A large NHS organisation was recently targeted by fraudsters, but any organisation that uses card payment terminals could similarly be targeted.
How the fraud operates
‘Worldpay’ terminals were in use at the organisation.
The organisation’s bank statements showed that refunds totalling over £230K had been processed for Worldpay transactions, which immediately raised concerns.
Worldpay confirmed that the transactions were linked to one payment terminal, with the account details for the refunds being physically keyed in.
Even though the office where the payment terminal was kept was locked, fraudsters were able to reach under the glass partition and access the terminal to process the fraudulent refunds.
The supervisor code for the payment terminal had not been changed from the default code, enabling the fraudsters to make the refunds.
- All payment terminals should be securely stored away when not in use.
- Only authorised individuals should access and use the payment terminals.
- All payment terminal ‘supervisor codes’ should be checked and must be changed from the default code. Consider changing these codes on a regular basis.
- When operating payment terminals, users should avoid being distracted.
- Regularly review payment terminal statements to identify any suspicious refund transactions.