Combatting the New Era of Theft & Fraud

By Michael Raine

The criminals were working from home, too. It’s something I hadn’t really thought about until doing the research and interviews for this article, but of course it’s true. With retailers closed to in-store shopping for much of the last 18 months, the door was also mostly shut on in-store theft. But as the Yuppie Nuremberg Defence dictates, there’s a mortgage and bills to pay — even for thieves.

“What a lot of people neglected to think about in 2020 was that for a lot of these organized criminals, theft and fraud is their business. It’s their source of revenue,” notes Stephen O’Keefe, who has earned the Retail Council of Canada’s Loss Prevention Lifetime Achievement Award for his three-decade career protecting Canadian retailers from criminals. He is now the principal at Bottom Line Matters, which works with small- and mid-sized retailers on theft and fraud prevention. “A thief or a fraudster … would obviously opt not to stop their revenue stream, and so they just looked for a different way to commit these offenses. And that’s why some of these frauds were on the rise because people who would normally steal in-store, that source was cut off and so they had to look for other ways to make money. But, don’t get me wrong, these criminals pay their hydro bill and their water bill and their mortgage with money they get from the frauds. You can’t just cut them off thinking, ‘Oh, well, obviously we’re in COVID-19 times so everybody’s going to adapt to the changing environment.’ But the thieves didn’t.”

It’s no surprise then that a study from LexisNexis Risk Solutions found that retail fraud went up in 2020 in the U.S. and Canada. In the report, entitled 2020 True Cost of Fraud Study: E-commerce/Retail Edition, there are these three key takeaways: 1) More fraud attacks translated to higher costs for merchants, with the average number of successful fraud attempts increasing for all sizes of retailers, though it was especially costly for mid- and large-sized retailers, who experienced up to 70% more fraud attempts in 2020; 2) A surge in online and mobile purchasing meant a parallel increase in online fraud; and 3) Distinguishing customers from malicious bots and fraudsters became more difficult, and it became especially hard for retailers to balance fraud prevention with providing a smooth ecommerce experience for legitimate customers.

And when stores have been open during the pandemic, that also provided new windows of opportunity for thieves.

“The bottom line is this — losses went up. The National Retail Federation in the U.S. reported the highest shrinkage rate in over 30 years in 2020. Yes, the controls were put to the test with limited resources, in many cases, for businesses to execute their standard operating practice, but there was also the health and safety aspect — how does a loss prevention professional, safely and at a socially-acceptable distance, stop somebody from getting away with a theft when the stores were open? The sad news is, many didn’t,” comments O’Keefe. “The loss wasn’t worth the risk, and the thieves knew so and took advantage of the vulnerability of the times. Things are changing now, but sadly shoplifters are lagging and still taking their chances.”

In terms of one of the types of fraud facing small- and mid-sized retailers, especially those with less experience in fraud prevention, credit card fraud has become sadly common. It’s pretty straightforward and involves thieves using stolen credit cards to purchase goods and then reselling them for cash. For retailers, if they don’t have the proper protocols and prevention measures in place, they get dinged with a chargeback from the bank and are now out both the stolen product and the cost of it. Sadly, the experiences of Sherwood Music in Kitchener, ON provide a good lesson in how this fraud can work and how retailers can get hit hard.

CTV News first reported in January 2021 that two fraudsters purchased six Gibson guitars from Sherwood Music in separate credit card transactions over the phone. The store took the card information, including the CVV, a postal code, and driver’s licence information. Days later they found out the credit cards were stolen and the driver’s licences were fake.

In total, Sherwood Music Sales and Procurement Manager Marcus Wanka tells CMT that the total value of the six guitars was about $23,000. And in addition to losing the guitars, the store got a chargeback from the card-issuing bank because the purchases were made over the phone.

“So, we had a fella call up that was looking to buy Les Pauls and, initially, he was just looking for information. So, he had a guitar in mind that he saw on our online store and he was asking questions about it,” Wanka tells CMT about how the fraud went down. “He called in, which was sort of par for the course at the time because this was around mid-January, so we were locked down.”

Sherwood Music, like most retailers, had a “no credit cards over the phone” policy, but because of the circumstances with the lockdown, Wanka acknowledges that they weren’t sticking to the policy like they should have. He says that now, having learned the hard way about this type of fraud, he sees that there were red flags in those phone conversations that the store didn’t recognize at the time. The first big red flag was that the man insisted on paying by credit card over the phone rather than purchase the guitar through the website.

