In a world where data is everything, restaurants are at the forefront of using data more effectively to enable more personalized guest experiences. More than 90 percent of restaurant operators agree or strongly agree that data integration and technology platform interoperability are key drivers of restaurant success, according to Starfleet Research. Yet, when data gets into the hands of the wrong people, it can have a devastating impact on a restaurant’s business and reputation.
Restaurants face various security and fraud challenges, from common and widespread phishing scams to disgruntled staff having access to diner data and even third-party data breaches. Importantly, restaurants are responsible for the data they hold, for any administrative penalties and damages associated with mishandling it, and for any reporting obligations to diners and authorities.
Let’s dive deep into five common data threats the restaurant industry faces and the specific fraud prevention tactics that can help protect your business from each one.
1. Social engineering and phishing scams
Phishing is the most common scam restaurants face today. It relies on social engineering: the bad actor builds trust or a sense of urgency to pressure you into taking the action they want. For instance, a bad actor calls or emails a restaurant posing as an employee of a trusted vendor or service provider. They ask for login credentials or push you through a password reset to gain access to the account. Once in, they access guest data or other valuable information and use it to further exploit the system.
These bad actors present themselves as a known entity, such as a vendor or health inspector. Phishing scams via email can usually be identified by one of the following: poor grammar and spelling, urgent language, threats of legal action or negative consequences, random characters in the sender’s email address, and/or links from unknown senders.
2. Credit card fraud
Credit card fraud can often go undetected. For instance, when a guest provides their credit card details to restaurant staff over the phone to hold a reservation or complete a takeout order, often the quickest and easiest way to record the credit card information is to write it on a piece of paper. Yet this information is extremely sensitive and shouldn’t be recorded anywhere physical where someone else could find it. Similarly, train your staff never to repeat credit card information out loud, where anyone within earshot could note it down.
3. Insider threats
With staff turnover at an all-time high for the industry, you must recognize that sometimes bad actors come from the inside. A disgruntled employee, who may have left the restaurant, might change reservations or the restaurant’s availability, or modify the restaurant’s profile information. Or a phishing actor might target the right person, someone who is unhappy with their job, and open up the business to fraud.
Regular auditing can ensure that 1) only active employees have access to their accounts, and 2) each employee has the correct access level. When an employee leaves, immediately remove their user access as part of offboarding.
4. Third-party vendor fraud
Vendors have different levels of security and fraud detection in place. Properly evaluating third-party vendors is vital to ensure data is being stored in a secure, responsible way. When talking to vendors, consider asking them, “Can the restaurant delete data and what is the vendor’s retention policy?” and “Does the provider have a data security incident response plan?” If the vendor doesn’t secure its data, this can open you up to fraud.
5. Misuse of guest data
Guest information is sensitive and must be treated in a secure manner to keep it out of the hands of bad actors. For instance, if a phishing actor gained account access, they could export guest data if certain checks weren’t in place.
If you download guest and reservation information, store it in a secure manner. When guest data is on OpenTable servers, we handle it securely and with care. When you export it, it’s up to you to do the same (and we’ll provide you with information and guidance to handle it with care).
A good rule of thumb is to treat guest data as you would want your sensitive data to be treated: respect how guests want it shared, keep it secure, keep it only if you need it, and use it only as intended.
These are just a few of the most common data threats restaurants may face. In general, use good judgment and confirm the identity of any suspicious contacts. Talk to your staff and educate them on best practices when dealing with guest or restaurant data and potential risks.