This article originally appeared in the April/May 2019 issue of WiFi HiFi Magazine.
You're sitting in your shop on a quiet Tuesday afternoon, when a phone call comes through. It's a seemingly well-heeled businessman who's looking to buy a number of expensive speakers to outfit his new condominium project.
He's hoping for a deal and heard that you're the guy to talk to in the area, having handled a number of projects that spec'd in these same speakers. Flattered and excited about the prospect of this apparently effortless large sale, you negotiate a fair but profitable price. You discuss the merits of the speaker as he shares how he heard them at an event he attended while on business out of town and was thoroughly impressed. He provides you with his credit card number, and, since he's still away on business, will send a courier to pick everything up to have it delivered once the order has come in.
You excitedly place the order with the vendor and the product is picked up. Everything happens flawlessly. Then a few days later, a call comes in from your payment processor. The payment did not go through. The card was fraudulent.
You pick up the phone to frantically call your newfound client with whom you've, by now, had multiple pleasant phone conversations with, bonding over a mutual love of fine wine, smooth jazz, and skiing in Whistler. You were confident he would become a repeat customer. Surely this is all just a misunderstanding. The number isn't in service. You contact the courier, having dutifully jotted down his name, number, and license plate as a security measure - you even took his photo. Turns out he's just a private courier whose services were procured on a one-off basis through a local ad on Kijiji. All he knows is he delivered a package to the required address, and someone met him outside to sign for it. The building, upon further investigation, is actually vacant.
Reality sets in. You've been scammed.
First, don't feel embarrassed or stupid. Fraud, in some way, shape, or form, has happened to every retailer at one point in time. Any retailer or integrator reading this is nodding his head in affirmation with his own tale of woe to share. After John Thomson, Publisher of WiFi HiFi and Owner of the WiFi HiFi Store in downtown Oakville shared his personal story in our weekly e-newsletter - one that closely resembles the hypothetical one noted above - he was flooded with e-mail replies from readers who assured him they've been through similar experiences. (We share a few of these at the end of this article.)
Retail theft is rampant and comes in a variety of forms - employee theft, returns fraud, brazen thievery, and even organized crime like was clearly the case in the aforementioned scenario.
The growth in online shopping has opened the floodgates for retail fraud and scams, but attacks on bricks-and-mortar retailers are getting increasingly sophisticated, too.
The Internet has presented new opportunities for scammers who make both customers and businesses their victims. Not only the vulnerable are targeted: scammers have become so sophisticated and strategically manipulative that even the most intelligent businessperson can become an unknowing victim.
Beyond e-commerce, small independent bricks-and-mortar retail businesses are facing challenges from scammers who find clever new ways to steal goods and funds right from under their noses. The rise in Organized Retail Crime (ORC) and the increasing level of sophistication of attacks means retailers must manage a delicate balance between serving local customers with a level of mutual trust and keeping their guards up to protect the business against fraud.
"ORC gang members are increasingly bold in their tactics," writes the National Retail Federation (NRF) in its 2018 Organized Retail Crime Survey. "It's a combustible combination - one that requires loss prevention professionals to stay one step ahead during a time in which budgets are tight and laws are less and less of a deterrent." Of those surveyed, a whopping 91.6% reported being a victim of ORC in the last 12 months, and 71.3% have seen an increase in ORC in the past year.
New technologies to combat retail fraud range from chip and PIN and contactless credit cards and readers that accept payments from smartphones, to dynamic CVV numbers that constantly change, and even biometric and facial recognition for verifying purchases and identities. But we still have a long way to go. Many small retailers (even some large) still don't accommodate contactless payments, and certainly don't yet have biometrics on their minds. Even with chip and PIN, fraudsters find ways around it. David Kurth, National Sales Manager for BC-based retail security company Halo Metrics Inc., says thieves sometimes quickly insert a chip and PIN card multiple times to purposely trigger the prompt to swipe instead.
As with any type of con, we're all human. No technology can eliminate the instance of human error. Fraudsters capitalize on the lag time between when a transaction is put through and when that authorization is discovered as fraudulent. They prey on human emotions, ego, and vulnerabilities, and have turned their work into a terrible artform. They're, quite simply, good at what they do. And they're getting better.