“So, we took the credit card over the phone, then he asked if he could have it shipped with a Purolator label that he provided. So basically, private shipping to an address in Toronto,” Wanka continues. “Right away, we did what we normally do; looked up the address and saw, yeah, there’s a house there. So, just got some information from him, got his driver’s licence, got the information on his credit card, did what we thought was our due diligence, typed in the number, and everything checked out. So, the guitar is sold and we shipped it off and away it goes and he’s a happy customer.”

Then, a couple days later the guy calls back and goes through the same routine with a different guitar. “He did this a number of times over a week or two, just sort of upping the ante each time and buying a more expensive guitar using the same method,” says Wanka. And then a second person calls, wanting to do the same thing, with the guitars being shipped to the same address as the first guy. That’s when the folks at Sherwood Music got worried and knew something fishy was going on.

“Obviously this shows how green we were to the online world, because most of the other stores that we talked to that also got scammed didn’t get scammed as many times as we did,” Wanka recognizes, saying the same thieves also hit nearby Guelph Music, as well as other stores in Orillia and Cornwall, ON, and one in Manitoba. They also tried to scam Mountain Music in Hamilton, ON, but the folks there wisely refused to do any transaction over the phone.

“We called Visa first and they said you have to call the bank that provided the card. So, okay, we call the bank and they were like, ‘Yeah, everything looks okay here — no big deal.’ Then we asked, ‘Well, can you verify the address?’ and when we asked them that, they said, ‘Yeah, that’s not the address that matches the credit card,’” Wanka remembers.

“So, we were like, ‘Is it fraudulent?’ and they said they didn’t know. You know, maybe he lives at his dad’s house or something. Who knows, right? Maybe he’s living wherever the address is related to. In the meantime, we then checked his driver’s licence with our regional police and they told us, ‘This is a fake driver’s licence and that number doesn’t exist.’ So, at that point we were on to him and we went from there trying to do whatever we could to either get our stuff back or get more information from him so that we could maybe have some recourse, which of course never happened.”

To add insult to injury, the Sherwood Music team could later see their guitars being sold on Kijiji by someone in Montreal. Frustratingly, they were told by Waterloo Regional Police that for jurisdictional reasons, there was nothing that could be done and that they shouldn’t engage with the fraudsters. Looking back at it, while they did try to push the man on the phone to purchase the guitars through the store’s website, when he insisted on doing it by phone, that should’ve been a major red flag and Sherwood Music should have ended the purchase there. Like most current point-of-sale (POS) systems, Sherwood’s does flag suspicious credit card purchases and, it also could have avoided the chargeback (or at least allowed Sherwood to fight it more successfully).

“What we learned was that we have to be super diligent. One, never take the cards over the phone for somebody you don’t know. That’s an obvious one, and we kind of already knew that, but given the circumstances, we didn’t really have a choice — or we felt we didn’t. And two, the big thing was just push everything through online, because that’s the only way we can filter things,” says Wanka.  “We’ve got all kinds of fraudulent transactions online all the time. But we’re able to see that, say, the CVV doesn’t match or the billing address doesn’t match and then we’re able to call the customer and say, ‘Sorry, this is weird but we’re going to call your bank, so can you give us some more information?’ and all we do is call their bank and just say, “I have this number from this customer who bought something in my store. Are you able to tell me if this billing address matches?’”

“When we first went online, I’m talking years ago, that is when it really came to light that there’s actually dishonest people out there. So, early on, we didn’t have any systems in place and we were just taking online orders and we would get hit 30 or 60 or 90 days later with a bank chargeback saying there was a fraudulent transaction,” remembers Rudi Brouwers, COO at Cosmo Music, the Richmond Hill, ON-based MI superstore. Over the years, Brouwers has (unfortunately) had a lot of experience dealing with thefts and fraudulent transactions, and in working with regional police to catch the criminals. Because of this, he’s eager to lend his experience and knowledge to help any fellow MI retailers improve their security. That is why he immediately arranged a meeting with Wanka and the Sherwood Music team after reading about their ordeal.

“When we first started out, we learned some really valuable lessons. You have to put things in place to combat that and we did some research and found some tools that we added to our website, specifically a program called Kount, and it assists with fraud detection. With it, there’s all kinds of different rules that you can set up for catching criminals when the orders are placed,” Brouwers notes.

