Small businesses along Queen Street East in Toronto are reeling after a string of brazen thefts in which scammers used the very point-of-sale (POS) machines meant to process customer payments to steal money instead.
At Souvlaki Hut, a family-run restaurant in The Beaches, security footage captured a man discreetly picking up the payment terminal and issuing himself a $2,000 manual refund. The scam happened so quickly that staff didn’t notice until it was too late.
“It was shocking,” said Artie Jorgaqi, whose mother owns the restaurant. “My mom works very hard, and it was just taken from her — in seconds. He lifted the machine so we couldn’t see what he was doing. That’s all it took.”
A similar story unfolded at Pippins Tea Company, where owner Barbara Deangelis says a young man came in claiming he wanted to buy a teapot for his grandmother — but instead refunded himself $4,900.
“It was just sick,” Deangelis said. “That’s a devastating amount for a small independent store.”
Both cases reveal a troubling vulnerability in POS systems that many business owners didn’t know existed. Cybersecurity expert Claudiu Popa calls the threat “severe” and says these machines are often left in a default configuration that leaves them open to exploitation.
“These terminals are often shipped with default passcodes or wide-open administrative settings,” Popa explained. “It’s like leaving your iPhone locked — but someone still managing to make purchases because the payment app was never secured.”
Toronto police have not formally connected the incidents, but they appear similar to a wave of thefts last year that targeted businesses across Bathurst, Eglinton, Lawrence, and St. Clair. Concerned by the trend, Deputy Mayor Mike Colle took matters into his own hands.
“I walked door to door explaining how businesses were being hit,” said Colle, who also initiated a public awareness campaign with window stickers warning would-be thieves that terminals were locked down.
His advice to businesses:
- Store terminals away from counters when not in use
- Treat them like cash
- Change administrative PIN codes weekly
- Limit refund permissions with secure user profiles
The Beach BIA recently alerted its members by email, warning of the new tactics being used by fraudsters. “I think we’re hitting a new level,” said BIA Manager Lori Van Soelen. “Be very aware of your machines and what people can and cannot do.”
In Pippins’ case, POS vendor Moneris issued a full refund and offered support. “Our machines don’t have a default ‘unauthorized refund’ code,” said Moneris spokesperson Darren Leroux. “We always recommend merchants secure terminals, set up passwords, and manage refund permissions.”
At Souvlaki Hut, however, the vendor Clover had not responded to inquiries by press time. Jorgaqi believes vendors should bear more responsibility.
“They should build safer systems from the start,” he said. “There should be refund limits, two-step verification—anything to prevent this. It’s a big loss for us.”
As these scams continue to spread, experts urge small businesses to immediately review their POS terminal settings, enable refund restrictions, and store machines securely.
“It’s a lesson we learned the hard way,” Jorgaqi said. “I just hope other businesses don’t have to.”