Ritz Roasted

Published on August 20, 2020

Some diners with bookings at the Ritz Hotel were reportedly targeted by phone scammers who posed as hotel staff to steal credit card details.

What Happened?

The ID spoofing attack involved the fraudsters pretending to be hotel staff, phoning people who already had a dining reservation at the Ritz and asking them to confirm their credit card details, or saying that their card had been declined and asking for a second bank card.

It has been reported that the telephone calls from the scammers were made to appear to come from the Ritz telephone number and that the scammers knew the correct booking details of diners.

It remains unknown exactly how the scammers obtained the details, and the incident and possible data breach was reported by the Ritz to the Information Commissioner’s Office (ICO).

Tried To Spend At Argos

It has been reported that the scammers used the details stolen from a Ritz diner’s card to attempt to buy over £1,000 of goods at the catalogue retailer Argos. When the victim’s bank noticed the transaction, the scammers then phoned the victim, pretending to be the bank, asking for a security code that had been sent to her mobile phone that would enable the cancellation of the Argos transaction.  In fact, the code would have enabled the authorisation of the transaction and the subsequent theft.

The Ritz

The Ritz has reported that the scam took place on 12 August and has emphasised that its team would never contact diners with reservations by telephone to request credit card details to confirm a booking.

Protection

ID scams and social engineering attacks are becoming more popular and there are measures that can be taken to avoid being scammed.  To avoid being scammed in this way, assume that restaurants (certainly banks) and other businesses will not call to confirm payment details or request authorisation codes. If such a call is received, don’t give any information, end the call and call the company back through the official numbers that you have on any official bills/statements (or the back of your payment card for the bank) or on the company’s main, official number that you have obtained yourself.  Report the call to the company, Action Fraud and the ICO.

What Does This Mean For Your Business?

In this case, the victims were influenced by the apparent legitimacy of the calls due to the correct details of their booking, the same/similar phone number, the convincing nature of the caller, and perhaps the fact that dining at the Ritz is not a regular occurrence and, therefore, booking processes are unfamiliar.  The scammers also had the benefit of the influence of the brand and the need of victims to avoid the discomfort of embarrassment after being told their card had been declined.

This story shows how scammers can quickly, ruthlessly and effectively exploit and leverage a data breach, and is a lesson to customers to always be suspicious of calls from companies about payment details, and to businesses to give data protection a high priority, even with fluid systems that are in regular daily use. This story illustrates how data breaches can damage brands through bad publicity and a potential loss of customer confidence.