As O’Keefe also explains, fraudsters will often try to test a store’s security systems in smaller ways before trying to make a big purchase. “They try something small to see if the business is protected. This is the best red flag that could be there. It just takes experience to know that is what they’re doing. Online frauds are probably the most common that businesses should look out for. There are systems that can be used to identify red flag activity, but they can be pricey for sure,” says O’Keefe. “An understanding of all of the rules that apply to complete a transaction is the minimum standard. What I mean is this; if a card is not present [like when a card number is given over the phone], and a fraud takes place, the retailer is at risk of not complying with the Payment Card Industry (PCI) Data Security Standard rules. If there is a fraud and the business is charged back, there is not a lot they can do to argue that they followed the rules. This is where a business needs to partner with the right financial institution partners who have safeguards built in. Go it alone and the retailer is very vulnerable.”

One obvious red flag that any good POS system should detect is when there are different ship-to and bill-to addresses, especially if it’s an expensive item. “Also, multiple orders placed closer together for, typically, smaller amounts, like in the $200 to $300 range, where they’ve placed multiple orders within a couple hours or even over a couple of days. That is a flag, because they try to order first and if it succeeds, then they continue to keep doing it and keep doing it until you catch it,” explains Brouwers. “So, one of the rules we’ve set [in the Kount system] is if there’s more than two orders within a certain timeframe, it’s flagged for review. Then our team will take a look at it and vet it and make sure it’s okay.” Over the phone, a lot can be deduced from the tone of the conversation and the types of questions the person is asking. Are the types of products they’re asking about logical, or just a lot of seemingly-random expensive items?

“So, they’ll ask, ‘Is this Gibson guitar in stock? It isn’t? Okay, what about this keyboard, is that in stock?’ So, stuff that just doesn’t make any sense,” adds Brouwers, also saying to note if the person seems antsy or rushed on the phone. “Those kinds of things are usually sketchy. Customers that are asking to send a courier to pick up their new order? Yeah, that’s a problem. Also, orders that come from certain areas where fraud is known to be. There are specific provinces in the country where more fraud orders come from and you just get to know and flag those. Quebec is one that we’re really targeted from a lot. So, we’ve got a flag now for any Quebec orders over a certain dollar amount and watch for them. Basically, what it does is reviews those orders and it stops the orders from getting into our system before we can take a look at them to make sure they’re legit customers.”

When there is an attempted transaction that requires review, it’s a simple call to the customer to get more information. Typically, this is only necessary for first-time customers, as the POS system will remember if a person’s prior purchase was manually approved. The vast majority of legit customers will understand and even appreciate the caution you’re taking to ensure the store and customer is protected from criminals.

So, Cosmo staff will call the number provided on the order and say, “‘Hey, I’m calling from Cosmo Music. We got your first-time order — that’s great, thank you for doing business with us. Typically, for a first-time order with this dollar amount, we’d like to ensure that the credit card matches the address, because we do get hit with fraudulent orders. We just want to make sure we’re covering ourselves for your safety and ours,’” Brouwers explains. “They’ll give the credit card number, nothing else but credit card number – no CSV and no expiry date, you don’t need that. We’ll then call the bank that issued the credit card and do an address and phone verification…. If that matches what the customer has used for the order, then we just approve it.”

If things don’t match and they can’t be sure it’s a legitimate purchase, the order is cancelled and notice is sent saying, “Unfortunately your order has been canceled due to X reason. Please check with your bank.” At that point, the fraudster will just move on to their next target.

Now, of course it is preferable to deter every fraudulent transaction or in-store theft and avoid any hassles. But, even good systems and protocols can get beat sometimes. Frankly, it is tough for retailers get their money or goods back, but it is possible sometimes.

“The payment card industry has to have strict rules to stay in business. For chargebacks, retailers will know they are quick to decide the retailer is at fault. But there are times when you can successfully challenge a chargeback. Without going into too much detail whereby areas where vulnerabilities are broadly communicated, let’s look at a situation where signatures don’t match on some of those old-school transactions,” says O’Keefe. “Let’s says the retailer is charged back because the signature doesn’t match. But the transaction was four weeks prior! Who can defend themselves after the fact? The card is gone. The reason I use this case is because I was involved in this one on the receiving end as a loss preventer. I challenged the credit card company to tell me about the five transactions before and after the person bought from the company I represented. They wouldn’t, of course, but since my argument was that I thought the card might be counterfeit, which would mean that the signature of the fraudster would match because they made the card and signed the card at home, the credit card company backed off. There were multiple retailers victimized by the same person, so it had to be a duplicate card and the signatures must have matched. The retailer followed the rules and the chargeback was withdrawn. So, it takes work, but yes there are ways to get your money back.”

