5 Best Practices to Prevent Phishing Scams in Your Restaurant

Feb 16 2017


Phishing scams are usually fraudulent emails that look legitimate and try to trick you into giving away personal information. Phishing scams aimed at restaurants often try to gain access to your POS, which holds valuable customer information, including credit cards.


These scams may come in the form of an email, a phone call or even social media. They often appear authentic: they may contain the logo or company information of a vendor that you work with, or even copy the name of someone that you have worked with. If your restaurant does suffer this type of attack, you could be faced with lost customer trust, negative PR and more.

So, how do you prevent this type of attack?

  1. Talk to your team. Ensure everyone is aware of what phishing scams are and of some common ways to spot them. It is also a best practice to institute a communication policy for providing sensitive information to outside sources.
  2. Verify who you are talking to. Verify the name and number of the person that you are talking to and call them back on a valid number. Anyone legitimate will understand that you have the right to call them back on a verified phone number (one that you can look up, which may not be the one that they provided to you).
  3. Trust your gut. If something seems suspicious, take the time to verify that the call is authentic. If someone uses threatening language, asks personal questions or is unprofessional, disconnect and verify the call to ensure you are protected.
  4. Don’t give out sensitive information. Never provide any of the requested information. Never give out financial information or computer access to anyone that you are not certain about.
  5. Don’t open suspicious links in emails. If you are not certain of the sender, do not open any links or attachments until you have reached out to your IT team or verified the sender.

It is common practice for these scammers to use social engineering to modify people’s behavior so that they are more likely to provide information. This includes knowing names and positions within your organization and using a coworker’s or boss’s name in an intimidating way, such as “Your boss, John, said he’d fire you if you don’t get this installed today!”**

Even if you already have proper IT security education in place at your restaurants, it doesn’t hurt to remind your staff that they should not accept inbound calls requesting POS access, even if an announcement has been made beforehand. At minimum, they can help protect themselves from this sort of attack by taking a name and phone number, then verifying that phone number against a website or trusted contact list before they call back.

**Ctuit prides itself on its customer service and professionalism. Our team members will never use hostile language, threaten your job, ask personal or financial questions or become enraged or unprofessional in our communication. If any of these occur, disconnect from the caller immediately and reach out to Ctuit on a verified phone number or email address.

David Orr


Joining Ctuit in 2015, David brings a breadth of Information Technology experience ranging from the small organization to the large enterprise. David’s 24-year career in IT includes the last 15 years focused on Software as a Service (SaaS) solutions and ensuring systems availability on a 24x7x365 basis. He has worked in a variety of industries including software development, data centers, manufacturing, and telecommunications.