In the most sophisticated instances, criminals invest lots of time and effort into scoping out shops and picking the right targets. They hunt for personal details to help build a rapport, and research extensively to gain knowledge about the products and/or your past jobs or clients, or the company or industry they claim to be from - just enough to strike up a conversation, and appear legitimate for as long as it takes to scam you.
Retail fraud can happen right under your nose, whether it's the false return of a product, the use of a stolen credit card, or discount abuse at the cash.
Retail Fraud by the Numbers
Retail fraud is a massive, billion-dollar issue worldwide. LexisNexis Risk Solutions reported at the end of 2017 that fraud as a percentage of retailer revenue was 1.58% that year, up from 1.47% in 2016. The organization estimates that merchants pay close to $3 for every $1 they lose via fraud.
According to the 2018 True Cost of Fraud: Retail Edition report, the success rate for fraudulent transactions is up nearly 30% over 2017; 36% when looking at larger, multi-channel merchants.
Retail theft in Canada overall is estimated to be around $5 billion, says Kurth. "And fraud is a growing segment of that, especially when more transactions are happening online."
In Canada, the Retail Council of Canada (RCC) cites figures from the Canadian Anti-Fraud Centre (CAFC) that pegs the total value of fraud reported by Canadian businesses in 2017 at $30.4 million. That's up a considerable 78% from 2016, and an all-time high over the previous four years.
The retail industry is the fifth highest industry affected by fraud, says the Association of Certified Fraud Examiners (ACFE), susceptible for the simple reason of opportunity.
The products most at-risk fall into one of two categories. The first are low volume and high value. In the tech industry, that might include high-priced speakers or turntables. The second are high volume but low value, such as cell phone cases or charging cables. Typically, targeted products share some common characteristics. According to LPM Insider, they are valuable and in high demand; easily accessible to consumers; easily concealed to avoid detection when stolen; there's expansive availability and demand; they are innovative and/or offer premium performance that is attractive to customers; and they can be easily sold and quickly converted to cash. Respondents to NRF's aforementioned survey suggest that high-end electronics, such as Apple devices, are highly-desired because of the ease of selling them on the Internet, and on the black market.
The good news? Guy Charpentier, Director, Customer Compliance and Fraud at Mastercard, says Canadian retailers have "one of the lowest fraud rates for payment cards, thanks to their adoption of EMV [chip cards]." But retail fraud is far from being nonexistent.
Chip and PIN EMV cards, and mobile payments, have helped reduce fraud rates for payment cards, but fraudsters still find ways around it, and we're still far from every retail accepting payments via mobile device.
Different Types of Retail Fraud
Retail fraud can run the gamut, from customers who falsely bring back returns, to cash register tampering. It can happen anywhere within the supply chain.
Here's a breakdown of some of the most common types of retail fraud, both in stores and online.
Chargebacks: This occurs when a customer falsely reports a product as not having been delivered. The cost of the product is charged back to the merchant by the credit card company, and the customer is credited. The retailer then incurs the costs not only for the "missing" item, but also of the logistics, payment processing fees, and the inventory cost to replace the presumably lost item.
Card-tested: In this instance, a person acquires a list of stolen credit card numbers and tries all of them until one works. Then, they proceed to use that winning card to make other fraudulent purchases. Fraudsters typically start with a small purchase, like gas or fast food, then work their way up to larger stores and bigger ticket purchases once they've verified success with a card. They'll often target locations they know accept card swipes versus chip and PIN. Kurth says some thieves even tamper with pin pads and steal information, as well as use printed credit cards and run them through the card swipe when associates are not paying attention.
Return fraud: This can come in many forms. A customer steals an item and tries to return it for gift cards. They might find a lost or stolen receipt and try and use that for a return. A practice called shoplisting is defined by a person who buys an item, walks back into the store on another occasion, picks up the same item, and tries to return that one (before paying) using the old receipt. Another tactic fraudsters use is to move a lower-priced label to an item, then try to return it at the original price. Wardrobing is when someone uses an item then attempts to return it as new. Kurth says Halo Metrics has also seen instances where thieves have receipt printers to create fraudulent receipts that look nearly identical to the real thing; as well as gift card fraud where fraudsters tamper with gift cards on the shelf. "[They have] legitimate customers buy and activate cards that are really in the hands of the thief.
