Blog

How to stop scammers in their tracks.

Bad actors are constantly finding new ways to target merchants. Stop them cold with this handy guide to merchant scams and fraud.

Till Payments

Common scams and what to look out for

Many merchants think it’ll never happen to them. But fraud is real. Scams happen. And they’re ever evolving. By adopting a protective mindset and introducing best practice, you can reduce your exposure, plug any potential ‘revenue leakage’, and protect your reputation too.

Forewarned is forearmed. So Till has put together this handy guide to common scams: a tool you can use to train your staff and harden your business against them.

Freight Shipping Scams

A scammer may email or cold-call your physical store to place an order. They will often ask for high-value items and send their credit card details by email or read them out over the phone.

What to look out for:

  • The scammer asks you to charge the order, plus a shipping fee, to the card details they provided, and to arrange delivery through a “third-party shipping company” they nominate.
  • They then ask you to pay the shipping fee onward to that “private shipping company” – in reality, an account the scammer controls.
  • They will ask for this payment by direct bank transfer, or sometimes by international money transfer, rather than by card.

How to beat these scams:

  • Never transfer funds to a “private shipping company” or any other third party at a customer's request. The card payment will later be reversed as a fraud chargeback, while the money you transferred is gone.

Pick & Collect Scams

The scammer enters your store carrying a list of compromised credit card numbers, which may include the full card number, expiry date and CVV/CVC. They ask you to key the card number in manually, claiming they have “misplaced” their card or don't have it on them. Once a sale is approved, the scammer simply collects the goods and walks out.

What to look out for:

  • Scammers will often attempt to purchase expensive items using a series of different card numbers that end up declining.
  • Scammers will usually enter the store near closing time and pretend to be in a rush.

How to beat these scams:

  • Insist cards are swiped or inserted into the terminal for in-store transactions.
  • Never manually enter card numbers in-store from cards that are not physically present.
  • Ask the cardholder for another form of payment if their card is declined repeatedly, is damaged or looks tampered with, or their signature doesn't match the one on the back of the card.
  • Never split transactions into smaller amounts or over multiple cards.

Donation Scams

Your business may receive cold calls or unsolicited emails from people claiming to represent a charity, asking for donations in return for promoting your business. The “donation” may be requested as a money transfer or as goods and services.

As with any other card payment, if the transaction is later reported as fraud the chargeback liability falls on you, the merchant.

What to look out for:

  • A call from a charity you have never heard of, or an email, website or letterhead that looks fake.
  • The person collecting doesn’t have any identification or is unwilling to provide you with any when asked.
  • A scammer may try to trick you into giving by thanking your business for a donation it never made, either claiming the payment has not gone through or asking you to make good on a "promised" gift.
  • The person collecting is unable or unwilling to provide you with a receipt.

How to beat these scams:

  • Before you consider giving to a specific charity, search its name plus “complaint,” “review,” “rating,” or “scam.”
  • Be especially alert to these kinds of scams in the wake of natural disasters or major events.
  • Approach charity organisations directly to make a donation or offer support.

Refund Scams

The scammer uses a compromised credit card to make a purchase, then asks for a refund, requesting (for one reason or another) that you refund in cash or to a different debit card via EFTPOS.

What to look out for:

  • Any request to refund in cash, or to a card other than the one used for the original payment.
  • Scammers taking control of the terminal and entering a different sale amount, then asking you to refund the difference.
  • Requests to refund or transfer money for an overpayment or for freight charges.
  • It also pays to monitor all refunds processed. An increasingly common form of fraud involves employees using your EFTPOS solution to process refunds to their own cards. Ensure only authorised staff can process refunds, and know your refund limits.

How to beat these scams:

  • Never refund a transaction to a card other than the one used to make the original purchase.
  • To counter employee refund abuse, keep your refund password in a safe place and regularly change it. Never use a generic password such as 0000.
  • Limit the number of people who can process a refund.
  • Have dual signing authority before processing refunds over a certain amount.
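The refund rules above can be enforced in the POS back office rather than left to memory. The following is an added example, not Till Payments code: a small refund guard that checks every refund against the original sale (same card token, amount within the unrefunded balance, card only, never cash), requires the refund role, and demands a second authorised signature above a threshold. The threshold, the staff list, the token format and the function names are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy: refunds above $200.00 need a second authorised signature.
DUAL_APPROVAL_THRESHOLD_CENTS = 20_000


@dataclass
class Sale:
    txn_id: str
    card_token: str          # the terminal's token for the card, never the raw PAN
    amount_cents: int
    refunded_cents: int = 0  # running total of refunds already applied


@dataclass
class RefundRequest:
    original_txn_id: str
    card_token: str          # token of the card the refund would go to
    amount_cents: int
    method: str              # "card" or "cash"
    requested_by: str
    approvers: list = field(default_factory=list)


# Constructed staff list: who holds the refund role. In practice this comes
# from the terminal's user management, not a hard-coded table.
REFUND_ROLE = {"alice": True, "bob": False, "carol": True}


def check_refund(req: RefundRequest, sales: dict) -> tuple:
    """Return (allowed, reason). Every rule is a deny rule; all must pass."""
    sale = sales.get(req.original_txn_id)
    if sale is None:
        return False, "no matching original sale"
    if req.method != "card":
        return False, "refund must go back to the card, not cash"
    if req.card_token != sale.card_token:
        return False, "card is not the one used for the original purchase"
    remaining = sale.amount_cents - sale.refunded_cents
    if req.amount_cents <= 0 or req.amount_cents > remaining:
        return False, "amount exceeds the refundable balance"
    if not REFUND_ROLE.get(req.requested_by, False):
        return False, f"{req.requested_by} is not authorised to process refunds"
    if req.amount_cents > DUAL_APPROVAL_THRESHOLD_CENTS:
        # The second signature must be a different, authorised person.
        second = {a for a in req.approvers
                  if a != req.requested_by and REFUND_ROLE.get(a, False)}
        if not second:
            return False, "second authorised signature required above threshold"
    return True, "ok"


def apply_refund(req: RefundRequest, sales: dict) -> tuple:
    """Check the request and, if allowed, record it against the original sale."""
    ok, reason = check_refund(req, sales)
    if ok:
        sales[req.original_txn_id].refunded_cents += req.amount_cents
    return ok, reason


def demo() -> list:
    """Constructed scenario: one $300 sale and six refund attempts against it."""
    sales = {"T100": Sale("T100", "tok_4111", 30_000)}
    attempts = [
        RefundRequest("T100", "tok_4111", 5_000, "cash", "alice"),            # cash
        RefundRequest("T100", "tok_9999", 5_000, "card", "alice"),            # other card
        RefundRequest("T100", "tok_4111", 5_000, "card", "bob"),              # no refund role
        RefundRequest("T100", "tok_4111", 25_000, "card", "alice"),           # no 2nd signature
        RefundRequest("T100", "tok_4111", 25_000, "card", "alice", ["carol"]),  # allowed
        RefundRequest("T100", "tok_4111", 10_000, "card", "alice"),           # only $50 left
    ]
    return [apply_refund(r, sales)[0] for r in attempts]


if __name__ == "__main__":
    print(demo())
```

Because the refund must reference an original sale and go back to that sale's card token, the same rule also blocks an employee refunding to their own card: there is no original sale on that card to refund against. Note that the last attempt fails only because the earlier approved refund was recorded; a guard that does not track cumulative refunds lets the same sale be refunded several times.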

Terminal Swaps

These scams occur when a customer (scammer!) swaps your physical POS device with their own – and your daily sales are processed to the scammer’s account.

What to look out for:

  • Be alert to any attempted interference with any of your POS devices.
  • Your POS device suddenly stops working, requires a reset or is showing a different business name.

How to beat these scams:

  • Ensure your POS devices are well secured and regularly check for any signs of tampering.
  • Do not leave your POS device unattended.
  • Personalise your device with company logos or stickers to make it easy to identify.

BOPIS (Buy Online, Pick Up Instore) scams

The option to buy online, pick up in-store (BOPIS) or curbside exploded during the pandemic. In this scenario a fraudster with a stolen credit card makes a big purchase online, choosing the BOPIS option to collect the goods.

What to look out for:

  • Multiple orders using the same payment credential, billing address or email within a short period, or requesting BOPIS pickup at different store locations.

How to beat these scams:

  • Employ a manual review process for high-risk or high-value transactions.
  • Deploy protections on your e-commerce site, mixing automated and human analytics to identify customers without adding friction to the purchase process.
  • Ask for identification at time of pickup and ensure it matches the billing identity.
  • Train dedicated staff members to work on BOPIS, verify customer identity and to spot red flags at pickup.

Third-Party Scams

Third-party processing is where you process a transaction on behalf of another company or person. For example, an unknown merchant asks to use your terminal to process a transaction because their facility is “broken”. They then ask you to transfer the money to their nominated bank account once the funds settle. If any of those transactions are later deemed fraudulent, the chargeback is your responsibility.

What to look out for:

  • Beware of anyone who says things like “If you process these transactions, I will give you 20% of the total sales” or “My terminal is broken and the bank can't fix it till next week. Can you please process these transactions for me, as I will lose the sales?”

How to beat these scams:

  • Never process transactions for a third party.

Business email compromises - phishing scams

‘Phishing’ scams are social engineering attacks designed to steal a user's or business's data, such as login details, bank account or credit card details. These attacks use dodgy emails (and sometimes SMS) pretending to be from a company you recognise, inviting you to confirm, update or verify your details.

What to look out for:

  • Emails requesting you to ‘confirm’ or renew account, personal or business details.
  • The email asks you to immediately initiate a wire transfer or make an unexpected purchase.
  • Unexpected and urgent emails from a C-suite executive asking for an immediate payment.

How to beat these scams:

  • Don't “take the bait”: don't click links or open attachments that lead to a phishing website.
  • If you receive an email that appears to be from your bank, or from a business or government department you deal with, asking you to act, ring the party on a number you already have (from a statement or their official website, not from the email) or go to their official website directly. Scammers go to great lengths to fool you, and fake invoices can look quite genuine.
  • Beware of ‘spear phishing’ too where an email impersonates an individual you already know and trust.
  • Provide employee training and awareness.

Cyber Extortion

Cyber extortion is an online crime where attackers demand something (usually money) in return for ceasing a cyber-attack or allowing access back to your systems. Cyber extortion also occurs when attackers have successfully stolen personal information or intellectual property and threaten to release it if their demands are not met.

Below is a list of some common Cyber extortion types:

1. Cyber Blackmail: an attacker penetrates your network and steals customer data or Intellectual Property (IP), which they threaten to publish unless you pay a ransom.

2. Ransomware: malware that infects your network, encrypts the files on it and blocks access to them until you pay a ransom.

3. Database Ransom: attackers steal data from your database and demand a ransom for its safe return.

4. Distributed denial-of-service (DDoS): Attackers use botnets to flood your server with traffic and jam up your website, demanding a payment to cease the assault.

What to look out for:

  • Most cyber extortion attacks begin with phishing or spear phishing (see above).
  • An increased number of unexpected “pop-ups” in browser windows.
  • Inability to update antivirus or other software.

How to beat these scams:

  • Keep all software up to date, especially your anti-virus.
  • Create backups and store them offline.
  • Be cautious of opening files and downloading programs.
  • Use multifactor authentication.
  • Employee training and education.
  • Use a Virtual Private Network (VPN) when working remotely.

More tips to protect merchants

    • Err on the side of caution: if you're suspicious of an order, reject it.
    • Use 3D Secure 2 (3DS2) for all card-not-present transactions where available.
    • Create a culture of security in the business that allows employees to question payment instructions.
    • Properly configure your gateway's fraud rules (e.g. velocity checks, IP address blocking).
    • Avoid delivering to PO Boxes for customers you have never dealt with before.
    • Periodically review your anti-fraud processes to find any gaps, especially after a breach.
    • Create a process where credit card and customer identification details are checked and matched at the time goods are collected.
    • Use access controls to limit who can perform actions such as refunds, and require dual authority to confirm a payment.
    • Always use strong and unique passwords for each application.
    • Do not keep retrying declined transactions. If a card is declined multiple times in MOTO (mail order/telephone order) processing, don't try to process it further.
    • Do not split a declined transaction into smaller amounts.
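Three of the patterns described on this page are velocity checks that can run over a transaction log: a run of declines on different cards at one store (the Pick &amp; Collect scam), the same card or email ordering at different store locations within minutes (the BOPIS red flag), and a decline followed by several smaller approvals on the same card that add up to the declined amount (a split transaction). The following is an added example, not Till Payments or gateway code; it runs the three detectors over a constructed log. The fifteen-minute window, the three-decline limit, the field names and the sample transactions are all assumptions, and a real gateway would apply the same idea to its own fraud-rule fields.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 15 * 60  # assumed velocity window
DECLINE_LIMIT = 3         # assumed: 3+ declines on distinct cards at one store


@dataclass
class Txn:
    ts: int        # seconds, constructed timeline
    store: str
    card: str      # tokenised card, never the raw PAN
    email: str
    amount: int    # cents
    outcome: str   # "approved" or "declined"


def repeated_declines(txns, window=WINDOW_SECONDS, limit=DECLINE_LIMIT):
    """Stores where `limit`+ distinct cards were declined within `window`."""
    flags = set()
    by_store = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if t.outcome == "declined":
            by_store[t.store].append(t)
    for store, declines in by_store.items():
        for i, first in enumerate(declines):
            cards = {d.card for d in declines[i:] if d.ts - first.ts <= window}
            if len(cards) >= limit:
                flags.add(store)
    return flags


def credential_across_stores(txns, window=WINDOW_SECONDS):
    """(field, value) pairs seen at two different stores within `window`."""
    flags = set()
    for key in ("card", "email"):
        by_key = defaultdict(list)
        for t in txns:
            by_key[getattr(t, key)].append(t)
        for value, hits in by_key.items():
            hits.sort(key=lambda t: t.ts)
            for i, a in enumerate(hits):
                for b in hits[i + 1:]:
                    if b.ts - a.ts > window:
                        break
                    if b.store != a.store:
                        flags.add((key, value))
    return flags


def split_after_decline(txns, window=WINDOW_SECONDS):
    """Cards where a decline is followed by 2+ approvals totalling the declined amount."""
    flags = set()
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    for card, hits in by_card.items():
        hits.sort(key=lambda t: t.ts)
        for i, d in enumerate(hits):
            if d.outcome != "declined":
                continue
            later = [t for t in hits[i + 1:]
                     if t.outcome == "approved" and t.ts - d.ts <= window]
            if len(later) >= 2 and sum(t.amount for t in later) >= d.amount:
                flags.add(card)
    return flags


def run_checks(txns):
    return {
        "repeated_declines": repeated_declines(txns),
        "credential_across_stores": credential_across_stores(txns),
        "split_after_decline": split_after_decline(txns),
    }


# Constructed sample log: two ordinary sales, then one instance of each pattern.
SAMPLE_LOG = [
    Txn(0,    "Store-A", "tok_a1", "ann@example.com", 4_500,   "approved"),
    Txn(600,  "Store-A", "tok_b2", "ben@example.com", 12_000,  "approved"),
    # Pick & Collect: three compromised cards declined in a row, fourth approves.
    Txn(1000, "Store-B", "tok_x1", "x@example.com",   89_900,  "declined"),
    Txn(1120, "Store-B", "tok_x2", "x@example.com",   89_900,  "declined"),
    Txn(1240, "Store-B", "tok_x3", "x@example.com",   89_900,  "declined"),
    Txn(1360, "Store-B", "tok_x4", "x@example.com",   89_900,  "approved"),
    # BOPIS: same card and email at two stores five minutes apart.
    Txn(2000, "Store-A", "tok_c9", "c9@example.com",  150_000, "approved"),
    Txn(2300, "Store-C", "tok_c9", "c9@example.com",  150_000, "approved"),
    # Split transaction: $600 declined, then three $200 approvals on the same card.
    Txn(3000, "Store-A", "tok_s5", "s5@example.com",  60_000,  "declined"),
    Txn(3060, "Store-A", "tok_s5", "s5@example.com",  20_000,  "approved"),
    Txn(3120, "Store-A", "tok_s5", "s5@example.com",  20_000,  "approved"),
    Txn(3180, "Store-A", "tok_s5", "s5@example.com",  20_000,  "approved"),
]

if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_LOG).items():
        print(name, sorted(hits))
```

The split-transaction detector keys on the card token, so it only catches a scammer who splits across time on one card; splitting across several cards at one store shows up instead as the repeated-declines or same-email-across-cards pattern. Tune the window and limit to your own trading pattern before acting on the flags automatically, and treat a flag as a prompt for manual review rather than an automatic decline.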

Forewarned is Forearmed

Train your staff and protect your business from falling into the traps of scammers.