When you see a number or name show up on your phone’s “Caller ID”, the call may not actually be from that number. People who made reservations for “Afternoon Tea” at The Ritz Hotel in London recently started receiving calls to “confirm their reservation” from what looked like the hotel’s phone number. In fact, it was a scam that was trying to obtain credit card information to commit fraud.

Attackers with a little inside knowledge can cause a lot of damage

The only information currently available about this scam is in a BBC story HERE. It indicates that after booking a reservation for Afternoon Tea at the hotel, some customers received a call a day before their appointment. The callers had enough information about their reservation that, together with the “spoofed” caller ID number displayed on their phone, they believed the calls were legitimate. Some people said they were a little suspicious because the callers couldn’t answer some basic questions about the hotel’s facilities. But that is still a plausible situation, as reservations systems are often outsourced, and have nothing to do with the primary venue you are booking with.


Checking for supply chain vulnerabilities

Although the BBC article doesn’t really mention this possibility, and in speculating, I am not pointing the finger at anyone, the first place to look in tracking down what happened should be whether or not an external reservation system was in use. By going to the hotel’s website I did discover that The Ritz now uses a service (which doesn’t hide its URL at all) at “bookatable.com”. It isn’t clear if this is the same service in use at the time of the attacks, but it illustrates how much establishments like hotels and restaurants rely on outsourced reservation services.

Those services, having direct access to booking information at the time a reservation is made, can be a target for attackers. It shows that the security measures put in place by a business’s suppliers or partners can impact the risks to which the organization and its customer data are exposed.

To protect yourself from becoming a victim of these attacks, you should never rely on the “Caller ID” displayed on your phone as a way of authenticating a caller. There are services for which anyone can pay a small fee, and a call can be initiated to any phone number, with the “Caller ID” displayed as a number, or sometimes a name, of your choosing. It is illegal to abuse these services in some jurisdictions, and there are actually some legitimate purposes for changing Caller ID information when calling (e.g. professionals like doctors or lawyers who want their office number to show up). But all you need to know is that the name or number on your phone is not guaranteed to be accurate or reliable.

While you might tend to trust a caller who has some information about you (like the time of your reservation), if you are aware of this kind of scam, you should be suspicious of anyone asking you for credit card information. The best thing to do is to end the call and contact the primary business that you made the booking for.

Educating staff, suppliers and even customers is a good idea

If you have a business where you rely on outsourced services to handle customer information, you should make sure that not only your own staff are trained on proper security and privacy practices, but that your suppliers are as well. If you have concerns in this area, Click Armor’s Active Awareness gamified learning platform may be a good way to engage anyone in your organization, or your supply chain, to work securely with customer information. It’s a great way to make sure everyone is aware of how to handle your business’s customer information according to your unique requirements.

And as a way of showing your customers how seriously you take their information security and privacy, you can use Click Armor to create gamified customer education programs to teach them how to recognize scams that might be impersonating your business.

Cyber Security

Phishing Defense

Phishing threatens businesses and opens the door to ransomware. Fight phishing and spear phishing attacks with gamified learning.

Social Engineering Defense

Social engineering scams are a serious hazard to businesses. Fight back with Click Armor.

Cyber Security Awareness for Remote Workers

Home-based workers are vulnerable to cyber attacks. Build team immunity today.


PCI Compliance Awareness

When team members work in an environment where they may encounter cardholder data, they need to know what to do to protect it.

Gamified HIPAA Compliance Awareness

If your business is a supplier to a healthcare provider in the USA or Canada, your team needs to know what to do to protect Protected Health information (PHI).

Gamified Learning Platform

Active Awareness Platform

Experience the power of tailored gamified learning with Click Armor. Take your security awareness training to the next level.

Blog / View All


What is gamification?

What is gamification?

While some people assert that there is a single definition (in their mind) of what gamification is, I’ve actually...