Credit Card Fraud Targeting Shops That Accept Cards
If your shop accepts credit or debit cards, you’re a target. From stolen card pickups to chargeback schemes, fraud can cost you inventory, revenue, and your merchant account. Here’s what you and your employees need to know.
Credit card fraud doesn’t just happen to consumers — it hits shop owners hard. Merchants who accept cards face chargebacks, stolen inventory, and payment fraud that can cost thousands in a single transaction.
- Phone orders with stolen cards + in-person pickup = a chargeback you can’t fight
- Always refund to the original card — never to cash, check, or Venmo/Zelle
- Never wire money back to a customer after charging their card
- A signed repair order before every job is your only chargeback defense
- Inspect your payment terminal regularly for tampering or overlay devices
- Train every employee who touches the register on these red flags
How to protect your shop from card fraud
These practices reduce your exposure to the most common fraud schemes targeting auto repair and tire shops.
Signed repair order before every job
A signed work authorization is your only reliable defense in a chargeback dispute. Get it before you start work and before you run the card — no exceptions.
Refund to the original card only
Never issue a refund as cash, check, Venmo, or Zelle. If a customer claims their card is unavailable, contact your processor for guidance. Alternate refunds leave you exposed to a double-hit chargeback.
Verify identity on phone orders
Phone orders are card-not-present — your highest-risk transaction type. For high-value orders, require in-person pickup with matching ID. If something feels off, trust that instinct.
Never wire money after charging a card
Any request to wire a portion of funds back after a card charge is a fraud pattern. The original card is likely stolen. You will lose both the wired funds and face a chargeback on the original transaction.
Inspect your terminal daily
Check your payment terminal at open and close. Tug the card slot — it should not move. Press the keypad corners — it should be flush. Call your processor immediately if anything looks off.
Train every employee who touches the register
Fraud often succeeds because a front-desk employee didn’t recognize the red flags. Walk your whole team through these scenarios — phone order fraud, refund manipulation, phishing calls — before it happens to you.
Scams targeting shops that accept cards
These are the most financially damaging fraud schemes targeting auto repair shops, tire shops, and merchants who accept credit and debit card payments.
Card-Not-Present Pickup Fraud
A scammer pays over the phone with a stolen card, then sends a driver to pick up high-value goods — tires, wheels, parts — in person. The shop hands over the inventory. The next day, the real cardholder disputes the charge. The shop loses both the goods and the money through a chargeback, with no recourse. Documented losses range from $35,000 to $370,000 across multiple shops.
Source: Shopmonkey, Fullbay
Refund to a Different Payment Method
A customer makes a large purchase, then cancels and claims their card is “lost or expired” — requesting the refund as cash, a check, or via Venmo/Zelle. The shop refunds them. The customer then disputes the original charge with their bank. Because the refund didn’t go back to the original card, the bank sees nothing and sides with the customer. The shop is hit twice.
Source: Shopmonkey
Wire Transfer After Card Charge
A customer makes a large, enticing purchase and the card goes through. They then ask the shop to wire a portion of the funds back to them — for “shipping,” a “supplier,” or a “third party.” The original card was stolen. The shop wires real money out of pocket, and then also receives a chargeback on the original charge. Never wire funds at a customer’s request after charging their card.
Source: Shopmonkey
Intentional Chargeback (Friendly Fraud)
A customer authorizes work, receives the service, and then disputes the charge with their bank — claiming the work was never approved or wasn’t performed. Without a signed repair order and documented authorization on file, shops typically lose these disputes automatically. The customer keeps the service and gets their money back.
Source: Shop-Ware, Shopmonkey
Business Email Compromise
Scammers spoof or compromise a business email account — yours, a supplier’s, or a partner’s — to redirect payments, authorize fraudulent wire transfers, or trick employees into paying fake invoices. One of the most financially damaging fraud types for small businesses, with billions lost annually.
Spoofing & Phishing
Scammers impersonate your bank, payment processor, or parts supplier via email, text, or phone to trick you or your employees into revealing login credentials, card details, or authorizing a payment. A convincing fake email from your “processor” asking you to verify your account can hand over full access to your merchant account.
Phishing aimed at shop owners and employees
Scammers impersonate your payment processor, bank, or parts supplier to trick you or your staff into handing over login credentials, banking details, or authorizing a fraudulent payment. A convincing fake email from your “processor” can hand over full access to your merchant account in one click.
These attacks use urgency to short-circuit your judgment — “Your merchant account will be suspended unless you verify now.” Train every employee who handles payments never to click links in unsolicited emails or give credentials over the phone.
- Your processor will never email you asking for your password or banking details
- Call your processor directly using the number on their official website — not a number in the email
- Never enter merchant login credentials from a link in an email — go directly to the site
- Enable two-factor authentication on your merchant account and business banking
- Brief your front desk staff — they are the most common entry point for these attacks
Overpayment and bad check scams targeting shops
A “customer” contacts your shop, agrees to a price for parts or service, and pays by check or card — for more than the agreed amount. They claim it was a mistake and ask you to refund the difference by Zelle, Venmo, or wire transfer before the original payment clears.
The check bounces or the card is disputed days later. The shop is out both the goods or service and the cash they wired back. Banks can take 7–10 business days to confirm a check has cleared — and fraudsters know this window well.
- Never wire or Zelle a “difference” back to a customer — wait for full payment clearance first
- Checks can appear to clear in your account and still bounce days later
- Be especially cautious with large, unsolicited orders paid by check from new customers
- If you can’t verify a payment has fully settled, hold the goods or service until it does
Customer agrees to $800 in tires, pays by check for $1,800 and asks you to wire back the $1,000 difference.
Shop wires $1,000 back. Check appears in the account balance and everything looks normal.
