The growth in online shopping has opened the floodgates for retail fraud and scams, but attacks on bricks-and-mortar retailers are getting increasingly sophisticated, too.

This article originally appeared in the April 2019 issue of WiFi HiFi Magazine. With stores now starting to re-open across Canada as well as online and remote purchasing on the rise, the article is more relevant now than ever. 

You’re sitting in your shop on a quiet Tuesday afternoon, when a phone call comes through. It’s a seemingly well-heeled businessman who’s looking to buy a number of expensive speakers to outfit his new condominium project. 

He’s hoping for a deal and heard that you’re the guy to talk to in the area, having handled a number of projects that spec’d in these same speakers. Flattered and excited about the prospect of this apparently effortless large sale, you negotiate a fair but profitable price. You discuss the merits of the speaker as he shares how he heard them at an event he attended while on business out of town and was thoroughly impressed. He provides you with his credit card number, and, since he’s still away on business, will send a courier to pick everything up to have it delivered once the order has come in. 

You excitedly place the order with the vendor and the product is picked up. Everything happens flawlessly. Then a few days later, a call comes in from your payment processor. The payment did not go through. The card was fraudulent. 

You pick up the phone to frantically call your newfound client with whom you’ve, by now, had multiple pleasant phone conversations with, bonding over a mutual love of fine wine, smooth jazz, and skiing in Whistler. You were confident he would become a repeat customer. Surely this is all just a misunderstanding. The number isn’t in service. You contact the courier, having dutifully jotted down his name, number, and license plate as a security measure – you even took his photo. Turns out he’s just a private courier whose services were procured on a one-off basis through a local ad on Kijiji. All he knows is he delivered a package to the required address, and someone met him outside to sign for it. The building, upon further investigation, is actually vacant. 

Reality sets in. You’ve been scammed.

First, don’t feel embarrassed or stupid. Fraud, in some way, shape, or form, has happened to every retailer at one point in time. Any retailer or integrator reading this is nodding his head in affirmation with his own tale of woe to share. After John Thomson, Publisher of WiFi HiFi and Owner of the WiFi HiFi Store in downtown Oakville shared his personal story in our weekly e-newsletter – one that closely resembles the hypothetical one noted above – he was flooded with e-mail replies from readers who assured him they’ve been through similar experiences. (We share a few of these at the end of this article.) 

Handing a credit card to salesperson.

Retail theft is rampant and comes in a variety of forms – employee theft, returns fraud, brazen thievery, and even organized crime like was clearly the case in the aforementioned scenario. 

The Internet has presented new opportunities for scammers who make both customers and businesses their victims. Not only the vulnerable are targeted: scammers have become so sophisticated and strategically manipulative that even the most intelligent businessperson can become an unknowing victim. 

Beyond e-commerce, small independent bricks-and-mortar retail businesses are facing challenges from scammers who find clever new ways to steal goods and funds right from under their noses. The rise in Organized Retail Crime (ORC) and the increasing level of sophistication of attacks means retailers must manage a delicate balance between serving local customers with a level of mutual trust and keeping their guards up to protect the business against fraud. 

“ORC gang members are increasingly bold in their tactics,” writes the National Retail Federation (NRF) in its 2018 Organized Retail Crime Survey. “It’s a combustible combination – one that requires loss prevention professionals to stay one step ahead during a time in which budgets are tight and laws are less and less of a deterrent.” Of those surveyed, a whopping 91.6% reported being a victim of ORC in the last 12 months, and 71.3% have seen an increase in ORC in the past year.

New technologies to combat retail fraud range from chip and PIN and contactless credit cards and readers that accept payments from smartphones, to dynamic CVV numbers that constantly change, and even biometric and facial recognition for verifying purchases and identities. But we still have a long way to go. Many small retailers (even some large) still don’t accommodate contactless payments, and certainly don’t yet have biometrics on their minds. Even with chip and PIN, fraudsters find ways around it. David Kurth, National Sales Manager for BC-based retail security company Halo Metrics Inc., says thieves sometimes quickly insert a chip and PIN card multiple times to purposely trigger the prompt to swipe instead. 

As with any type of con, we’re all human. No technology can eliminate the instance of human error. Fraudsters capitalize on the lag time between when a transaction is put through and when that authorization is discovered as fraudulent. They prey on human emotions, ego, and vulnerabilities, and have turned their work into a terrible artform. They’re, quite simply, good at what they do. And they’re getting better. 

