Mark & Spencer Supervisor Took Down Customers’ Credit Card Details & Used Them to Order Food Delivery

The love of money can bring out the worst in people. Some resort to stealing from the dead (yes, really), while others exploit a loophole and steal repeatedly from their own customers and colleagues.

A Marks & Spencer Supervisor has been jailed for using customers’ credit card numbers to order food online.

He had discovered a security gap in the food delivery app’s payment function which enabled his activities to go largely unnoticed by his victims.

The Scam Operation

Teo Kai Seng, a 29-year-old male, was working at a beloved clothing store for all moms, AKA Marks & Spencer, between the years of 2016 to 2021.

In March of 2020, he was promoted to supervisor at the One Raffles Place outlet.

Clearly, the career advancement didn’t make Teo go “with great power comes great responsibility”, because soon after his promotion, he began writing down the credit card details of customers whenever he was attending to them at the cash register, intending to use them later.

During most of these instances, only two other staff members on duty were in the store working in the kitchen and the office.

He would snap a photo of the credit cards, and transfer them onto paper after, where he would then proceed to use the information to order food from an app called Waitrr.

Teo discovered that app did not require a one-time password for transactions when making payments to the food vendors on the app, so he decided to exploit this.

Oh, and the man also used his ex-girlfriend’s phone number to register an account too, probably in a not-exactly-smart attempt at revenge.

What’s more is that Teo proved one stream of fraudulent income clearly wasn’t enough for him as he would also use this opportunity to scam his fellow colleagues.

Teo would offer to buy food for them, under the guise that the Waitrr app gave him a special 10 percent discount.

After saying that he would extend his savings to them oh so generously, his colleagues would them pay him back using other method. While doing this, Teo would be using the credit card details he obtained from various customers to pay for the meals.

This went on for over a year, where almost S$9,000 worth of meals were paid for using the stolen credit cards.

Three to Five Months’ Jail

Between 13 July 2020 to his arrest on 24 August 2021, Teo performed 450 unauthorised transactions using the credit card information belonging to 11 of his victims, aged 46 to 82.

As most of his victims did not opt for the SMS notification banks offered when transactions were made on their credit or debit cards, this enabled his operations to go unnoticed for a long period of time.

It wasn’t until 27 October 2020, where investigations began, after the daughter of one of his victims noticed the suspicious transaction and decided to lodge a police report.

He was then traced and arrested.

Yesterday (29 August), Teo pled guilty to three out of the eight charges he faced for his crimes, under the Computer Misuse act, and was sentenced to three to five months in jail.

The court highlighted the level of premeditation and planning used in Teo’s case in making the decision.

For each charge, Teo could have been fined up to S$5,000, jailed for up to two years, or both.

I guess with all the spam messages we receive from random numbers nowadays, opting in to an additional SMS notification from your actual bank can’t hurt to protect against instances like these.

Banks like OCBC (after the infamous OCBC saga) have now made notifications compulsory, and even have a “kill switch”; you can watch this video to know more about it:

Read More:

Featured Image: Monkey Business Images / shutterstock.com