How to stop in-person scammers in their tracks

Bad actors are constantly finding new ways to target merchants. Stop them cold with this handy guide to in-person scams and fraud.

Till Payments

Six common in-person scams and what to look out for

Many merchants think it'll never happen to them. But fraud is real. Scams happen. And they're ever-evolving. Adopting a defensive mindset and introducing best practices can reduce your exposure, plug any potential 'revenue leakage', and protect your reputation.

When it comes to in-person scams, forewarned is forearmed. So Till has put together this handy guide to many common scams – a great tool to train your staff and business on how to protect. And prevent.

1. Manual Entry Terminal Transaction Scams

Manual entry terminal transaction scams occur when a customer (scammer!) goes to enter their PIN on the EFTPOS machine. As the merchant glances politely away, the scammer cancels the prompt and inputs the long card number from a stolen or cloned card without the merchant realising what's happening. The transaction goes through as a card-not-present payment, making the merchant liable for a fraudulent chargeback.

What to look out for:

  • The customer takes longer than it would typically take to input a 4-digit PIN (3-6 seconds).
  • The customer reads numbers from their phone or a piece of paper.

How to beat these scams:

  • Refrain from allowing customers to have control over the EFTPOS machine.
  • Be sure to supervise the customer while they input their PIN.
  • It should arouse suspicion if a customer is keying in a number for 15-20 seconds or more. In this event, verify the capture method to ensure it is ICC contactless.
  • The correct payment procedure should be tapping the card on the EFTPOS reader. If this fails, the customer should swipe the card. If this also fails, the customer should insert the card into the EFTPOS machine. MOTO (Mail Order Telephone Order), if enabled, should only be used if all three previous methods have failed.
  • To remove manual entry from your terminals or if you have concerns about the risk of fraudulent activity, we will be happy to assist you in disabling this functionality on your terminals.

2. Donation Scams

Your business may receive cold calls or unsolicited emails from persons claiming to represent a charity and asking for donations in return for supporting your business. “Donations” may be requested as money transfers or goods & services.

The same chargeback liabilities will fall onto the merchant should the payment be reported as fraud.

What to look out for:

  • You receive a call from a charity that you have never heard of before, or the email, website or letterhead appears fake.
  • The person collecting doesn’t have any identification or is unwilling to provide you with any when asked.
  • A scammer may try to trick you into giving by thanking your business for a donation it never made, either claiming the payment has not gone through or asking you to make good on a "promised" gift.
  • The person collecting is unable or unwilling to provide you with a receipt.

How to beat these scams:

  • Before you consider giving to a specific charity, search its name plus “complaint,” “review,” “rating,” or “scam.”
  • Be especially alert to these kinds of scams in the wake of natural disasters or major events.
  • Approach charity organisations directly to make a donation or offer support.

3. Terminal Swaps

These scams occur when a customer (scammer!) swaps your physical POS device with their own – and your daily sales are processed to the scammer’s account.

What to look out for:

  • Be alert to any attempted interference with any of your POS devices.
  • Your POS device suddenly stops working, requires a reset or is showing a different business name.

How to beat these scams:

  • Ensure your POS devices are well secured and regularly check for any signs of tampering.
  • Do not leave your POS device unattended.
  • Personalise your device with company logos or stickers to make it easy to identify.

4. Refund Scams

The scammer will use a compromised credit card to make a purchase. They will then request a refund, asking that you pay it in cash or to a different debit card via EFTPOS (for various reasons).

What to look out for:

  • Any request to refund in cash, or to a card other than the original one used for payment.
  • Scammers taking control of the terminal and inputting a different sales amount, then asking to refund the difference.
  • Be cautious if you are asked to refund or transfer money for an overpayment or freight charges.
  • It also pays to monitor all refunds processed. An increasingly common form of fraud involves employees using your EFTPOS solution to process refunds to their personal cards. Ensure only authorised staff can process refunds and be aware of your refund limits.

How to beat these scams:

  • Never refund a transaction to a card other than the one used to make the original purchase.
  • To counter employee refund abuse, keep your refund password in a safe place and regularly change it. Never use a generic password such as 0000.
  • Limit the number of people who can process a refund.
  • Have dual signing authority before processing refunds over a certain amount.
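
The refund rules above can be checked against a transaction export. The following is an added example, not Till's code or a gateway API: the field names, the authorised-staff list and the dual-approval threshold are all assumptions, and the sample records are constructed.

```python
from decimal import Decimal

AUTHORISED = {"alice", "bob"}            # assumed: staff allowed to refund
DUAL_APPROVAL_OVER = Decimal("500.00")   # assumed threshold for a second sign-off

# Constructed sample export; field names are assumptions, not a gateway schema.
TRANSACTIONS = [
    {"id": "S1", "type": "sale", "card": "tok_a1", "amount": "120.00"},
    {"id": "S2", "type": "sale", "card": "tok_b2", "amount": "900.00"},
    {"id": "S3", "type": "sale", "card": "tok_c3", "amount": "45.00"},
    {"id": "R1", "type": "refund", "orig": "S1", "card": "tok_a1",
     "amount": "120.00", "operator": "alice", "approver": None},
    {"id": "R2", "type": "refund", "orig": "S2", "card": "tok_zz",
     "amount": "900.00", "operator": "bob", "approver": "bob"},
    {"id": "R3", "type": "refund", "orig": "S3", "card": "tok_c3",
     "amount": "60.00", "operator": "carol", "approver": None},
    {"id": "R4", "type": "refund", "orig": None, "card": "tok_zz",
     "amount": "30.00", "operator": "bob", "approver": None},
]

def audit_refunds(transactions):
    """Return {refund_id: [reasons]} for refunds that break the rules above."""
    sales = {t["id"]: t for t in transactions if t["type"] == "sale"}
    refunded = {}   # running refund total per original sale
    findings = {}
    for t in transactions:
        if t["type"] != "refund":
            continue
        reasons = []
        amount = Decimal(t["amount"])
        sale = sales.get(t["orig"])
        if sale is None:
            reasons.append("no-original-sale")
        else:
            if t["card"] != sale["card"]:
                reasons.append("different-card")
            refunded[sale["id"]] = refunded.get(sale["id"], Decimal(0)) + amount
            if refunded[sale["id"]] > Decimal(sale["amount"]):
                reasons.append("exceeds-sale")
        if t["operator"] not in AUTHORISED:
            reasons.append("unauthorised-operator")
        if amount > DUAL_APPROVAL_OVER and t["approver"] in (None, t["operator"]):
            reasons.append("missing-second-approval")
        if reasons:
            findings[t["id"]] = reasons
    return findings

if __name__ == "__main__":
    print(audit_refunds(TRANSACTIONS))
```

An approver who is the same person as the operator is treated as no second sign-off, which is what dual authority is meant to prevent.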

5. Pick & Collect Scams

The scammer enters your store carrying a list of compromised credit card numbers, which may include the full card number, expiry date, and CVV/CVC details. The scammer will ask you to manually enter card numbers, claiming they've "misplaced" their card or do not have it on their person. Once a sale has been approved, the scammer will collect the goods and walk out.

What to look out for:

  • Scammers will often attempt to purchase expensive items using a series of different card numbers that end up declining.
  • Scammers will usually enter the store near closing time and pretend to be in a rush.

How to beat these scams:

  • Insist cards are swiped or inserted into the terminal for in-store transactions.
  • Never manually enter card numbers in-store from cards that are not physically present.
  • Ask the cardholder for another form of payment if their card is rejected for multiple errors, is damaged or tampered with and their signature doesn’t match that on the back of the card.
  • Never split transactions into smaller amounts or over multiple cards.
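
The "series of different card numbers that end up declining" pattern is what a velocity check looks for. This added example (not Till's code; the log layout, window and threshold are assumptions, and the log lines are constructed) flags a manually keyed attempt that follows several declined cards on the same terminal.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_DECLINED_CARDS = 2           # assumed: distinct declined cards tolerated

# Constructed sample terminal log: (time, terminal, capture, card token, result).
LOG = [
    ("2024-05-01T16:50:00", "TID1", "contactless", "tok_01", "approved"),
    ("2024-05-01T16:52:10", "TID1", "manual", "tok_02", "declined"),
    ("2024-05-01T16:53:05", "TID1", "manual", "tok_03", "declined"),
    ("2024-05-01T16:54:00", "TID1", "manual", "tok_04", "declined"),
    ("2024-05-01T16:55:30", "TID1", "manual", "tok_05", "approved"),
    ("2024-05-01T16:56:00", "TID2", "manual", "tok_06", "declined"),
    ("2024-05-01T17:30:00", "TID1", "manual", "tok_07", "approved"),
]

def flag_card_cycling(log):
    """Return timestamps of manual-entry attempts made after more than
    MAX_DECLINED_CARDS distinct cards were declined on the same terminal
    within WINDOW."""
    recent = {}   # terminal -> [(time, card)] of recent manual declines
    flagged = []
    for ts, terminal, capture, card, result in sorted(log):
        when = datetime.fromisoformat(ts)
        # Drop declines that have aged out of the window for this terminal.
        declines = [(t, c) for t, c in recent.get(terminal, [])
                    if when - t <= WINDOW]
        recent[terminal] = declines
        if capture != "manual":
            continue
        prior_cards = {c for _, c in declines if c != card}
        if len(prior_cards) > MAX_DECLINED_CARDS:
            flagged.append(ts)
        if result == "declined":
            declines.append((when, card))
    return flagged

if __name__ == "__main__":
    print(flag_card_cycling(LOG))
```

The approved sale at 16:55:30 is the one to review: it was keyed in after three other cards had been declined on the same terminal within ten minutes.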

6. Freight Shipping Scams

A scammer may email or cold-call your physical store and ask to place an order. They often ask to purchase high-value items and either email you their credit card details or provide them over the phone.

What to look out for:

  • The scammer will ask that you pay a “third-party shipping company” on their behalf by asking you to charge the cost of shipping to the credit card details provided.
  • The scammer will then ask you to transfer the shipping costs to the “private shipping company” – in reality, the scammer’s own personal account.
  • The scammer will also ask you to complete this via direct transfer, or sometimes via an international money transfer.

How to beat these scams:

  • Never transfer funds to a “private shipping company” or any other third party per the scammer's request.

More tips to better protect yourself

  • It’s better to err on the side of caution, so if you’re suspicious of an order, then it’s better to reject it.
  • Use 3D Secure 2 (3DS2) for all card-not-present transactions where available.
  • Create a culture of security in the business that allows employees to question payment instructions.
  • Properly configure your gateway’s fraud rules (e.g. velocity checks, IP address blocking).
  • Avoid delivering to PO Boxes for customers you have never dealt with before.
  • Periodically review your anti-fraud processes to determine any gaps, and especially after a breach.
  • Create a process where credit card and customer identification details are checked and matched at time of collection of goods.
  • Use access controls to limit who can do things such as refunds or use multi authority to confirm a payment.
  • Always use strong and unique passwords for each application.
  • Do not accept declined transactions. If a card is declined multiple times from MOTO processing, don't try to process it further.
  • Do not split a declined transaction into smaller amounts.

If you'd like to discuss anything covered in this blog, or speak to someone about disabling certain features such as MOTO (mail order/telephone order) transactions, please reach out to our support team via email.