Account Takeovers Target Digital Ordering Systems

Fraudsters are increasingly hijacking customer accounts on restaurant apps and websites. In 2023, the food and beverage industry specifically saw a 485% year-over-year increase in account takeovers (ATOs). This staggering increase means scammers are stealing login credentials and using them to place fake orders or steal payment information stored in customer accounts.
These attacks work because criminals take credentials exposed in data breaches at other websites and try the same username and password combinations on restaurant apps. Once they’re in, they can order expensive meals and have them delivered elsewhere, leaving restaurant owners to deal with chargebacks and angry customers. The problem has gotten so bad that in 2022, there was a 71% increase in account takeovers across North America.
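The pattern described above (one source trying reused credentials against many accounts, then ordering to an unfamiliar address) can be checked for in login and order logs. The following is an added example, not part of the original article; the event layout, thresholds, IPs, usernames and addresses are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the original article).
# Each login: (timestamp_s, source_ip, username, success)
LOGINS = [
    (100, "203.0.113.7", "alice", False),
    (101, "203.0.113.7", "bob", False),
    (102, "203.0.113.7", "carol", False),
    (103, "203.0.113.7", "dave", False),
    (104, "203.0.113.7", "erin", True),     # reused password worked
    (200, "198.51.100.4", "frank", False),  # ordinary typo by the real user
    (205, "198.51.100.4", "frank", True),
]
# Each order: (timestamp_s, username, source_ip, delivery_address)
ORDERS = [
    (150, "erin", "203.0.113.7", "9 Unknown Rd"),
    (260, "frank", "198.51.100.4", "12 Oak St"),
]
# Delivery addresses each account has used before (constructed).
KNOWN_ADDRESSES = {"erin": {"5 Elm St"}, "frank": {"12 Oak St"}}

def stuffing_ips(logins, min_accounts=4, window_s=300):
    """IPs with failed logins against >= min_accounts distinct usernames within window_s."""
    fails = defaultdict(list)
    for ts, ip, user, ok in logins:
        if not ok:
            fails[ip].append((ts, user))
    flagged = set()
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window_s}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def suspicious_orders(logins, orders, known_addresses):
    """Orders from a flagged IP, after its successful login, to an address new for the account."""
    bad_ips = stuffing_ips(logins)
    hijacked = {(ip, user): ts for ts, ip, user, ok in logins if ok and ip in bad_ips}
    hits = []
    for ts, user, ip, addr in orders:
        login_ts = hijacked.get((ip, user))
        if login_ts is not None and ts >= login_ts and addr not in known_addresses.get(user, set()):
            hits.append((user, ip, addr))
    return hits
```

Orders returned by `suspicious_orders` are candidates for a hold or step-up verification before fulfilment, which is cheaper than contesting the chargeback afterwards.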
Credit Card Skimming Operations Inside Restaurants

Skimming is a form of credit card theft where criminals use electronic devices to steal credit card information. Criminal organizations often recruit the help of your employees who either knowingly want in on the action or unknowingly get duped into participating. Restaurants are particularly strong targets for skimming operations because guests hand over their cards and lose sight of them while payments are being processed.
Modern skimming has evolved beyond simple card readers. One scenario involves attaching a skimming device to the POS terminal, which captures card information when customers swipe their cards. The employee then uses this information to make fraudulent purchases or sells it to others. Ask any person to show you their phone today and it will undoubtedly have a camera included or have “wallet” software installed. With a couple of clicks of the camera button, card information can be saved as photos or as a digital card within the wallet software, allowing the employee to make fraudulent purchases later on.
Friendly Fraud Chargebacks Are Skyrocketing

Friendly fraud rates rose 20-30% in 2022 across global markets. Friendly fraud occurs when a guest receives an order and then files a complaint to get a refund and keep the items. Since a cardholder dispute initiates the chargeback process, restaurants must spend more time manually overseeing and processing chargebacks, wasting valuable time and resources.
This scam particularly hurts delivery restaurants. Customers claim they never received their food or that it was unsatisfactory, even though they consumed the entire meal. Credit card companies nearly always side with customers in disputes with merchants. That’s the case even if they request a refund days, weeks or months after a guest dined with you. All the consumer has to say is the charge is fraudulent or you didn’t provide the service. The process leaves restaurant owners with little recourse and mounting losses.
Fake Vendor Payment Diversion

There has been a recent boom in fraud where back-office workers get emails from what appears to be a known vendor asking to change the payment details for invoices. The money then gets sent to a criminal instead of the actual vendor.
These sophisticated scams use artificial intelligence to create convincing emails that look exactly like they came from legitimate suppliers. Fraudsters have become more sophisticated over time and now deploy some of the same tools used by legitimate businesses – such as chatbots and large language models – to produce scam emails and requests that look legitimate. A single successful diversion can cost restaurants thousands of dollars before they realize their actual supplier was never paid.
Employee Inventory Theft and Resale Networks

In a busy Chicago restaurant, an employee was caught stealing inventory – specifically, high-end liquor that the employee would resell to a nearby bar. Over several months, the employee had stolen thousands of dollars’ worth of stock. This loss only became evident during a detailed inventory audit when the discrepancies could no longer be attributed to regular spoilage or errors in ordering. The impact on the restaurant was severe. Not only did the business lose the value of the stolen goods, but it also had to conduct a thorough investigation to determine the scale of the theft.
High-value items like premium alcohol, steaks, and specialty ingredients are most commonly targeted. Thieves often have buyers lined up before they start stealing, creating organized networks that can strip restaurants of significant inventory over months.
Auto-Gratuity Double-Dipping Scams

Auto-gratuity is when a restaurant automatically adds a gratuity service charge to a bill. Typically, the auto-gratuity is 18% of the bill and is only applied to parties of six or more. Auto-gratuity scams occur when an employee takes advantage of customers who may not have noticed that the gratuity was already added, and allows them to add an additional tip. If there is a bill with a large tip in addition to a standard service fee, it is possible the customer wasn’t made aware of automatic gratuity and left an additional cash tip.
This scam exploits customer confusion and social pressure around tipping. Servers deliberately avoid mentioning that the automatic gratuity has already been added, then accept additional cash tips from unsuspecting customers who think they haven’t tipped yet.
Gift Card Fraud Networks

Online Reselling Scams: This type of fraud involves scammers buying or obtaining gift cards through illegal means, such as using stolen credit card details. They then sell these gift cards at discounted rates on unofficial websites or online marketplaces. Buyers who purchase these cards risk losing money if the original theft is discovered, and the cards are deactivated.
Account Takeover: Fraudsters use malware to gain unauthorized access to a person’s accounts where their gift cards are registered. Once inside, they transfer the digital gift card balances to different accounts under their control and steal the money or gift card benefits.
Phishing Scam: Scammers often use emails, texts, or phone calls pretending to be from reputable companies requesting gift card numbers and PINs for verification or account updates. Once the victim provides these details, scammers can easily steal the balance.
Fake Health Inspector Extortion

As an example, one common method that fraudsters have historically used to target restaurants is impersonating a health inspector. These scammers can call, email, or show up in person with claims of a health code violation and usually attempt to collect a baseless fine or gather personal information to use for identity theft. Even when these scammers don’t have official business cards or paperwork, they can feed off restaurant owners’ fear and urgency to force them into compromising situations.
These scams have grown increasingly sophisticated, with fraudsters using believable pretexts to pressure their targets. They often demand immediate payment of fines or threaten to shut down the restaurant if payments aren’t made on the spot.
Fast Food Digital Payment Fraud

Fast food fraud has seen a 45-percent increase in the last year or so, largely driven by a digital transformation sea change that has made these restaurants more vulnerable. Employees issue refunds to their own accounts, either by directly swiping their personal card or using stored card information on their phones.
This emerging scam takes advantage of mobile payment systems and digital refund processes. Employees process fake refunds to their own payment methods or accounts, making it appear as though they’re helping customers while actually stealing money. The complexity of digital payment systems makes these frauds harder to detect than traditional cash theft.
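A reconciliation check that surfaces the refund pattern described above, where refunds land on a card that never paid for the sale. This is an added example, not part of the original article; the record layout, card tokens, employee ids and amounts are constructed assumptions about what a POS export might contain.

```python
from collections import defaultdict

# Constructed POS records (not from the article). "card" is a tokenized
# card id; amounts are integer cents to avoid float comparison errors.
SALES = {
    "S1": {"card": "tok_A", "cents": 4200},
    "S2": {"card": "tok_B", "cents": 1850},
    "S3": {"card": "tok_C", "cents": 6325},
    "S4": {"card": "tok_D", "cents": 2700},
}
REFUNDS = [
    {"sale": "S1", "card": "tok_A", "cents": 4200, "employee": "emp_10"},  # normal
    {"sale": "S2", "card": "tok_X", "cents": 1850, "employee": "emp_22"},
    {"sale": "S3", "card": "tok_X", "cents": 6325, "employee": "emp_22"},
    {"sale": "S4", "card": "tok_D", "cents": 3500, "employee": "emp_22"},  # over-refund
    {"sale": "S9", "card": "tok_X", "cents": 2000, "employee": "emp_22"},  # no such sale
]

def flag_refunds(sales, refunds):
    """Return (sale_id, reason) for each refund that does not reconcile with its sale."""
    findings = []
    for r in refunds:
        sale = sales.get(r["sale"])
        if sale is None:
            findings.append((r["sale"], "no_matching_sale"))
        elif r["card"] != sale["card"]:
            findings.append((r["sale"], "card_mismatch"))
        elif r["cents"] > sale["cents"]:
            findings.append((r["sale"], "exceeds_sale"))
    return findings

def repeat_destination_cards(sales, refunds, threshold=2):
    """(employee, card) pairs where the card got refunds for >= threshold sales it did not pay for."""
    seen = defaultdict(set)
    for r in refunds:
        sale = sales.get(r["sale"])
        if sale is None or sale["card"] != r["card"]:
            seen[(r["employee"], r["card"])].add(r["sale"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}
```

A single mismatch can be an honest exception; the same destination card recurring under one employee is the signal worth escalating.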
The Hidden Cost of Restaurant Fraud

The National Restaurant Association estimates that employee theft accounts for 75% of restaurant loss. Internal employee theft accounts for 75% of restaurant inventory losses and 4% of restaurant sales. Employee theft in the restaurant industry costs businesses $3 to $6 billion annually.
Between March 2023 and February 2024, the average cost associated with a data breach in the hospitality industry – which includes hotels, cruise lines and restaurant chains – reached $3.82 million, up from $3.36 million during the same period in 2022–2023. These numbers show that fraud isn’t just a minor inconvenience – it’s a business-threatening epidemic that’s getting worse every year.
The restaurant industry faces unique challenges that make fraud detection difficult. High turnover rates mean constantly training new employees who may not understand security protocols. The fast-paced environment makes it hard to spot suspicious behavior in real-time. With razor-thin profit margins, even small frauds can significantly impact a restaurant’s bottom line.