In the most sophisticated instances, criminals invest lots of time and effort into scoping out shops and picking the right targets. They hunt for personal details to help build a rapport, and research extensively to gain knowledge about the products and/or your past jobs or clients, or the company or industry they claim to be from – just enough to strike up a conversation, and appear legitimate for as long as it takes to scam you. 

Retail Fraud by the Numbers

Square’s Contactless Chip Reader being used in a retail environment

Retail fraud is a massive, billion-dollar issue worldwide. LexisNexis Risk Solutions reported at the end of 2017 that fraud as a percentage of retailer revenue was 1.58% that year, up from 1.47% in 2016. The organization estimates that merchants pay close to $3 for every $1 they lose via fraud.

According to the 2018 True Cost of Fraud: Retail Edition report, the success rate for fraudulent transactions is up nearly 30% over 2017; 36% when looking at larger, multi-channel merchants.

Retail theft in Canada overall is estimated to be around $5 billion, says Kurth. “And fraud is a growing segment of that, especially when more transactions are happening online.”

In Canada, the Retail Council of Canada (RCC) cites figures from the Canadian Anti-Fraud Centre (CAFC) that pegs the total value of fraud reported by Canadian businesses in 2017 at $30.4 million. That’s up a considerable 78% from 2016, and an all-time high over the previous four years. 

The retail industry is the fifth highest industry affected by fraud, says the Association of Certified Fraud Examiners (ACFE), susceptible for the simple reason of opportunity.

The products most at-risk fall into one of two categories. The first are low volume and high value. In the tech industry, that might include high-priced speakers or turntables. The second are high volume but low value, such as cell phone cases or charging cables. Typically, targeted products share some common characteristics. According to LPM Insider, they are valuable and in high demand; easily accessible to consumers; easily concealed to avoid detection when stolen; there’s expansive availability and demand; they are innovative and/or offer premium performance that is attractive to customers; and they can be easily sold and quickly converted to cash. Respondents to NRF’s aforementioned survey suggest that high-end electronics, such as Apple devices, are highly-desired because of the ease of selling them on the Internet, and on the black market. 

The good news? Guy Charpentier, Director, Customer Compliance and Fraud at Mastercard, says Canadian retailers have “one of the lowest fraud rates for payment cards, thanks to their adoption of EMV [chip cards].” But retail fraud is far from being nonexistent.

Different Types of Retail Fraud

Pin pad security products, including a mount, cradle, and hold down kit, prevent thieves from being able to tamper with a pin pad to steal credit card information. (Photo: Halo Metrics)

Retail fraud can run the gamut, from customers who falsely bring back returns, to cash register tampering. It can happen anywhere within the supply chain. 

Here’s a breakdown of some of the most common types of retail fraud, both in stores and online.

Chargebacks: This occurs when a customer falsely reports a product as not having been delivered. The cost of the product is charged back to the merchant by the credit card company, and the customer is credited. The retailer then incurs the costs not only for the “missing” item, but also of the logistics, payment processing fees, and the inventory cost to replace the presumably lost item. 

Card-tested: In this instance, a person acquires a list of stolen credit card numbers and tries all of them until one works. Then, they proceed to use that winning card to make other fraudulent purchases. Fraudsters typically start with a small purchase, like gas or fast food, then work their way up to larger stores and bigger ticket purchases once they’ve verified success with a card. They’ll often target locations they know accept card swipes versus chip and PIN. Kurth says some thieves even tamper with pin pads and steal information, as well as use printed credit cards and run them through the card swipe when associates are not paying attention.

Return fraud: This can come in many forms. A customer steals an item and tries to return it for gift cards. They might find a lost or stolen receipt and try and use that for a return. A practice called shoplisting is defined by a person who buys an item, walks back into the store on another occasion, picks up the same item, and tries to return that one (before paying) using the old receipt. Another tactic fraudsters use is to move a lower-priced label to an item, then try to return it at the original price. Wardrobing is when someone uses an item then attempts to return it as new. Kurth says Halo Metrics has also seen instances where thieves have receipt printers to create fraudulent receipts that look nearly identical to the real thing; as well as gift card fraud where fraudsters tamper with gift cards on the shelf. “[They have] legitimate customers buy and activate cards that are really in the hands of the thief.

“We are aware of multiple retailers,” adds Kurth, “that return more of certain products than they sell due to open return policies that allow criminals to turn stolen merchandise into cash.”

In the aforementioned NRF survey, retailers said they expect that of the 11% of annual sales that will be returned, 8.2% will be fraudulent. The Retail Equation (TRE), meanwhile, estimates that 4.2% of returns are fraudulent, costing Canadian retailers $1.7 billion annually. 

