The world of retail and protecting assets has changed dramatically over the years. No longer do retailers just need to worry about shoplifting.
With things like new payment methods and online shopping changing today’s retail landscape, loss prevention encompasses many elements for retailers and business owners to consider.
I recently had the opportunity to sit down with Staff Sergeant Chris Lawson of the Halton Police Service and discussed loss prevention in this evolving retail world.
During this conversation, we discussed the more common scams that police are seeing and how retailers and businesses can increase their awareness to help prevent them before they happen.
Here are his top five scams that you may not be aware of:
#1. “Forced Override”
A “forced override” is a way that criminals can use fraudulent or stolen cards to make purchases.
With the advent of chip and PIN payment cards, criminals have found it more difficult to make large purchases as they don’t always have the unique PIN number.
As S/Sgt. Lawson explains, “One clever way criminals will circumvent the need for a PIN number is to use the factory default password for the point of sale (POS) terminal which will put it into administrative mode. Once the machine is in administrative mode, it is easy for the offender to do a forced override approval for the transaction.”
Although it appears to the clerk the transaction was approved, it was never approved by the card provider and, ultimately, the retailer will receive a chargeback and suffer a loss.
S/Sgt. Lawson’s recommendations on preventing this are twofold.
“First, make sure you have changed your password on your POS terminals so it’s no longer the factory default. Second, train your staff to carefully watch what the customer is doing with the point of sale machine once it is handed to them.
It should be noted that this type of theft is often done by two or more criminals acting together. Once the terminal is handed to the first person, a second person will divert the clerk’s attention, so the perpetrator can enter the numbers to obtain the forced override approval.
Additionally, clerks should watch for people attempting to use multiple cards, as sometimes stolen or fraudulent cards are shut down by the card provider and are no longer valid which necessitates the offender having to try a different card.”
#2. High-Value Purchases
Everyone loves making a large sale, but sometimes the old adage, “If it seems too good to be true, it probably is,” holds true.
Often, organized crime rings will send “runners” with stolen credit cards into retailers to make significant purchases of items that are easy to re-sell, thereby converting the value of the stolen credit card into cash. Gift cards are a hot item with this scam because they can easily be monetized.
S/Sgt. Lawson gave me an example of this scam.
“A while ago a woman was arrested for possessing a stolen credit card at a big box retailer while trying to purchase four big screen TVs. In this case, the clerk found the purchase of four large TVs to be odd and asked a few questions. The clerk learned the woman was from out of town and the name on the card was different than her driver’s license, and so the police were called.”
Similarly, criminals will use stolen or fraudulent credit cards to purchase a high volume of gift cards, which will then be sold on any of the internet trading sites (eBay, Kijiji, etc) and be converted to cash.
When looking to prevent this, S/Sgt. Lawson has this advice,
“Consider having your staff verify and record the name, address, and phone number of the customer by viewing their driver’s license. Also note, these types of purchases are often made with credit cards from other parts of the world.”
#3. “Card Not Present”
Clever criminals know that they need a credit card and PIN to make an in-person purchase, but they also know that many retailers will allow for an over the phone sale with the credit card number provided verbally.
As S/Sgt. Lawson shared with me, “With just the credit card number, a fraudster can often order product from a retailer and then employ a “runner” or courier to pick the items up, and deliver it to the criminal at a safe location.”
In my local area, the police have had a number of reports of this type of fraud lately, including $3,000 in tires being picked up from a car dealership and $15,000 worth of electrical supplies from a local supplier.
Sadly, when the real account holder sees the fraudulent transaction on their account and calls their credit card provider, the transaction is charged back to the retailer because the “card was not present,” which is a requirement of the merchant agreement.
For this scam, S/Sgt. Lawson has one recommendation. “The key to not being a victim of this crime is to ensure the card is presented for all transactions. Anytime a customer is using a third party to pick up product, it should be a red flag.”
#4. The Executive Scam
This scam has been estimated to cost American businesses 2.3 billion dollars in 2016 and is a serious concern to businesses at all levels.
Here is how it works: Criminals take the time to learn about a business, including the names and email addresses of key people within the business. The scammers take the time to understand the target organization’s relationships, activities, interests, and travel and/or purchasing plans.
Once this information has been obtained, the fraudster will pretend to be the president, CEO, or owner of an organization, and send an email from a fake email account to the finance manager (or anyone with authority to send a wire transfer or make a payment), requesting a wire transfer.
The email will look nearly identical to a legitimate email — except for one small and hard to detect change.
For example, let’s say Carl Simpson is the owner of Happy Pet, a chain of five pet stores and has the email of firstname.lastname@example.org.
One day, Sally, who looks after the books and payments for Happy Pet, receives an email from “Carl Simpson” that says:
“Hi Sally, are you busy? I need you to wire me $50,000 ASAP. I am trying to buy another store and need the cash wired to complete the deal. Let me know when you can do this, and I’ll send you the account details. And please don’t mention this to anyone; this is a secret deal.”
Sally, wanting to be a good employee, quickly responds, receives the necessary details, and promptly wires the funds — typically to an offshore location.
Sadly, Sally didn’t notice the email was from email@example.com instead of the proper domain of “happypet.com” and now the $50,000 is gone.
See the subtle difference one character can make?
In Ontario and all of Canada, this is a very common scam, with millions of dollars being lost. To prevent this, ensure that you have policies in place to double check the veracity of emails.
S/Sgt. Lawson’s advice to retailers is this: “A simple policy of verbal confirmation of instructions can save you a lot of money. Talk with your staff about the policy and tell them that every time a request is made for a wire transfer or an unusual payment, that they call the requestor to confirm it.”
#5. Change of Bank Account Scam
This is very similar to the Executive Scam and has many of the same principles, but with a slight twist.
The criminal element will delve into a company to learn who the key people are in finance or accounting, and find out who some of the companies are that the victim company uses as suppliers.
Once they have this information, the fraudster will email the bookkeeper from what appears to be a legitimate supplier email, but it will be from a fake email account (just like the executive scam).
Typically, the email will say something like:
“Hi Pam, we have been having trouble with our general bank account, and the bank has requested we temporarily refrain from using that account until they sort it out. For the time being, can you kindly remit your payment for the last invoice to our account in Europe? Please get back to me, and I’ll send you the details of where to wire the funds.”
Again, Pam, wanting to be a good and efficient employee, quickly responds and “pays” the invoice by wiring the funds to the new account.
The fake email domain is only changed by one character making it VERY difficult to notice the change.
S/Sgt. Lawson cautions businesses that this scam is quickly gaining ground.
“This scam has targeted businesses small and large. Just last month, a national retailer fell victim to this scam and sent nearly $600,000 to an offshore account which will never be recovered.
Similarly, a medium sized retailer in Oakville, sent $250,000 to a bank in Prague after receiving an email from their supplier in China stating they had changed banks and requested invoice payment to a “new account.”
In each of the cases, the money was lost, and the real invoice still had to be paid.
The best way to prevent being a victim of this crime is to have a policy for your staff to speak directly to the supplier any time a change in payment is requested.”
Now that you know some of the scams that your company may be targeted with, it’s time to look at your internal processes and where they can be tightened up to help prevent this from happening. Knowledge is the key to minimizing the impact when it comes to loss prevention, so taking the time to educate your staff is an investment well worth making.