This article is part of our collection on Cyber Security
Requesting repayment in exchange for goods or services is a cornerstone of consumer law, but it’s increasingly being exploited by criminals. In the latest in a series to increase awareness among businesses of the potential threats they face from fraudsters, we look at refund scams.
Last updated: 02 Dec 2020 6 min read
Most people, at some time, have exercised their consumer rights and sought a refund for a product or service. But while most requests for refunds are from honest customers, thousands more are from criminals who never bought anything in the first place. Welcome to the world of refund fraud.
“There are two main types of refund fraud,” says Sandeep Vegad, fraud manager at Tyl by NatWest, the bank’s intelligent payments tool for SMEs. “One is a customer trying to get money back for something they never paid for, and the other is a dishonest employee who ‘refunds’ money into accounts belonging to themselves, family or friends.
“A fair refund policy is good customer service, but it’s imperative to make sure the refund is warranted before handing money back,” adds Vegad. “Businesses need to be aware of the risks, many of which can be minimised just by taking a few simple steps.”
We’ve compiled a guide to the types of scams used by customers and employees to defraud businesses, and how SME owners can thwart them.
How it works: “A common type of face-to-face refund fraud is done by distraction,” says Vegad. “Two or three customers enter a shop and one goes to the counter to buy something. As the assistant hands over the card machine so he or she can enter the PIN, the others create a distraction. Because the first person is now holding a machine with all the security cleared by the assistant, they press a few buttons and, instead of paying, give themselves a refund – in a recent case we dealt with, the fraudsters tried to con a business out of £2,000.”
Prevent it: Educate staff about the details of this scam. When any kind of distraction occurs, immediately take the card machine back and don’t hand it over again until the situation is resolved.
How it works: “Some customers ask to return goods and give all the appearance of doing so – while actually returning something different,” says Reece Maunder, fraud analyst at Tyl by NatWest.
This can be as straightforward as buying an item, then returning to the same store later, picking up an identical item and taking it to the counter with the original receipt to get a refund.
“Other fraudsters take a purchase out of its box, then replace it with either an older, broken item or something completely different of exactly the same weight. Then they send/hand it back in the original box so the vendor believes it’s the genuine item,” says Maunder. “Many companies – even some very big high street names – don’t check the contents for days, even weeks afterwards, by which time it can be too late.”
High street fashion retailer Zara hit the headlines for this very reason in October 2019, after it emerged a shopper named only as Tania MA had been taking the tags off new purchases, putting them on old clothes, and returning the used items to stores to get refunds. She targeted numerous Zara stores in Spain over an 18-month period and was eventually jailed for six months.
“A fair refund policy is good customer service, but it’s imperative to make sure the refund is warranted before handing money back”Sandeep Vegad, fraud manager, NatWest Tyl
Prevent it: Try to tag each item with an individual code. Check the contents of any returned packaging immediately, and certainly before you hand over a refund. Amazon now routinely screens every returned package before refunding.
Maunder adds: “For high-value items such as TVs, both Argos and Currys PC World have one generic code for the product but then another individual item code hidden inside the box.”
How it works: Some fraudsters will find a receipt for goods from a business and then, in a practice called shoplisting, cherry-pick items that match those on the receipt, take them to the counter and ask for a refund.
Prevent it: Check the receipt for anomalous dates: some barcode systems give even identical items their own individual number.
How it works: As the heading says, the fraudster orders a product online, it’s duly dispatched – but they claim they never received it and ask for a refund.
Prevent it: Use tracked courier services that prove the goods were delivered and signed for.
How it works: There’s a booming underworld industry in printing forged receipts. Very convincing fake receipts for very high-value items can change hands on the dark web for hundreds of pounds before being presented to an unsuspecting business.
Prevent it: Issuing digital receipts by email can help reduce the risk of accidentally accepting a fake printed one.
Says Maunder: “In all of these cases you can build in extra security by limiting the number of staff who are authorised to give refunds, so that each claim can be double-checked. On many card systems, the merchant can set permission levels so only certain employees can give money back. It’s also a good idea if the authorised person has two user profiles – one with permissions enabled and the other without. In the event of a refund request, having to log into their enabled profile will give them time to assess and think about whether it’s the right thing to do.”
How it works: “In many employee fraud cases, a staff member will authorise a refund to the card of a family member or someone else they know,” says Vegad. “This is particularly easy for them if there are no checks or no formalised system of recording purchases. We had a recent scenario in which one of our clients had authorised £1,000 of refunds but there weren’t any corresponding sales.”
Prevent it: “Proper recording, auditing and checking of transactions both in and out is absolutely vital in reducing the risk exposure,” says Vegad. “And make the refund process a rigorous one with strict limits. If everyone can give refunds, it makes your business more vulnerable to employee fraud – and even those who are authorised should have caps and limits.
“We would always urge a ‘four-eyes’ approach – make sure refunds can only be authorised if they are cross-checked by another trusted employee first.”