Some payment processors have developed solutions to combat returns fraud. In 2015, Moneris launched its Verify service for large enterprises, which uses statistical modeling to analyze data along with predictive analytics to look for patterns in a customer’s return history. And companies like Halo Metrics offer products that can be attached to merchandise to help prevent items from travelling straight from the shelf to the return desk. 

Discount abuse: You might not mind if your employees occasionally share their discounts with close family and friends. But discount abuse is when they use this privilege to buy items, then re-sell them to friends at a profit (but still under the retail price) and pocket the difference. Or, they might purchase an item, and have a friend return it to another location without a receipt to make money. Putting a limit on the number of times an employee can use his discount, and/or keeping track of all purchases and serial numbers, might help eliminate instances of discount abuse. 

Sweethearting: Also known as under-ringing, this is when employees ring in a purchase – typically for a friend or family member – at a price that’s lower than the actual pricing. Larger retailers typically require a manager to authorize price overrides to prevent this. But for smaller shops, losses might just be labeled as a presumed mistake. Surveillance cameras, and detailed time and date transaction receipts, might help deter this.

Retail fraud can happen at any point in the supply chain, including inventory and vendor theft. (Photo: Square)

Inventory theft: Smaller independent shops might not have sophisticated inventory management systems in place, which leaves the door open for nefarious employees or vendors to take product and remove records from inventory, mis-price product, or be deceptive about deliveries. If this is, or has been, an issue in the past with temporary employees or the occasional bad apple, it might be worth investing in a solid inventory system. While it requires an upfront cost, the reduction of lost inventory could equate to savings, not to mention peace-of-mind, in the long run.

Vendor theft: This might consist of vendors failing to ship as much product as they’re invoicing for, particularly with items that come in bulk, such as confectionary products at convenience stores. With larger, high value products, vendor fraud can occur when vendors stock inventory in a store and shortchange the dealer. It would help to always have an employee do inventory counts and checks on deliveries, particularly if you’re dealing with a new vendor.

Organized retail crime (ORC): Groups of individuals work together to de-fraud retailers. According to the NRF’s 2018 Organized Retail Crime Survey, ORC costs retailers US$777,877 per US$1 billion dollars in sales, with nearly three in every four respondents saying they’ve seen an increase over the last 12 months. 

With ORC, there are individuals who each take on a specific role. The booster(s) physically steals the items. The fence sells it to a customer or a diverter. A diverter is a person or business that sells stolen property back to retailers at discounted prices, sometimes even through a legitimate wholesaler or distributor that may be unaware they’re part of a chain of fraud. The goods end up being sold online, through flea markets, or even back to legitimate bricks-and-mortar shops that are none the wiser. Kurth says some of those too-good-to-be-true work-from-home e-mail pitches relate to retail fraud. Scammers hire unsuspecting (or suspecting) individuals to accept deliveries of stolen goods and slap new labels on them. The scammers use the person’s mailing address in exchange for a small fee for minimal work, and they remain blissfully ignorant of their role in retail crime.

A decade ago, a ring of thieves was caught stealing from various chain stores in Lakeland, FL. After taking the items, they’d resell them through a discount store that operated on eBay as well as in local flea markets. The group of 18 criminals hit up to 15 stores per day, stealing up to US$3,500 worth of goods each time. Over a period of five years, it was estimated that they stole anywhere from US$60-US$100 million worth of goods. 

Halo Metrics is looking at technologies that track the location of individuals within a bricks-and-mortar store to help identify people who are present during multiple fraud events, and alert retailers when they return. Such a system could have prevented that crime ring from persisting for so long.

How to Combat Retail Fraud

A contactless retail transaction using Square and a mobile device

There are simple yet effective steps you can take to safeguard your business against fraud.

Consider only accepting payments in a bricks-and-mortar store when a physical card is present, or not sending goods for purchases over a certain amount until a credit card payment has officially cleared. “Card not present” transactions could leave you in hot water if there’s an issue. If an unknown customer insists on paying over the phone for a seemingly logical reason (e.g. ordering from out of province to be shipped), don’t just ask for the name, card number, expiry date, and CVV code. Also ask them to e-mail you a photo of the front and back of the card. If you’re particularly worried, let them know that your policy indicates that for all high-value purchases that don’t involve a physical card swipe, you must wait until the amount has fully cleared before you can ship the product. A legitimate customer of a small retailer should understand. If product is going to be shipped to a customer, only use verified shipping companies, or your own private courier. Make sure there’s a tracking number, and signature for the delivery, which must be made at the specified location. 

