Impersonation scams are now one of the fastest ways to lose money: fake bank changes, fake vendor invoices, fake POS support calls. This practical playbook gives your team a verification ladder, staff scripts, and POS-first controls that stop damage fast.
The modern scam is not a masked person. It is a believable message.
For a lot of small businesses, the new "break-in" looks like this:
- An email that looks like your payment provider: "We need to update your settlement account today."
- A phone call: "This is POS support - we see suspicious activity. Read me the code you just received."
- A text that looks like a vendor: "New bank details. Please pay this invoice right now so we can ship."
These are impersonation scams. They rely on urgency, authority, and the fact that operators are busy. The fix is not "be more careful" (that is vague and fails under pressure). The fix is a verification ladder: a small set of mandatory steps that make it hard to do something dangerous quickly.
Operational note: your POS is part of your defense. A POS with clean permissions, audit trails, and predictable workflows gives you fewer "everyone has the keys" moments. If you want a POS built to run tight operations, start with M&M POS. You can download M&M POS and set up roles, manager approvals, and basic controls the same day.
What scams look like in real life (so your team recognizes them)
Most impersonation attempts share patterns:
- Urgency: "Today". "Right now". "In the next 10 minutes".
- Secrecy: "Do not tell anyone". "This is confidential".
- Authority: "Compliance". "Security". "Legal".
- Credential fishing: passwords, MFA codes, one-time links.
- Money movement: bank changes, gift cards, refunds, wire transfers.
If you train only one instinct, train this: legitimate organizations do not need you to move money immediately under secrecy.
The Verification Ladder: your non-negotiable steps
Think of this like a fire drill. You do not debate it in the moment. You follow it.
Step 1: Slow down (buy time)
Staff script:
- "Thanks - I cannot do account changes during a call. I will call back through our official contact method."
- "We have a verification policy. I will review and respond after I verify the request."
Your goal is to stop the scammer from controlling the tempo. Speed is their advantage.
Step 2: Disengage (do not click, do not reply, do not keep chatting)
Do not negotiate. Do not prove you are smart. Do not "just see" what is on the link.
Basic rules:
- Do not click links in unexpected messages.
- Do not open attachments from unknown senders.
- Do not read back codes, ever.
Step 3: Verify using a trusted channel you control
This is the core of the ladder.
Verification means: you find the phone number or login URL yourself (from a saved bookmark, official paperwork, the back office portal you already use), and you initiate contact. Never use the phone number or link provided in the suspicious message.
We recommend a "two-source" rule for high-risk actions:
- Source A: a known-good bookmark / vendor portal / stored contract contact.
- Source B: a second independent confirmation (another manager, or a second known-good channel).
Step 4: Require two-person approval for high-risk actions
Some actions should simply be impossible for a single stressed person to perform in a hurry. Examples:
- Changing payout/settlement bank account information
- Issuing large refunds
- Creating new admin users
- Exporting customer lists
Even in a tiny business, "two people" can be manager + owner, or manager + another shift lead. The point is: a scammer now has to compromise two humans, not one.
POS-first controls that reduce blast radius
Security is not just a password problem. It is a workflow design problem.
1) Role-based access (least privilege)
Do not run daily operations on an admin account. Create roles like:
- Cashier: ring sales, accept payments, print receipts
- Shift lead: voids, small refunds, discount overrides
- Manager: large refunds, user management, report exports
If an impersonation attempt targets a cashier, the cashier should not even have the permissions that matter.
2) Refund and discount guardrails
Common scam pattern: "Process a refund to this card" or "run a test refund". Your policy should be:
- Refunds go back to the original tender when possible.
- Large refunds require manager approval.
- Refunds require a reason code (customer complaint, duplicate charge, returned item).
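The role model, refund guardrails and two-person rule above only hold if the POS enforces them in code rather than on the placemat alone. The following is an added illustration of such an authorization check, not M&M POS's own code: the role names follow this post, while the refund threshold, the reason-code list, the "owner" role and the request fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role model following the post's three roles, plus "owner" as a
# second approver. Permissions are illustrative, not a real POS configuration.
ROLE_PERMS = {
    "cashier": {"sale"},
    "shift_lead": {"sale", "void", "small_refund", "discount_override"},
    "manager": {"sale", "void", "small_refund", "large_refund", "discount_override",
                "create_user", "export_customers", "change_payout_account"},
    "owner": {"large_refund", "create_user", "export_customers", "change_payout_account"},
}
# Step 4 of the ladder: these actions are never completed by one person.
TWO_PERSON = {"large_refund", "create_user", "export_customers", "change_payout_account"}
APPROVER_ROLES = {"shift_lead", "manager", "owner"}
LARGE_REFUND = 100.00  # constructed threshold separating small and large refunds
REASON_CODES = {"customer_complaint", "duplicate_charge", "returned_item"}

@dataclass
class Request:
    action: str
    actor: str
    actor_role: str
    amount: float = 0.0
    tender: str = ""           # tender the refund would go to
    original_tender: str = ""  # tender used on the original sale
    reason: str = ""
    approver: str = ""
    approver_role: str = ""

def authorize(req: Request) -> tuple[bool, str]:
    """Decide a request and return (allowed, explanation). Fails closed."""
    action = req.action
    if action == "refund":
        # Refund guardrails: reason code, original tender, size-based tiering.
        if req.reason not in REASON_CODES:
            return False, "refund requires a reason code"
        if req.tender != req.original_tender:
            return False, "refund must return to the original tender"
        action = "large_refund" if req.amount > LARGE_REFUND else "small_refund"
    if action not in ROLE_PERMS.get(req.actor_role, set()):
        return False, f"role '{req.actor_role}' cannot perform {action}"
    if action in TWO_PERSON:
        # A second, distinct human holding an approving role must sign off.
        if not req.approver or req.approver == req.actor:
            return False, f"{action} needs a second, distinct approver"
        if req.approver_role not in APPROVER_ROLES:
            return False, f"role '{req.approver_role}' cannot approve"
    return True, "allowed"

if __name__ == "__main__":
    # The "run a test refund" scam aimed at a cashier is denied on permissions alone.
    print(authorize(Request("refund", "cashier1", "cashier", 40.0, "card_a", "card_a", "returned_item")))
    print(authorize(Request("change_payout_account", "mgr1", "manager", approver="owner1", approver_role="owner")))
```

A manager acting alone on a payout change or large refund is refused the same way, which is the whole point of the two-person step.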
3) Audit trails you actually look at
An audit log that nobody checks is theater. Keep it simple:
- Daily: review large refunds/voids/discounts.
- Weekly: review new users and permission changes.
- Monthly: review payout account changes (should be rare).
The "support call" trap: what your staff must know
Attackers love pretending to be "support" because it gives them permission to ask for weird things.
Train this rule word-for-word:
- No one gets passwords or MFA codes. Not support. Not the bank. Not the owner. Not anyone.
If a caller asks for a code, the call ends immediately. If the caller uses threats ("your account will be shut down"), that is a bigger reason to end the call.
Make it easy to do the right thing: your "Security Placemat"
Print a one-page sheet and tape it near the manager station.
It should contain:
- The verification ladder steps
- Official vendor contact methods (your saved numbers, not the internet)
- Who must approve bank changes and large refunds
- The staff scripts (slow down, disengage, call back)
This matters because in a real incident, people do not "remember training". They follow the paper in front of them.
If you think you already got hit: first 30 minutes
Move fast, but not chaotically:
- Stop replying to the scammer.
- Change passwords for the affected account(s) and the email account tied to them.
- Revoke active sessions / logged-in devices if the service supports it.
- Check for new users, payout changes, and unusual refunds.
- Document what happened (timestamps, screenshots) for your bank/provider.
Then work down the chain: email, POS, payment portal, accounting, any integrations.
Where M&M POS fits (without turning your day into IT)
You do not need a security team to run safer operations. You need:
- Clear roles
- Manager approvals
- Clean audit trails
- Predictable workflows
That is exactly the kind of discipline a good POS should support. If you want to start tightening controls today, use M&M POS and set up roles and permissions as part of your onboarding. You can download M&M POS and build your "least privilege" setup before your next busy shift.