When you see a number or name show up on your phone’s “Caller ID”, the call may not actually be from that number. People who made reservations for “Afternoon Tea” at The Ritz Hotel in London recently started receiving calls to “confirm their reservation” from what looked like the hotel’s phone number. In fact, it was a scam that was trying to obtain credit card information to commit fraud.
Attackers with a little inside knowledge can cause a lot of damage
The only information currently available about this scam is in a BBC story HERE. It indicates that after booking a reservation for Afternoon Tea at the hotel, some customers received a call a day before their appointment. The callers had enough information about their reservation that, together with the “spoofed” caller ID number displayed on their phone, they believed the calls were legitimate. Some people said they were a little suspicious because the callers couldn’t answer some basic questions about the hotel’s facilities. But that is still a plausible situation, as reservations systems are often outsourced, and have nothing to do with the primary venue you are booking with.
Checking for supply chain vulnerabilities
Although the BBC article doesn’t really mention this possibility, and in speculating, I am not pointing the finger at anyone, the first place to look in tracking down what happened should be whether or not an external reservation system was in use. By going to the hotel’s website I did discover that The Ritz now uses a service (which doesn’t hide its URL at all) at “bookatable.com”. It isn’t clear if this is the same service in use at the time of the attacks, but it illustrates how much establishments like hotels and restaurants rely on outsourced reservation services.
Those services, having direct access to booking information at the time a reservation is made, can be a target for attackers. It shows that the security measures put in place by a business’s suppliers or partners can impact the risks to which the organization and its customer data are exposed.
To protect yourself from becoming a victim of these attacks, you should never rely on the “Caller ID” displayed on your phone as a way of authenticating a caller. There are services for which anyone can pay a small fee, and a call can be initiated to any phone number, with the “Caller ID” displayed as a number, or sometimes a name, of your choosing. It is illegal to abuse these services in some jurisdictions, and there are actually some legitimate purposes for changing Caller ID information when calling (e.g. professionals like doctors or lawyers who want their office number to show up). But all you need to know is that the name or number on your phone is not guaranteed to be accurate or reliable.
While you might tend to trust a caller who has some information about you (like the time of your reservation), if you are aware of this kind of scam, you should be suspicious of anyone asking you for credit card information. The best thing to do is to end the call and contact the primary business that you made the booking for.
Educating staff, suppliers and even customers is a good idea
If you have a business where you rely on outsourced services to handle customer information, you should make sure that not only your own staff are trained on proper security and privacy practices, but that your suppliers are as well. If you have concerns in this area, Click Armor’s Active Awareness gamified learning platform may be a good way to engage anyone in your organization, or your supply chain, to work securely with customer information. It’s a great way to make sure everyone is aware of how to handle your business’s customer information according to your unique requirements.
And as a way of showing your customers how seriously you take their information security and privacy, you can use Click Armor to create gamified customer education programs to teach them how to recognize scams that might be impersonating your business.