If a caller or visitor seems suspicious, or a large sale too good to be true, trust your gut and validate as much as you can before moving forward. Look into the company and individual online. Google can be a wonderful resource! For the business or delivery address, do a Google Maps search to see an image of what’s at that location. Does it look like a real business, or a dilapidated building? Kurth suggests making sure that a customer’s billing address matches a shipping address. If it doesn’t, find out why. 

While allowing customers to buy items online and pick them up in stores is becoming a popular set-up, you might want to reconsider the option for high-value items, or products purchased in large quantities. This method is convenient for customers, but it can also make you vulnerable to thieves. 

Consider adopting some of the latest technology that can protect you against fraudsters. Mastercard has implemented EMV technical standards at the point-of-sale that can help protect retailers from counterfeit, lost, or stolen payment cards that might be used at the cash. And as basic as it might sound, Charpentier claims that chip and PIN technology has “virtually eliminated fraud in bricks-and-mortar locations in Canada.” There are also innovations that involve biometrics, machine learning, artificial intelligence, and other authentication tools, like Mastercard Identity Check that allows retailers to verify that a customer is who he says he is. Charpentier says Mastercard’s investment in artificial intelligence to enhance its ability to detect sophisticated attacks has helped stop up to 200 threats per minute and prevent “billions of fraud every day.” 

Tokenization, meanwhile, replaces a traditional card number with a unique code instead. For online purchases, customers can store their credit credentials with a merchant, notes Charpentier, without the risk of exposing the actual card account details. While this protects the customer, it also protects the retailer by association: fewer card numbers that can be stolen means fewer of them can be fraudulently used.

It’s essential that retailers offer returns so customers know they can get a refund if the product is defective, or they aren’t happy with it. But don’t have loose policies. Ask the person for ID, and check the payment type against the receipt they provide. Instead of providing a full cash or credit refund, offer only store credit that can be used toward something else in store. Home Depot, for example, only accepts returns for a store credit that can be used online. 

Employee training is crucial. Share stories with your team about other retailers and how they were de-frauded, and set up hypothetical scenarios to demonstrate how clever and cunning a fraudster can be. “We are seeing advances on the payment terminal side that can help prevent fraud from happening,” says Kurth, “but most require a certain level of training for staff as well.”

At the simplest level, have a security camera system set up in the store, along with anti-theft and tracking devices attached to products. Carve out a portion of the budget to invest in a good inventory tracking system, especially if you’ve been hit before and want to prevent future losses. 

In summary, keep an eye out for red flags, or anything that seems fishy, like a customer who needs to use multiple credit cards for a large order. It’s possible that a legitimate business might have to do this for a variety of reasons. But when dealing with a person you’ve never met, it could mean something’s up.

Bottom Line

The industry is moving towards new and seemingly more secure methods of payment, like smartphones and biometrics, that may, at some point in the future, eliminate physical cards altogether.

You don’t want to approach every customer as though he is a potential thief. But you also need to protect your business. And any customer will understand and appreciate this, especially if he’s buying a high-value item, or product in large quantities. 

“Create processes that put fraudsters at risk while still focusing on keeping a positive customer experience,” says Kurth. “If I am told as a customer that I need to show ID on a no receipt return to help keep costs low due to fraud, I wouldn’t be offended, and neither would most customers.”

And most importantly, understand that retail fraud doesn’t always involve theft from a teenager with sticky fingers, or a thug who’s gotten his hands on a fake credit card. There are highly intelligent individuals who make money off the backs of legitimate businesses by preying on vulnerabilities, ego, and trust.

“Never underestimate the intelligence, ingenuity, motivation, and ruthlessness of those involved,” writes LPM Insiderabout fraudsters and ORC. 

“Understanding your systems and keeping your infrastructure current are all best practices in combating fraud,” says Charpentier. “For retailers that have been targeted, it’s important to understand the vulnerabilities of their business and take the necessary steps to address the situation.”

No matter what measures you take to prevent retail fraud, thieves and scammers try to remain one step ahead. The best defense is to be diligent, keep your guard up, and explain to new customers why you need to take extra measures to verify purchases of high-value items or items bought in large quantities. If a customer is insulted, you might unfortunately lose the business. But the aftermath would be far more damaging if you allowed a fraudulent transaction in the thousands of dollars to go through because you didn’t trust your gut. 

It’s never a good idea to operate a business in a way that all new customers are treated as suspect. But with so many intelligent individuals using their smarts and talents to defraud others, exercising prudence has become a necessity. 

