Diners at the luxury Ritz hotel in London have been targeted by “extremely convincing” scammers who posed as hotel staff to steal payment card details.
The scammers phoned people with exact details of their restaurant bookings, asking them to “confirm” card details.
They then tried to spend thousands of pounds at the catalogue retailer Argos.
The Ritz told the BBC it was investigating a “potential data breach” and said it had alerted the Information Commissioner’s Office (ICO).
How did the scam work?
The fraudsters phoned people who had already made a restaurant reservation at the Ritz, pretending to be hotel staff.
How they got this information is still unknown.
One woman, who had made an online booking for afternoon tea at the Ritz as part of a celebration, received a call the day before her reservation.
The scammers asked her to “confirm” the booking by providing her payment card details.
The call was convincing because it appeared to have come from the hotel’s real phone number, and the scammers knew exactly when and where her reservation was.
One cyber-security expert told the BBC that caller ID spoofing in this way was “quite easy”.
The scammers told the woman that her payment card had been “declined”, and asked her for a second bank card.
After they had taken the payment card details, the scammers tried to make several transactions in excess of £1,000 at the catalogue retailer Argos.
When her bank spotted the suspicious transactions, the scammer phoned again – this time pretending to be from her bank.
He told the victim that somebody was trying to use her credit card, and in order to cancel the transaction she should read out a security code sent to her mobile phone.
In reality, this would have authorised the transaction.
A second woman, who made her original booking over the telephone rather than online, told the BBC that the exact same tricks had been tried on her.
She later felt suspicious that the scammer had not been able to correctly answer questions about the hotel’s facilities.
“People tend to trust caller ID, which is perfectly understandable because in theory it appears to authenticate the caller,” said Dr Jessica Barker, co-founder of the cyber-security company Cygenta.
“On top of that, when a scam like this involves insider information it adds an air of legitimacy and authority.”
What has the Ritz said?
The Ritz said it had been made aware of a potential data breach within its “food and beverage reservation system” on 12 August.
It is continuing to investigate how the scammers accessed customer information.
It said it had emailed customers that may have been affected, warning them: “After a reservation has been made at the Ritz London, our team will never contact you by telephone to request credit card details to confirm your booking with us.”
It has not revealed how many people were affected.
How can I protect myself from scams like this?
Restaurants should never phone you asking for payment information to “confirm” your booking. If you receive a suspicious call, you could hang up and call the venue back later – or from a different phone – using the number on their official website.
Dr Barker warns against giving card details to somebody who has called you, and suggests always calling the company back yourself.
If a bank believes a transaction has been fraudulent, they will not ask you for security codes in order to cancel the transaction.
If you receive a suspicious call you think is pretending to be from your bank, hang up and call your bank back later – or from a different phone – using the number on the back of your payment card.