The industry is moving towards new and seemingly more secure methods of payment, like smartphones and biometrics, that may, at some point in the future, eliminate physical cards altogether.
"We are aware of multiple retailers," adds Kurth, "that return more of certain products than they sell due to open return policies that allow criminals to turn stolen merchandise into cash."
In the aforementioned NRF survey, retailers said they expect that of the 11% of annual sales that will be returned, 8.2% will be fraudulent. The Retail Equation (TRE), meanwhile, estimates that 4.2% of returns are fraudulent, costing Canadian retailers $1.7 billion annually.
Some payment processors have developed solutions to combat returns fraud. In 2015, Moneris launched its Verify service for large enterprises, which uses statistical modeling to analyze data along with predictive analytics to look for patterns in a customer's return history. And companies like Halo Metrics offer products that can be attached to merchandise to help prevent items from travelling straight from the shelf to the return desk.
Discount abuse: You might not mind if your employees occasionally share their discounts with close family and friends. But discount abuse is when they use this privilege to buy items, then re-sell them to friends at a profit (but still under the retail price) and pocket the difference. Or, they might purchase an item, and have a friend return it to another location without a receipt to make money. Putting a limit on the number of times an employee can use his discount, and/or keeping track of all purchases and serial numbers, might help eliminate instances of discount abuse.
Sweethearting: Also known as under-ringing, this is when employees ring in a purchase - typically for a friend or family member - at a price that's lower than the actual pricing. Larger retailers typically require a manager to authorize price overrides to prevent this. But for smaller shops, losses might just be labeled as a presumed mistake. Surveillance cameras, and detailed time and date transaction receipts, might help deter this.
Inventory theft: Smaller independent shops might not have sophisticated inventory management systems in place, which leaves the door open for nefarious employees or vendors to take product and remove records from inventory, mis-price product, or be deceptive about deliveries. If this is, or has been, an issue in the past with temporary employees or the occasional bad apple, it might be worth investing in a solid inventory system. While it requires an upfront cost, the reduction of lost inventory could equate to savings, not to mention peace-of-mind, in the long run.
Retail fraud can happen at any point in the supply chain, including inventory and vendor theft. (Photo: Square)
Vendor theft: This might consist of vendors failing to ship as much product as they're invoicing for, particularly with items that come in bulk, such as confectionary products at convenience stores. With larger, high value products, vendor fraud can occur when vendors stock inventory in a store and shortchange the dealer. It would help to always have an employee do inventory counts and checks on deliveries, particularly if you're dealing with a new vendor.
Organized retail crime (ORC): Groups of individuals work together to de-fraud retailers. According to the NRF's 2018 Organized Retail Crime Survey, ORC costs retailers US$777,877 per US$1 billion dollars in sales, with nearly three in every four respondents saying they've seen an increase over the last 12 months.
With ORC, there are individuals who each take on a specific role. The booster(s) physically steals the items. The fence sells it to a customer or a diverter. A diverter is a person or business that sells stolen property back to retailers at discounted prices, sometimes even through a legitimate wholesaler or distributor that may be unaware they're part of a chain of fraud. The goods end up being sold online, through flea markets, or even back to legitimate bricks-and-mortar shops that are none the wiser. Kurth says some of those too-good-to-be-true work-from-home e-mail pitches relate to retail fraud. Scammers hire unsuspecting (or suspecting) individuals to accept deliveries of stolen goods and slap new labels on them. The scammers use the person's mailing address in exchange for a small fee for minimal work, and they remain blissfully ignorant of their role in retail crime.
A decade ago, a ring of thieves was caught stealing from various chain stores in Lakeland, FL. After taking the items, they'd resell them through a discount store that operated on eBay as well as in local flea markets. The group of 18 criminals hit up to 15 stores per day, stealing up to US$3,500 worth of goods each time. Over a period of five years, it was estimated that they stole anywhere from US$60-US$100 million worth of goods.
Halo Metrics is looking at technologies that track the location of individuals within a bricks-and-mortar store to help identify people who are present during multiple fraud events, and alert retailers when they return. Such a system could have prevented that crime ring from persisting for so long.
Pin pad security products, including a mount, cradle, and hold down kit, prevent thieves from being able to tamper with a pin pad to steal credit card information. (Photo: Halo Metrics)
Read on for tips on how to combat retail fraud...