Readers and Store Owners Share Their Retail Fraud Stories

After John Thomson, Publisher of WiFi HiFi Magazine shared his personal story of retail fraud in the WiFi HiFi Store that was once set up in Oakville, ON in our weekly e-newsletter, he received many reader comments of support and empathy. One retailer even advised that the story prompted him to think twice about a pending order of multiple speakers. Upon further inspection, he discovered that the order was indeed fraudulent. Luckily, he was able to cancel it in time, and report the incident to the authorities. 

Below is some of the commentary we received. (Note: Names and specifics have been removed).

We had a bank account set up in our name by a scammer. They transferred $3 in from our real account, then a few days later, $2,000. The bank actually mailed us a bank card during the week for our “new” account. That’s when we inquired and found the fraud. Fortunately, we were refunded.

[A local retailer] was scammed for $30,000, and the guy was crafty just like that. He started off with a pair of speakers, and came back for more, working out a deal along the way. If these people put their talents to things above board, I’m sure they would be fine.

There are good lessons here for all of us. I recently got an e-mail that a money transfer was to be put into my account. Having just recently had a bad experience with an airline (our flight had 13 changes!) I initially thought they were coming through with some compensation. But then again, I thought why transfer me the money? The sender’s address did not seem to be from the airline, so I never opened that e-mail. I, too, have been duped, but of less than $100. It still affects your trust in people.

We have been scammed twice, both times in our ecommerce cart. The first time was for a pre-amp worth $6,300. The client purchased the device, which was not in stock at our store. In fact, we had to order it from [another country] to fill the order. The client communicated through a Hotmail account, and we explained to him that we had to order it before we could deliver it. The ‘buyer’ was very patient, waiting almost six weeks for the pre amp to arrive in Canada. And we had multiple e-mails back and forth. He asked us for a tracking number and gave an address in Quebec. We shipped by Purolator. The goods were collected at the Purolator depot in Laval, and the next day, we received a call from our payment processor that the transaction was fraudulent. It’s amazing that once the goods were delivered, then we got the call about the fraud – not one day before, despite the process taking six weeks to conclude! As the payment processor shields the credit card holder from questions and/or responsibility for keeping their credit information secure, we the merchant take all online risks. Despite being “protected” by the payment processor’s secure online ordering system, we received no refund nor compensation. The second fraud was for $1,050 for a digital audio player. Again, the goods were shipped to Quebec. The ‘buyer’ provided a Calgary address for the credit card, but wanted the goods shipped to a person with the same last name in Montreal. This was all done electronically in our ecommerce cart and again, once the goods were delivered, the payment processor called with the sad news of another fraud. Sad for us, no problem for them. The merchant takes all the risks, despite millions and millions of dollars of business we have done with them over 20 years. Why is PayPal so much more secure for retailers than multi-billion dollar companies? It is the little retailer that gets hit, not the banks. 

It has happened to all of us. Last year, we had someone pretend to be [a university] and also lost on an order. You always think that you are a step ahead and would recognize the scammers, but as you have discovered, it’s not always that easy. 

[When it happened to us], we couldn’t get the actual credit card, as the guy was supposedly in LA. But he did give us the three digits on the back of the card, and all went through fine. It happened during Halloween week, and it was only Christmas Eve that we got the notification that the credit card was rejected. Those laptops could have made several journeys to the moon and back in that almost two months! We did everything we could do and still, the credit card company went along with it. That’s the part that baffles me. And I will always be PTSD over it! 

I’ve been scammed myself back in the days when we took cheques. We get e-mails every day from seemingly legitimate companies asking for a quote on 15 units of a camera. That would be a $45,000 order! I don’t even respond. 

We had a situation with a dealer who was scammed for a very large amount. The only way of safeguarding is to have a photo of the front and back of the credit card. That way, you know they are the rightful owner of the card. If they won’t provide that, it probably means that the card information was scammed somewhere off a dark Website. No customer who willingly provides you with the card number, expiration date, and personalized number off the back would have an issue providing you with photos of the front and back of the card. In all likeliness, if they called you out and you explained why you need to do it, you would get one of two responses. Either “Okay, I get it,” or the sounds of silence followed by a hang up. 

A few years back, I received a fax. I spotted immediately that it was a scam, as there were many red flags. I started a banter with the scammer and contacted various authorities with the information I gained. I turned over five stolen card numbers to VISA fraud, and maintained the banter with them. I traced the fraudster through his several shipping addresses, and found he was using a re-shipper in Vaughan, ON to send goods to Africa. The shipper got burned with the first card I turned over to VISA. VISA, and any other credit card provider, is not motivated to find the fraudsters, as the investigation is a cost to them – to the point that they claw back the disputed purchase from the merchant and credit the customer. The file closes without investigation in order to keep their costs down.