Fraud is a perennial concern for quick-service restaurants (QSRs), and digital channels open ample new avenues for cybercrime, with hackers targeting restaurants for their cash, data and even customers’ loyalty points. High-tech schemes like credential stuffing and account takeover (ATOs) have become commonplace, but many fraudsters still rely on a technique that requires comparatively little technical know-how.
Social engineering fraud, also known as impersonation or deception fraud, sees hackers assuming fake identities and tricking employees into giving up valuable data. Such schemes have many forms and QSRs thus need a variety of methods to stop it. The following Deep Dive explores the different types of social engineering fraud and how restaurants can combat them.
How Social Engineering Fraud Targets QSRs
Restaurants’ extensive vendor and supplier networks make them especially vulnerable to social engineering as fraudsters can impersonate any of their partners. Bad actors may research restaurants’ inbound shipments and send fake invoices, prompting restaurants to pay fraudsters before they receive real bills and become aware of their mistakes.
Some cybercriminals are more interested in personal data than cash, however. A common scheme involves fraudsters posing as tax officials — a particularly effective tactic during the first quarter, when restaurants are preparing employee W2s and corporate tax documents. Fraudsters request that these documents be emailed to an official-sounding address, enabling them to harvest a trove of valuable data including Social Security numbers and addresses. One hacker even posed as a company’s HR department and made off with more than 20,000 company records.
Other fraudsters may go directly after restaurant employees with phishing schemes, a popular method for gaining access to data. Bad actors send innocuous-looking emails to workers, directing them to websites which download malware onto their computers or prompt employees for their passwords. Impacted employees unwittingly give hackers access to their personal login information, which can then be used as they wish.
“Vishing” and “smishing” are two phishing variants that have become more popular as QSR employees and consumers grow wise to the suspicious emails associated with phishing. These schemes rely on other means of communication: telephone calls for vishing and text messages for smishing. Both involve fraudsters convincing employees to reveal sensitive information or install malware.
Social engineering fraud can have dire consequences, too, with one 2016 incident causing pizza buffet chain Cicis to suffer a data breach that revealed customer credit card data from more than 135 locations. Fraudsters posing as tech support for the company’s point of sale (POS) system installed card-skimming malware and harvested credit card data over several months. The scheme was only noticed when employees found that their POS systems were malfunctioning, but the damage had already been done. The total number of victims is unknown, but the fact that it went completely unnoticed for months underscores this fraud’s dangers. Cicis could have avoided this expensive and embarrassing incident if proper social engineering fraud prevention efforts had been in place, and other QSRs would do well to employ various techniques and ensure they do not become victims.
Digital And Analog Fraud Prevention
Protection against social engineering fraud generally falls into one of two categories: technical solutions that can provide automated defenses against fraud attempts and education initiatives that can train employees to spot suspicious interactions. The best defense systems use a combination of both.
Two-factor authentication (2FA) is one of the most effective social engineering fraud protection methods as it requires employees to verify their identities with a second aspect in addition to their passwords, such as a code sent to their smartphones or a fingerprint scan. It is notably more difficult for fraudsters to obtain two different authentication methods and studies have shown that 2FA blocks 99 percent of bulk phishing attacks and 66 percent of targeted attacks, drastically reducing social engineering fraud’s effectiveness.
Intrusion detection systems, which can flag suspicious email extensions and warn employees before they enter and send personal data, are another technological solution. Employees with an email address ending in the domain “QSR123.com,” for example, would see emails from similar domains, such as “QSR-123.com” flagged.
QSR cybersecurity teams can also deploy extensive employee training efforts to fight social engineering fraud, teaching workers how to verify email addresses, spot suspicious vendor requests and develop best practices for password security. The most effective employee training programs incorporate regular phishing drills to test employees’ detection skills, sending out fake phishing emails and seeing which staff members fall for them. Those that do can then be identified for further training, eliminating weak links in the security chain.
Social engineering fraud has evolved with the rest of the world, and it shows no signs of slowing in the QSR industry. Preventative measures like 2FA and intrusion detection systems may be time consuming or expensive to implement and keep up to date, but those efforts and financial costs are small compared to a successful data breach’s fallout.