The Restaurant Prepayment Scam: Don’t Be The Next Victim
By Robert McGarvey
The news out of the Ritz London has to fry you: scammers have been calling customers with restaurant reservations and prying out of them credit card details that the scammers quickly put to use making online purchases.
The problem is that this may threaten all of us who dine out, even if we have never set foot in the Ritz and have no plans to. That’s because these scammers have shined a spotlight on a failing that may entrap us all.
The Ritz said this in an August 15 tweet: “We can confirm that on 12th August 2020, we were aware of a potential data breach within our food and beverage reservation system, which may have compromised some of our clients’ personal data. This does not include any credit card details or payment information.”
Where did the credit card info get into this? Apparently the scammers called diners with reservations and said, “Sorry, there’s a problem validating your credit card info to secure the reservation. Can we have it again?” Or words to that effect.
To use the language of the trade, the crooks – who apparently had access to the hotel’s restaurant reservations – used social engineering to pry the valuable info out of the cardholders.
According to the BBC, “One woman, who had made an online booking for afternoon tea at the Ritz as part of a celebration, received a call the day before her reservation.
“The scammers asked her to ‘confirm’ the booking by providing her payment card details.
“The call was convincing because it appeared to have come from the hotel’s real phone number, and the scammers knew exactly when and where her reservation was.”
The last bit is important. What it means is that the crooks gamed caller ID to spoof the Ritz’s real phone number.
Number spoofing is so easy even a caveman could do it. Details here.
Never believe a phone number that pops up on your screen. It may be real, it may be spoofed.
So, where do you come into this frame? If there is a theme song among restaurateurs in this pandemic it is complaints about dining no shows. The Washingtonian headline tells the story: Don’t be the jerk who no shows on a restaurant reservation during a pandemic.
Even across the pond in England a celebrated chef won applause from his peers for calling no shows “disgraceful.”
As restaurateurs explain, in much of the US, restaurants are required to operate at a reduced capacity. In Phoenix, for instance, they are required by an order of the governor to operate at no more than 50% capacity. It’s 50% also in Seattle. Ditto Texas.
Many restaurants struggled to turn a profit pre-Covid. Capacity limits have put more stress on them. And every diner matters in reaching break-even.
A solution: restaurant gurus are advocating what amounts to a no show fee be slapped on diners who don’t turn up. In some cases it might be $25 for a two-top – but some restaurants are charging multiple hundreds of dollars, that is, essentially requiring diners to pre-pay for their meal in order to secure a reservation.
Here is where the news gets worse: restaurants are among the most common victims of data breaches and you can be victimized two ways. A crafty scammer who grabbed only a reservations log – which almost always includes a phone number – could recycle the Ritz London scam and call the diners asking for a credit card number to secure the reservation. Know that scammers are copycats and when they saw that Ritz scam, they knew their next move.
At restaurants that require a prepayment there already is a credit card number in the file.
A round up of food service businesses that suffered breaches is here.
Big names are in the mix such as DoorDash and Landry’s which operates some 60 national chains including Joe’s Crab Shack and Morton’s.
But I ask, are you more confident that small restaurants won’t be breached? I am not. Indeed, I wonder how many already are breached and don’t know it (and, sadly, often the only way they learn about it is when an energetic fraud researcher at one of the big credit card issuers follows the bouncing balls and traces back a fraud outbreak to a small restaurant. I know one very large credit union that actually traced it back to a particular server at a restaurant).
Not surprisingly, a poll found 62% of consumers already fear restaurant data breaches. The only surprise is that the number isn’t higher.
How can you protect yourself?
If you get a call from a restaurant asking you to confirm a credit card number, the standard advice is to say you will call them back – and make very sure you are calling a publicly listed number for the restaurant or hotel. Don’t call a number given to you by the caller. They may just hang up and move on to the next fish in the net.
What about restaurant prepayments? I understand the restaurateur angst. My standard suggestion is to use a credit card with a very low credit limit. If necessary, apply for one with, say, a $500 limit. Never use a debit card for this. You probably can claw back money stolen on a credit card. You have fewer rights with a debit card.
Last to-do – if you make a reservation, show up – or at least have the decency to cancel a day in advance. I know that’s asking a lot in the Covid-19 era. But it’s not too much for a restaurant to ask when their survival is at stake.
Perhaps, if a restaurant is going to use an advance-paid res guarantee against no-shows, the payment could be held in an escrow-like system, separate from the restaurant’s own website and (hopefully) more secure. A 1% fee for the service to be deducted by the escrow service might pay handsomely considering relative ease of most of this business being conducted electronically. Scam attempts would be inevitable, but a central site with resources to maintain security as its central focus might work better than individual restaurants attempting to keep up with the latest security patches. Clearly, customers would need to be aware that calls purporting to originate from the restaurant inquiring about CC details were, by definition, bogus, so the educational aspect might make this difficult.
For one thing, I don’t “no show”. If I make a reservation, I’m there. If I can’t make it, I call to cancel. But the other thing is the restaurant is not going to get my credit card number. I am fortunately in a country where chip and pin is common, and I don’t go to places that don’t have chip and pin. I hope that the USA has caught up in that regard. There’s no reason for a bricks and mortar merchant or a restaurant to ever get a credit card number, period. Update your systems.