Diners at the luxury Ritz hotel in London were targeted by “extremely convincing” scammers who pretended to be hotel staff to steal payment card details.
The scammers phoned people with the exact details of their restaurant reservations, asking them to “confirm” their card details.
They then tried to spend thousands of pounds at the catalog retailer Argos.
The Ritz told the BBC it was investigating a “potential data breach” and said it had alerted the Information Commissioner’s Office (ICO).
However, the ICO told the BBC it had not yet received a report from the Ritz.
How did the scam work?
The scammers phoned people who had already made a restaurant booking at the Ritz, pretending to be hotel staff.
A woman, who had made an online reservation for afternoon tea at the Ritz as part of a celebration, received a call the day before her reservation.
The scammers asked her to “confirm” the booking by providing her payment card details.
The call was convincing as it appeared to come from the hotel’s real phone number and the scammers knew exactly when and where her reservation was.
A cybersecurity expert told the BBC that caller ID spoofing in this way was “fairly easy”.
The scammers told the woman that her payment card was “declined” and asked for a second credit card.
After capturing the payment card details, the scammers tried to make several transactions of more than £1,000 at the catalog retailer Argos.
When her bank spotted the suspicious transactions, the scammer phoned again, this time pretending to be from her bank.
The caller told the victim that someone was trying to use her credit card and that she would have to read out a security code sent to her cell phone to cancel the transaction.
In reality, this would have authorized the transaction.
A second woman, who made the original booking over the phone rather than online, told the BBC that the exact same tricks had been tried on her.
She later became suspicious because the scammer was unable to correctly answer questions about the hotel facilities.
“People tend to trust caller ID, which is perfectly understandable because in theory it appears to authenticate the caller,” said Dr. Jessica Barker, co-founder of cyber security firm Cygenta.
“Plus, when a scam like this involves inside information, it adds an air of legitimacy and authority.”
What did the Ritz say?
The Ritz said it was notified of a potential data breach within its “food and beverage reservation system” on August 12.
It is continuing to investigate how the scammers gained access to customer information.
It said it had sent an email to customers who may have been affected, warning them: “After a reservation has been made at the Ritz London, our team will never contact you by phone to request credit card details to confirm your booking with us.”
It was not revealed how many people were affected.
How can I protect myself from scams like this?
Restaurants should never call you and ask for payment information to “confirm” your reservation. If you get a suspicious call, you can hang up and call the venue back using the phone number on their official website.
Dr. Barker cautions against giving your card details to someone who called you and suggests that you always call the company back yourself.
If a bank believes a transaction was fraudulent, they won’t ask you for security codes to cancel the transaction.
If you get a suspicious call that you think is pretending to be from your bank, hang up and call your bank using the number on the back of your payment card.
Do you have more information on this or any other tech story? You can contact Chris directly through Twitter or via the Signal encrypted messaging app on: +44 7861 520418