Don't Get Scammed: How to Spot and Stop Fraudsters in the Automotive Aftermarket
Key Highlights
- Social engineering is the most common fraud method faced by auto parts stores, often involving convincing phone calls to manipulate employees into processing fraudulent transactions.
- Epicor has implemented security patches, transaction limits, and employee training programs to help merchants detect and prevent fraud attempts effectively.
- Fraudulent transactions can result in permanent financial loss if not identified within 24 hours, emphasizing the need for prompt reconciliation and police reports.
- Using chip cards and address verification can significantly reduce the risk of card-present and card-not-present fraud, especially during phone or online transactions.
- Store owners should validate customer identities by requesting IDs and matching addresses, and restrict manual returns to trained employees to minimize internal fraud risks.
Fraud is costing retail and automotive aftermarket businesses thousands of dollars annually, and the perpetrators are becoming increasingly sophisticated. Kathy Marchetti, product and project manager and design analyst for Epicor, has spent years building payment processing systems and security protocols designed to help merchants avoid common scams. She is a qualified integrator reseller, or QIR for short, a required credential for credit card compliance, and a certified private payments professional with the Electronic Transactions Association.
In this Aftermarket Business World interview, Marchetti discusses the types of fraud hitting automotive parts stores, how social engineering works, and what business owners can do to protect their employees and their profits from fraudsters.
What's the most common type of fraud that auto parts counters face?
Kathy Marchetti: Retail is really getting hit with social engineering, which is calling on the phone (with credit cards). The people who have storefronts are the people who get hit the hardest; it makes you more vulnerable.
What is social engineering, exactly?
Marchetti: Social engineering is when you encourage a person to do something that they wouldn't do normally that's going to benefit the fraudster. It happens when somebody calls you, and they are so convincing that they are who they say they are. Sometimes, they say they're an employee, sometimes they say they're from the NAPA group or one of these other big places. And they're not, but they know enough about it. They must do really good research because they sound very convincing when you hear them on the phone.
How do those calls sound?
Marchetti: They call the store and say, "Hey, we've noticed there's been a problem with one of your pin pads doing returns. Let's do this test where we sell this thing, and it's only a couple of bucks, so it won't matter." So (the counter person) does it. "Oh, it declined. OK, that's what I was expecting. So well, then let's try a return." And the fraudster knows the stock numbers of items. And they go, "Oh, it went through. Let me look at the results over here, and I'll give you guys a call back in about 30 minutes." And that money's on the card that they put in there. It's usually a one-time use gift card, or something like a Visa gift card. Now that the money's on there, they can go use that money or get it off the card.
How long does it take for a retail store to recognize they've been scammed?
Marchetti: Sometimes it's the minute (the counter person) hangs up, and sometimes it's not until the back office decides to reconcile that day's sales. Sometimes that's this afternoon, and sometimes that's once a week. Then we get a call, and they're like, "Hey, this happened."
What security measures does Epicor put in place for its customers?
Marchetti: We have done so much stuff to our software to help people not fall into the trap. We have a lot of training. We have a customer care portal where people post logs, and we post that especially because when we get hit a lot is during the holiday season when everybody has gift cards. It's just busy in that business, and then you see (fraud) go up.
We've put a patch in place so that you can only do a transaction over a certain amount of money, or return specifically to you. There's security so that not everybody can do manual returns. The other thing that happens, which is sad to say, is that sometimes it's their employees. They know what's been sold, they know that they can return it, and if they return it to their card, then they don't have to make a payment. So fraud is really widespread.
We have our support team that supports software, we have merchant services that support the merchant, and then we have our whole back-end risk team. You would never get that with a different processor or even a different software.
How do these fraudulent transactions affect the store's bottom line? Is the money permanently lost?
Marchetti: Yeah. The money is permanently lost if the parts store doesn't recover it within about 24 hours. Usually, if you haven't recovered it within 30 minutes, it's gone. You have to file a police report. We can stop a batch from happening, and after everything gets settled the next day, we'll be able to say, “Yeah, we got it, or no, we didn’t.” That's why I said 24 hours. But for the most part, it's gone. I mean, it's like if you lost your wallet; you had $3,000 in your wallet, and you lost it.
What vulnerabilities should parts stores be aware of as fraudsters become more sophisticated?
Marchetti: Do you remember before we had chip cards, and there was just a swipe? Well, the chip was developed because of fraud. The chip keeps track—it knows that you just spent $1.92 at that grocery store in your town. Then, if all of a sudden the next transaction is you spending something in the Caribbean, you'll get a notification from your bank that says, "Did you just do this?" because it's not feasible that you would buy something for $1.17 and then be way over there buying something for $50. That's what the chip does.
Now people can still swipe the card, but it's sort of a fallback situation, which means the chip didn't work. If a card doesn't work, be suspicious. Or, if somebody's calling you on the phone to make a purchase—let's say $1,500 over the phone—they give you the credit card, the card goes through, and they go pick up the merchandise. The next day, you could get a chargeback because that was a stolen card. You need to do the best you can to validate who's on the other end of the phone. Any phone transaction—if they're not there, it's called card not present. If they're not there, you need to be very wary and try your best to validate that the person is who they say they are.
How can stores validate that a phone customer is who they claim to be?
Marchetti: When you order something on a website, they ask you for your address, which is your card address. If you don't know that, what happens? You can't buy it. Well, people call up stores, and they give them card numbers on the phone all day long, and they don't put in the address. The software is set up to take address verification. That's just another way to validate that the person is who they are on the other end of the phone, because a lot of times, they can have a card number and maybe the expiration date, maybe even the security code, but they probably don't know what the address is.
How did they get these cards? On the dark web, but there are no addresses that go with that, because where they collected that data was from some machine.
Get address verification for sure if they're not there. And if it doesn't match (and you get suspicious), they will do something to make you react and play on your emotions.
Is accepting cards over the phone something stores should avoid?
Marchetti: Well, it depends. The problem is now in this day and age, after the pandemic, people order stuff like DoorDash, Instacart. Not taking cards over the phone—it's going to harm their business. But it's also what they're comfortable with.
Try to validate who it is. Tell them, "OK, when you come in to pick up that $1,500 item, we're going to need to see your ID and your credit card." And they can validate that person because fraudsters on the phone don't have real cards. If you put some things in place like that to validate who's on the phone, you'll catch it.
What guidance would you offer parts store owners to safeguard themselves from fraud?
Marchetti: My dad always said this: "In our business, expect what you inspect." If you don't check them out, don't have high expectations. If you saw their driver's license, if you looked at their card, if you saw the person in real life, have good expectations. But if you don't validate, you're probably going to get taken.
Also, use the stuff that's in your software. There's user security, all kinds of stuff that you could set up to help you or your employees not fall into the trap. Only let certain people do returns—people who have been trained enough to pick up on, "I don't think that sounds right." Employees are hard to come by right now, but if you train them and reward them for being diligent, it pays off.
About the Author
Chris Jones
Editorial Director
Chris Jones is group editorial director for the Vehicle Service & Repair Group at EndeavorB2B.
A multiple-award-winning editor and journalist, and a certified project manager, he provides editorial leadership for the auto care industry's most trusted automotive repair publications—Ratchet+Wrench, Modern Tire Dealer, National Oil & Lube News, FenderBender, ABRN, Professional Distributor, PTEN, Motor Age, and Aftermarket Business World.