Protect Your Restaurant from Social Engineering Fraud This Tax Season

Social Engineering Fraud

In today’s digital age, virtually every business relies on networks for daily operations, including restaurants and the hospitality industry. This often involves handling sensitive data, such as customer payment cards, W-2 forms, and employee social security numbers.

Unfortunately, securing this data remains a significant challenge for businesses of all sizes. These valuable assets are often targeted by cybercriminals who aim to monetize stolen information, particularly during the tax season.

With tax season upon us, hackers are especially focused on acquiring W-2 forms. Once in their hands, these forms can be used to file fraudulent tax returns and carry out additional identity theft schemes.

Social engineering fraud, an increasingly common tactic, is often the method used to steal such data. This involves a multi-stage process: criminals first gather information, then build relationships with key personnel, and finally execute their scheme, typically via email.

Unlike the poorly worded scams of the past, today’s social engineering attacks are highly sophisticated and can trick even the most experienced employees into disclosing sensitive information.

Here are some of the most common social engineering tactics used by cybercriminals:

  • Business Email Compromise (BEC)/Email Phishing: Hackers may compromise the email accounts of top executives (CEO, CFO, etc.) or mimic their email addresses to request wire transfers, W-2 forms, or other confidential data. These requests are often urgent or time-sensitive, increasing the pressure to comply.
  • Phone Phishing (Vishing): Using automated systems that mimic legitimate messages from banks or financial institutions, criminals trick recipients into providing confidential information to “verify” their account details.
  • Fake Invoice Scam: A business is asked to wire funds to pay an invoice that appears to come from a trusted supplier, but the email request is actually sent from a fraudulent account. The email closely resembles the legitimate account, making it difficult to spot.

Steps to Prevent Falling Victim to Fraud

Given the rising frequency of social engineering attacks, it’s crucial for all businesses, including restaurants, to implement preventative measures:

  1. Educate and Train Employees: Regular training helps employees identify suspicious behavior and potential fraud attempts.
  2. Verify Requests: Any verbal or emailed request for funds or sensitive information should be verified in person or via phone with the requester.
  3. Use Two-Factor Authentication: For IT and financial systems, enable two-factor authentication for added security, and implement dual signatures for wire transfers over a certain threshold.
  4. Avoid Free Email Services: Use a private company domain for official communication instead of free, web-based email accounts.
  5. Be Cautious with Social Media and Website Posts: Avoid sharing sensitive details such as employee roles, hierarchical information, or office hours that could assist fraudsters.
  6. Avoid Clicking Suspicious Links: Never open unsolicited emails or click on links from unknown sources. These emails may contain malware that could compromise your system.
  7. Use Caution with Financial Emails: Don’t use the “Reply” function to respond to emails requesting financial information. Instead, forward the email and enter the recipient’s known-correct address yourself.
  8. Watch for Unusual Changes: Be wary if a trusted business contact suddenly requests to be reached through their personal email, especially if they have always communicated through a company account.
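
The header-level warning signs described above (a sender address that closely resembles a real one, a reply address that differs from the sender, a trusted contact moving to a personal mailbox) can also be checked automatically by whoever manages your email. The following Python sketch is an added example, not part of the original article; the company domain, supplier domain, executive name and sample messages are all constructed placeholders.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumptions for this example: all names and domains below are placeholders.
COMPANY_DOMAIN = "bistro.example"
KNOWN_DOMAINS = (COMPANY_DOMAIN, "produce-supplier.example")  # vetted senders
EXECUTIVES = {"dana rivera"}  # display names an attacker would imitate
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "freemail.example"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def imitated_domain(domain):
    """Return the known domain that `domain` nearly matches, else None."""
    for known in KNOWN_DOMAINS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None

def review(raw_message):
    """Return a list of warning flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    flags = []
    known = imitated_domain(sender_domain)
    if known:
        flags.append("lookalike-domain:" + known)
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")  # "Reply" would go somewhere else
    if name.lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        flags.append("executive-name-external-sender")
    if sender_domain in FREE_MAIL:
        flags.append("free-webmail-sender")
    return flags

# Constructed sample messages (not real mail).
FAKE_CEO = ("From: Dana Rivera <dana.rivera@bistr0.example>\n"
            "Reply-To: dana.ceo@freemail.example\n"
            "Subject: URGENT - send all W-2s today\n\nNeed these within the hour.\n")
SUPPLIER_PERSONAL = ("From: Produce Billing <billing@freemail.example>\n"
                     "Subject: New contact address\n\nPlease use this address now.\n")
GENUINE = ("From: Dana Rivera <dana.rivera@bistro.example>\n"
           "Subject: Friday schedule\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in [("fake CEO", FAKE_CEO), ("supplier", SUPPLIER_PERSONAL),
                       ("genuine", GENUINE)]:
        print(label, review(raw))
```

A flagged message is a prompt to verify the request by phone or in person, as in step 2; a message with no flags can still come from a compromised account.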

Despite these efforts, no system is foolproof, and businesses can still fall victim to social engineering attacks. If this happens, report the incident to the FBI’s Internet Crime Complaint Center (IC3), a joint initiative with the National White Collar Crime Center.

The Broader Impact of Fraud

When funds are stolen through social engineering fraud, the immediate concern is typically the financial loss. However, a far greater risk lies in the exposure of personally identifiable information (PII), which can lead to identity theft for employees or customers. This may trigger legal obligations to investigate the breach, notify affected individuals, and report to regulators.

The consequences can include costly legal fees, fines, IT forensics, credit monitoring services for those impacted, public relations expenses, and damage to your reputation.

Fortunately, insurance options are available to help businesses manage the financial risks associated with social engineering fraud. Crime insurance policies can cover fraudulent transfers, while cyber insurance can help with the costs tied to unauthorized access to sensitive information.

However, it’s important to thoroughly review policy terms and exclusions. Some crime policies may exclude coverage for voluntary transfers of funds, even if they were unknowingly sent to criminals.

Other insurers may offer policies that specifically cover such incidents. Working with a knowledgeable insurance broker can help ensure that your business is adequately covered, providing both financial protection and peace of mind in the event of a breach.

As social engineering fraud evolves, it’s essential for businesses, especially those in the restaurant and hospitality sectors, to be vigilant. The most effective risk management strategy combines employee education with robust security practices.

By transforming your team from potential weak links into proactive defenders, you can significantly reduce your risk of falling victim to fraud. Collaborating with an experienced insurance broker who understands your unique risks will further strengthen your ability to protect both your bottom line and your reputation.

Learn more at the Hub International Hospitality Insurance website.

Robert Fiorito
Robert Fiorito serves as Vice President with HUB International Northeast, a leading global insurance brokerage, where he specializes in providing insurance services to the restaurant industry. As a 25-year veteran and former restaurateur himself, Bob has worked with a wide array of restaurant and food service businesses, ranging from fast-food chains to upscale, “white tablecloth” dining establishments. Robert can be reached at 212-338-2324 or by email at robert.fiorito@hubinternational.com. For more information on HUB, please visit Hub International.