In honour of fraud prevention month, JCWG has reworked this piece originally from an interview with then-Staff Sergeant Chris Lawson of the Halton Police Service on common retail fraud and prevention tips.
In this new retail age of technology, store capacity maximums, and click-and-collect, the risk of shoplifting has diminished greatly. However, the trade-off is that the risk of other forms of loss are on the rise. This has only been compounded by the effects of working from home, one tap payments, and online shopping. Here are three common retail scams that you should be aware of.
The Executive Scam
This scam has been estimated to cost American businesses 2.3 billion dollars in 2016 and is a serious concern to businesses at all levels.
Here is how it works: Criminals take the time to learn about a business, including the names and email addresses of key people within the business. The scammers take the time to understand the target organization’s relationships, activities, interests, and travel and/or purchasing plans. Once this information has been obtained, the fraudster will pretend to be the president, CEO, or owner of an organization, and send an email from a fake email account to the finance manager (or anyone with authority to send a wire transfer or make a payment), requesting a wire transfer. The email will look nearly identical to a legitimate email — except for one small and hard to detect change.
For example, let’s say Carl Simpson is the owner of Happy Pet, a chain of five pet stores and has the email of email@example.com.
One day, Sally, who looks after the books and payments for Happy Pet, receives an email from “Carl Simpson” that says:
“Hi Sally, are you busy? I need you to wire me $50,000 ASAP. I am trying to buy another store and need the cash wired to complete the deal. Let me know when you can do this, and I’ll send you the account details. And please don’t mention this to anyone; this is a secret deal.”
Sally, wanting to be a good employee, quickly responds, receives the necessary details, and promptly wires the funds — typically to an offshore location.
Sadly, Sally didn’t notice the email was from firstname.lastname@example.org instead of the proper domain of “happypet.com” and now the $50,000 is gone.
See the subtle difference one character can make?
In Ontario and all of Canada, this is a very common scam, with millions of dollars being lost. To prevent this, ensure that you have policies in place to double check the veracity of emails.
S/Sgt. Lawson’s advice to retailers is this:
“A simple policy of verbal confirmation of instructions can save you a lot of money. Talk with your staff about the policy and tell them that every time a request is made for a wire transfer or an unusual payment, that they call the requestor to confirm it.”
Change of Bank Account Scam
This is very similar to the Executive Scam and has many of the same principles, but with a slight twist.
The criminal element will delve into a company to learn who the key people are in finance or accounting and find out who some of the companies are that the victim company uses as suppliers. Once they have this information, the fraudster will email the bookkeeper from what appears to be a legitimate supplier email, but it will be from a fake email account (just like the executive scam).
Typically, the email will say something like:
“Hi Pam, we have been having trouble with our general bank account, and the bank has requested we temporarily refrain from using that account until they sort it out. For the time being, can you kindly remit your payment for the last invoice to our account in Europe? Please get back to me, and I’ll send you the details of where to wire the funds.”
Again, Pam, wanting to be a good and efficient employee, quickly responds and “pays” the invoice by wiring the funds to the new account. The fake email domain is only changed by one character making it exceedingly difficult to notice the change. S/Sgt. Lawson cautions businesses that this scam is quickly gaining ground.
“This scam has targeted businesses small and large: a national retailer fell victim to this scam and sent nearly $600,000 to an offshore account which will never be recovered.
Similarly, a medium sized retailer, sent $250,000 to a bank in Prague after receiving an email from whom they thought was their supplier in China stating they had changed banks and requested invoice payment to a “new account.”
In each of the cases, the money was lost, and the real invoice still had to be paid. The best way to prevent being a victim of this crime is to have a policy for your staff to speak directly to the supplier any time a change in payment is requested.”
With e-commerce at an all-time high, businesses are more at risk for chargeback or “did not receive” scams. Typically targeted more at small businesses, customers will order a product, wait for it to arrive, and then either demand a refund claiming they did not receive the item or simply apply for a chargeback. Other claims they will apply for a chargeback include that the item was not as described or arrived damaged. This not only results in loss of income, but some services will penalize the seller for too many chargebacks. Here are some of the ways that businesses can protect themselves against this scam:
- Pay for product tracking. This is one of the simplest ways that businesses can protect themselves. It’s more expensive, but worth it.
- Ensure that the product description includes a photo and as much detail as possible. This is especially important for electronic parts that only work for specific models.
- Pack products carefully and, if possible, take a picture of every package sent out. Or establish and make public a packing policy.
- Make your return policy transparent and easy to understand and include it in all customer correspondence.
Now that you know some of the scams that your company may be targeted with, it’s time to look at your internal processes and where they can be tightened up to help prevent this from happening. Knowledge is the key to minimizing the impact when it comes to loss prevention, so taking the time to educate your staff is an investment well worth making.