Having said that, O’Keefe reiterates that the easiest way to get goods back is to catch the bad actor. For small businesses, this means working closely with the local police or engaging the services of a third party. And working with regional police is something that has proven successful for Brouwers and Cosmo Music. There are a couple notable instances of theft he shares where the person was caught and the store was able to get its products or money back by engaging local police, as well as Crime Stoppers in one instance and a local City News reporter in another.

In the first case, a man stashed a $900 guitar pedal and $4,500 trumpet into his backpack and walked out the front door. The security alarm at the door was triggered but the man kept going. A staff member went after him but when the man didn’t stop, there wasn’t much they could do. Like most businesses, for safety’s sake, Cosmo Music’s policy is to not physically engage any suspected thief.

In another case, a stolen credit card was used to buy a $950 Roland DJ controller and a young woman arrived to get it via curbside pickup. Typically for curbside pickup, the store checks the ID of the person picking up the products and either writes down or takes a picture of their car’s licence plate. The woman said she took public transit, and so instead she agreed to take a picture with the DJ controller (though she was wearing a mask because of COVID).

“I got a hold of this and when I have enough information, I go after them,” says Brouwers. “So, I filed a police report with York Regional Police and the detective that I work with quite often, she is amazing. She tracked it down, put it on Crime Stoppers and somebody reported it and she has since had a court appearance and had to pay restitution. So, we’re getting our money back and she’s got a criminal record now. So yes, I would say for sure, pursue the ones you can.”

That said, before anyone gets any ideas about vigilante justice and social media manhunts, it’s important to know this fact; it’s illegal to share images of anyone online without the consent of the person or the police. Importantly, Brouwers and Cosmo Music were working with regional police before any photos and information about the thieves was shared online.

“It’s not advisable because people make mistakes, but it’s also not advisable because there is an element of privacy that is legally attached to a photo,” O’Keefe says about distributing photos or video of suspected thieves. “In order to share private information, you need to have explicit or implied consent from the individual. And because you’ll never get consent from a bad guy to share their photo, it becomes a situation where, yes, they stole from you, but you also committed an offense by posting personal information without consent.”

In the end, Wanka says the lessons they’ve learned aren’t complicated, but just come down to vigilance. “I would just say, ask a lot of questions. Always be wary of online, especially out-of-province, sales. Do your homework and be a bit of a detective on the phone. I think there’s a way to be personable and polite and get the information that you need. You don’t have to be aggressive and rude and weird. I think we’ve gotten pretty good at that,” he says. “And we’re really honest with people. If there is an out-of-province sale, we just say, ‘Listen, we were in a situation where things got really bad for us, we got scammed, and we need as much info from you as possible,’ and everyone who’s legit has been totally willing to offer it up right away with no problems and it’s usually a match. There’s been a couple times where it’s not and we just say, “Sorry, we can’t sell you this’ and they just say ‘okay.’ So, just be honest with the customer, I think, is the best thing you can do.”

Alan Friedman’s Top Facts & Tips on Internal Theft & Fraud Prevention

Alan Friedman, senior partner with the accounting firm Friedman, Kannenberg & Co., calls internal fraud “the dirty little secret of retailing.” So, here are his tips for identifying the problem.

INDICATIONS OF FRAUD IN YOUR STORE
1. Store owner who insists no fraud exists in his or her store
2. Vendor payments are made without proper documentation
3. Vendor payments are sent to unknown and/or unusual places
4. No reconciliation of key financial (general ledger) accounts
5. One bookkeeper with incompatible duties who rarely takes a vacation
6. Constant out-of-stock status or confusion in a particular department
7. Manager with complete control who resents intrusion and displays erratic behaviour
8. No control over exceptions (i.e. customer returns, backorders, etc.)
9. Employees whose lifestyles are inconsistent with their earnings
10. Store with minimal owner and/or management oversight.

HOW TO MINIMIZE INTERNAL FRAUD
1. Segregate incompatible bookkeeping duties
2. Maintain perpetual inventory records and safeguard inventory
3. All shipping, receiving, transfer, and sale documents are signed and dated to assign and fix responsibility to an employee
4. Never purchase inventory by cash
5. Take frequent inventory counts in teams of two, and reconcile all discrepancies
6. Owners MUST be active in their business and show employees they care about the safeguarding of assets.
‍