Check bounces 7 days later. Shop is out $1,000 cash plus the tires. Wire transfers are not reversible.
How to document every job so you can win a chargeback
Chargebacks are decided on documentation. If a customer disputes a charge, your processor gives you 7–10 days to respond. These habits ensure you always have what you need.
Before the job starts
Get a signed repair order or estimate with the customer’s name, date, scope of work, and agreed cost — before you touch the vehicle and before you run the card. Photograph the vehicle’s VIN tag and license plate at drop-off. Offer to copy their driver’s license. Use chip or tap — card-present transactions are far easier to win than keyed-in phone charges.
During the job
Take timestamped before-and-after photos of the specific work area — old tires vs. new, brake components removed vs. installed. Photograph removed parts to prove they came out. For larger jobs, document each stage. These photos show the work was performed exactly as authorized.
At pickup and payment
Have the customer sign the final invoice separately from the repair order. Add a “vehicle inspected and accepted” line with their signature. Your shop cameras should cover the counter where customers sign and pay. If the customer test drives the vehicle, note that they returned satisfied — or capture a quick video walk-around at pickup.
Phone and text authorizations
After any phone authorization, immediately follow up by text: “To confirm: you’ve authorized [Shop] to perform [work] for $[amount]. Reply YES.” Screenshot their reply with the timestamp visible. Save the full thread — never delete customer conversations. If you record calls, check your state’s law first: most states require only one-party consent, but some (including California and Washington) require both parties to be notified.
Video and surveillance
Position shop cameras to cover the front counter where customers sign paperwork — this footage alone has resolved disputes. Run a dashcam during any test drive to document vehicle condition before and after. If a customer does a walk-around inspection at pickup, record it. Your lot entrance camera should capture timestamped vehicle arrivals and departures.
Keep records for at least 18 months
Some card networks allow chargebacks up to 540 days after the transaction — keep all documentation for at least 18 months. Shop management systems like Shopmonkey or Shop-Ware timestamp every approval and customer interaction; those logs are valid evidence. Store digital copies of signed repair orders, receipts, photos, and text threads in a location you can access quickly when a dispute lands.
What to do if your shop is hit
Acting quickly limits the damage. Follow these steps as soon as you identify a fraud incident at your shop.
Contact your payment processor immediately
Call your processor’s merchant support line to report the incident, initiate a chargeback dispute if applicable, and ask about any additional fraud protections on your account. Act within the dispute window — most processors give you 7–10 days.
Gather all documentation
Pull together every piece of paper and digital record related to the transaction: signed repair orders, receipts, card authorization records, text messages, and any communication with the customer. This is your evidence package for the dispute.
Report to ic3.gov
File a complaint with the Internet Crime Complaint Center. Reports help federal investigators identify active fraud networks targeting local businesses. Include transaction details, dollar amounts, and any contact information you have for the scammer.
Tighten your intake process
After any fraud incident, review how the scam got through. Update your phone order policy, make sure every job has a signed authorization before work starts, and brief your team on exactly what happened so it doesn’t happen again.
Frequently asked questions
A customer wants a refund to a different payment method — what should I do?
Decline and explain that your policy requires refunds to go back to the original payment method only. If the customer says their card is lost or expired, contact your payment processor for guidance on processing the return correctly. Never issue a refund as cash, check, Venmo, or Zelle — doing so leaves you exposed to a double-hit: the customer disputes the original charge with their bank while keeping the alternative refund you issued.
How do I fight a chargeback from a customer who already received service?
Your evidence package is everything. When you respond to the dispute through your processor’s portal, include:
1. Signed repair order or work authorization showing the customer approved the work and the cost.
2. Signed receipt from when the card was charged.
3. Any written communication — texts, emails — where the customer confirmed the work or acknowledged the charge.
Submit within your processor’s dispute window (usually 7–10 days). Without a signed authorization, banks almost always side with the cardholder regardless of what actually happened.
What documentation do I need before charging a customer’s card?
At minimum: a signed repair order or written work authorization that includes a description of the work, the estimated or agreed cost, and the customer’s signature. Get this before you start work and before you run the card. For phone or remote authorizations, a written confirmation via text or email — with the customer explicitly approving the amount — is better than nothing, though in-person signatures are stronger for disputes.
Is it safe to take phone orders for tires or parts?
Phone orders are your highest-risk transaction type because they are card-not-present — the cardholder is not physically present to verify the purchase. If the card turns out to be stolen, you lose the goods and receive a chargeback with no recourse. For high-value phone orders, require in-person pickup with a matching photo ID, ask for a copy of the cardholder’s ID before pulling inventory, or take a smaller deposit to confirm the card before ordering parts. Trust your gut — if a phone order for a large set of tires feels off, it probably is.
How do I know if my payment terminal has been tampered with?
Check your terminal at open and close every day. Tug the card slot — it should be firmly fixed and not wiggle or pull away. Press the corners of the keypad — a legitimate keypad is flush against the terminal body and does not flex. Look for anything that looks overlaid, misaligned, or different compared to yesterday. A skimmer can be installed in seconds by someone posing as a customer or technician. If anything looks wrong, take the terminal out of service immediately and call your payment processor — do not continue using it.
Do I have the right to refuse a suspicious card transaction?
Yes. Merchants have the right to decline a transaction when something doesn’t add up — a card that won’t chip-read or swipe, a customer who is unusually anxious or rushed, a mismatch between the card and ID presented, or an order that is unusually large from a first-time walk-in. You can also require ID for card transactions as a shop policy. Refusing a transaction is far less costly than taking a chargeback on a set of stolen tires with no recourse.
Protect your business at the point of payment
Payment Bridge keeps card data on your terminal — never touching our servers. Built with the same discipline that should apply everywhere payments happen.