Businesses in Toronto’s Beaches neighbourhood are reporting thousands of dollars lost to card machine scams, prompting officials to warn others about the thefts.
Pippins Tea Owner Barbara DeAngelis told Now Toronto that she recently lost $4,900 to scammers who targeted her point-of-sale (POS) machine.
According to her, a scammer managed to override the machine’s refunding system, after claiming they were at the shop to buy a gift for a grandparent.
The scammer allegedly pretended to have difficulties with the machine and said he would come back with cash, but eventually the shop owner discovered the unauthorized refund.
“For a little [business owner] like me with a tea shop, it’s substantial, you know, it’s a big thing,” she said.
But DeAngelis’ store was not the only one. The Beach Business Improvement Area (BIA) tells Now Toronto that three other businesses in Toronto’s Queen St. E. area have also recently been targeted in a series of similar POS scams.
After hearing from DeAngelis, the BIA says it has sent out email warnings to more than 300 contacts in its newsletter recipients’ list about the issue.
“There may be more [incidents] we don’t know about as all three owners were shocked and embarrassed it happened,” a BIA spokesperson told Now Toronto.
“It’s heartbreaking for small business owners who work so hard for every dollar. We encourage everyone to support those who have been targeted.”
Meanwhile, DeAngelis says she believes the standard settings on POS machines are to blame for the incidents.
She explains that her POS provider, Moneris, like most POS brands, has settings that allow users to issue a refund without needing to put in their chosen security password by putting in a default PIN.
“They know that this is a default setting, and they know the keys to hit to activate it and put through a refund. Because when they come into my shop and take my pin pad and pretend to be putting in their card and pretend to be hitting their PIN number, they’re actually putting through an independent refund,” she said.
The tea shop owner says that she contacted Moneris right after the incident, and the company agreed to take the loss and refund her the $4,900, as well as helping her change her machine’s settings.
“They’ve absolutely totally taken care of me, and I’ve gone in and had all of my settings changed,” she added.
But DeAngelis hopes the companies change the default settings moving forward to exclusively require a password to issue refunds and consider putting a limit on how much can be refunded.
“People trust companies to give them [the] equipment. I don’t understand the technology of a PIN pad. Do you know what I mean? But so [I] trust that [I’m] getting equipment that’s set up with the highest security levels,” she said.
HOW CAN BUSINESSES AVOID THIS SCAM?
A spokesperson for Moneris says the best way for business owners to avoid similar scams is to change their settings and stay vigilant.
According to them, the machines allow owners to require passwords for refunding transactions or even limit these kinds of transactions to a “managers only” option.
“They can assess the optimal process for their business from a user role perspective and ensure that all employees are informed. At a minimum, they should establish a password requirement for refunds, regardless of employee level,” they told Now Toronto in an email statement.
They’re also warning businesses to pay attention to customers upon payment, especially if they are taking more than a few seconds to complete the transaction, and offer assistance if needed.
“In most interactions, customers only need to tap their card or smart device or insert a card for a chip and PIN transaction. Taps take a moment, and entering a PIN and choosing an account should only require a few simple screen presses to complete,” the spokesperson added.
Moneris also advises businesses to always check the receipt, which should show the type of transaction that was made.
Toronto Police Services (TPS) also says owners “should take a pro-active approach and protect themselves from POS theft and fraudulent transactions.”
Besides changing their settings, businesses should also keep the machines out of reach of customers and hide them away when shops are closed, police advised.
The Beaches BIA recommends that any business owner who falls victim to the scam contact TPS to file a report, as well as their POS provider.
“Our BIA has a good working relationship with our businesses and are here for them as well to help communicate it so other businesses don’t fall victim to it,” it said.
