The Threat of Phone & E-mail Attacks on Restaurants
By Hunter McCurry
This week’s article will cover attacks and scams executed on restaurants by cybercriminals and scammers. These types of attack range in degrees of severity, from scamming your restaurant out of free food and product to compromising store systems or scamming for thousands of dollars. These types of attacks and scams can be regulated and prevented by your restaurant management team with proper training and communication.
E-mail fraud is very prevalent in the service and retail industry. Cyber criminals will attack using various techniques to try and access your systems and sensitive data. They may also use scare tactics or pose as owners to scam employees into sending money or gift cards to a fraudulent source. The following are examples of these types of attacks:
Spoofing – Spoofing is one of the most common Phishing e-mail techniques used. Emails are delivered posing as a company employee or owner attempting to retrieve data, funds, and gift cards. E-mails sent from an attacker will mimic addresses and names of trusted company personnel to fool staff. An unknowing employee can be tricked into providing sensitive data, transferring money, or issuing gift cards to the imposter, all the while thinking they are following the direction of upper-level management or a business owner.
Malicious Downloads – Many cyber criminals will attempt to get business managers to download malicious software that can help the attacker gain access to the POS systems. They can trick the manager into doing so by disguising this software as many different types of downloads such as: calendar invites, pictures, business documents, and marketing material. If the malicious software is downloaded, the attacker can easily deploy malware, ransomware, spyware and more. If this happens, all sensitive data within the POS system of the business can be compromised or held hostage.
Fake Website Credential Capture – In an attempt to capture login credentials for business email, cyber criminals will attempt to fool managers into submitting their email credentials to a fake capture website. A good example of this is when an attacker will send a link to a website asking the manager to join a calendar invite, or video conference, or online collaboration. Once the link is visited, it will appear as a login screen of a legitimate trusted vendor (Office, Zoom, Skype, etc.). If the manager submits their credentials, the attacker will immediately capture that data and compromise the account and possibly other accounts associated with those same credentials. Once a cyber-criminal has access to a business email, they can speed throughout the business and retrieve any business communication, trade secrets, and personal employee data sent over email.
Phone scams are an ongoing battle with many restaurants and retail businesses. They are commonly executed by individuals to swindle funds or product for their own personal gain. Here are some common scams store managers should be wary of:
Executive/Owner Fraud – Phone scammers will contact a store posing as an executive, owner, or upper-level management. This tactic is used to fool an employee or manager into handing over company information or company funds that they can then re-sell or use for their own personal gain. Here are some common tactics:
Scare Tactics – the scammer will make threats of losing employment or corporate punishment when posing as an owner/executive if the business employee does not provide them with what they are requesting. This can scare employees into handing over sensitive information or funds to the scammer.
Gift Card Scam – a scammer will try to convince the employee to issue company gift cards and provide the numbers over the phone. The scammer may say it is for networking or gifts to business vendors. The unknowing manager can issue hundreds of dollars in gift cards to the scammer thinking they are being helpful.
Money Transfer Scam – some scammers will attempt to have managers transfer digital funds to a fraudulent account. A common way this is done is that the scammer will pose as the business owner or a utilities vendor (ISP, power company, city water, etc.). They will call and threaten services to be suspended unless payment is retrieved during that call. Unknowing managers will submit fraudulent payments to prevent their utilities from being “shut-off”.
Customer Order Fraud – Unfortunately, one of the most common scams executed on restaurants and retail businesses are acted out by everyday customers to get free food or product. A customer will call in with an order or product complaint of an order they placed with the business. These complaints can be for fake transactions that never occurred or legitimate purchases made by the guest. This is an attempt to get a second meal or product for free. In restaurants, to-go food cannot be retrieved by the restaurant due to health code restrictions. The scammer could fool managers into thinking a meal was prepared incorrectly even if the food were perfect. Most restaurants have an honor system of replacing a meal for free if the customer is unhappy with the product. Scammers take great advantage of this system to get free meals out of hospitable restaurant managers. Over time this can result in hundreds, even thousands, of dollars in product loss.
Both e-mail and telephone fraud can be prevented with the proper tools and training. To avoid product loss, data compromises and even financial loss, all staff should exercise the following preparation measures.
Training – Social engineering and Phishing training are slowly becoming an industry standard. Online courses come highly recommended, as they can teach the skills needed by the every-day employee to recognize a phishing e-mail attempt. Listed are some key pieces to look for when identifying a phishing email:
Spotting the Spoof – Make sure that the email address in the ‘from’ box matches the official company email address and domain of the sender. Phishing e-mails will likely use a domain that is similar to the real business domain. For example, ‘paypall.com’ rather than ‘paypal.com’. Be wary of any unusual verbiage or request from the sender.
Do not Click the Link – Do not click on links that look suspicious. If you hover over the link the full web address will be displayed. This will provide you with enough information to research the link or forward it to an IT Security Provider.
Never Give Sensitive Data – Be suspicious of requests for sensitive data over e-mail. Account passwords, sensitive personal data, and banking information should NEVER be sent over email.
Images and Layout – Take notice of emails that do not match the company theme and layout of usual e-mails. Attackers and scammers do not always get the layout and images correct. If an image or layout seems off or suspicious, avoid that e-mail and report it.
Watch Out for Attachments – Do not open email attachments that come from outside your domain or a trusted source. Downloading suspicious attachments could result in downloading malicious software to your device or network.
Spam Filters – Implementing a firewall with e-mail filters can greatly reduce the number of fraudulent scam e-mails reaching your inbox. A Firewall E-mail filter can identify, block, and quarantine suspicious e-mails attempting to reach your business’s inbox.
Open Lines of Communication – Having open lines of communication and building relationships between owners/corporate bodies and the store employees/managers can help these store employees identify fraudulent phone calls and emails that come from various threat actors.