Guest Writer: Richard Ainsworth

42690452 - payment using chip plastic card in pos terminal

Sales suppression, also known as skimming, is an old retail fraud. A businessman simply keeps two tills. He rings up some sales for the record, and other sales are either not rung up at all or handled through an open cash drawer.

Technology has changed the efficiency with which businesses skim cash receipts. The agents of change are software applications – Phantom-ware and Zappers. Phantom-ware is a ”hidden,” pre-installed programming option(s) embedded within the operating system of a modern electronic cash register (ECR). It creates a virtual second till.

Zappers are more advanced. Zappers are special programming options added to ECRs or point of sale (POS) networks. They are carried on memory sticks, removable CDs or can be accessed through an Internet link. Because Zappers are not integrated into operating systems their use is more difficult to detect. Zappers liberate owners from the need to personally operate the cash register to skim receipts. Remote skimming of cash transactions is now possible without the knowing participation of the cashier who physically rings up each sale.

The problem is global in scale. Canada recently completed a three-year study that found suppression devices in 30 percent of the POS systems nationwide. Because the most common use of skimmed funds is to pay employees ”under the table,” Zappers produce tax losses in sales tax, business taxes, personal income tax of the employees paid in cash and employment taxes.

In a paper for the Finnish Tax Administration, I estimated losses in their restaurant industry to be €296 million (annually). The Finnish Parliament Audit Committee reviewed these findings and based on October 2010 through August 2012 data determined that my estimates should be ”considered very cautious.’? Their study was producing results several multiples higher than mine, according to paper by the Finnish Tax Administration (Vero Skatt, Kassalaitteet ja tulonsalaukset, June 6, 2013).

The following story might provide some insight into what we are looking at with Zappers. Last month a woman called me from a small restaurant in a Mid-Atlantic state. She said she suspected that her business partner had installed a Zapper with the help of her ECR salesman. She was right. We found the Zapper. It was installed in the hand-held scanner used for inventory control. When the scanner was plugged into the restaurant’s inventory control system – and after pressing specific keys – the holder was granted access to the restaurant’s POS system. From there they could remotely manipulate sales data while ostensibly doing inventory. Inventory records were made to conform to the manipulated sales figures by the program.

Perhaps the most interesting aspect of this case was that all data was stored in the cloud. Further manipulation could occur once the records were transmitted to the cloud (we could not tell). The scanner made cloud transmissions automatically after each manipulation. This is the first use of the cloud I have seen directly in the United States, although I know of six cases in Portugal, the UK and Norway, where something very similar seems to have occurred.

A tip off to the fraud-in-the-cloud aspect of this case was fact that the system installer moved this restaurant’s storage to a different cloud – not the free cloud service provided by the POS system manufacturer. This was a curious move by the salesman, and a hint that something odd was happening.