defamation.
Related reading: 5 Types of Shopify Contact Form Spam That Aren't Bots (And How to Stop Them) · The Real Cost of Shopify Contact Form Spam (It's Not Just Your Inbox) · SpamShield vs reCAPTCHA: What Actually Stops Shopify Contact Form Spam · Why reCAPTCHA Doesn't Stop Shopify Contact Form Spam (And What Does) · SpamShield.