Fraud on Restaurant Reservation Apps: How Bad Actors Are Ruining Dinner Plans & Stealing a Seat at the Table

Everyone loves the experience of going out for a nice lunch or dinner at a high-quality restaurant. Dates, business meetings, outings with friends, a new experience for enterprising foodies—the appeal of dining in is widespread, and it’s also in high demand. Like everything else in our lives, the act of reserving a table or joining a restaurant waitlist has also gotten a digital facelift over the past two decades.

Third-party apps and websites for making reservations have become commonplace, but unfortunately, the convenience they provide comes with an increased risk of abuse. Without adequate fraud prevention measures, the same tools diners use to plan a night out at a nice restaurant could end up pulling their seats out from under them.

What kinds of abuse problems face reservation apps today?

Reservation apps and websites typically work by having a side for restaurant owners to manage reservations running parallel to a diner side where diners can make, reschedule, and cancel reservations. Fraudsters take advantage of these services—and of the high demand for some restaurants—to make a buck at the restaurant, diner, and reservation service’s expense.

In one scam, fraudsters take advantage of a legal practice, the reselling of reservation spots for in-demand restaurants, and sell the same reservation spot to multiple people. When those people all show up to dinner at the same time, most of them lose out on an actual table, and the restaurant staff has to manage the negative emotions of people who were planning to have a nice, smooth dining experience but now arrive to find there’s no space for them.

Fake reservations can also be a problem. Someone with an axe to grind against a particular restaurant might try to fill their reservation slots with fluff—reservations under fake names and numbers—at peak times, costing the restaurant serious money and capacity when none of the fake reservees show up.

Two of the most significant types of abuse facing reservation services, however, are reservation scalping and social engineering schemes.

Reservation scalping & card-not-present fraud

So, what is a reservation scalper? In the dining reservation space, these are bad actors who make reservations for highly sought-after restaurants which they then sell for hundreds of dollars to actual diners. It rises to the level of fraud when scalpers use stolen credit cards as their card on file for the reservation, to protect their own funds from no-show fees or prepayment holds (some popular restaurants require a minimum deposit for reservations). After they receive payment from the resale of their fraudulent reservation, they cancel that reservation before the stolen card is charged.

The fraudster makes out like a bandit, having made money off a reservation without having to put any of their own money on the line. The diner who bought their table misses out on hundreds of dollars without actually getting to eat in, and the restaurant is in the position of either having an empty table or not having enough space for everyone despite using and potentially even paying for a reservation service. The reservation service in the middle of these transactions takes a hit to their reputation for accepting the fraudulent reservation and not preventing the confusion that results from the fraudster canceling after scalping their spot on the books.

Social engineering and vishing restaurants and patrons

Scalping is a problem, but it isn’t the only way fraudsters take advantage of reservation apps and restaurants. In another type of scheme, a fraudster might call a restaurant pretending to be a customer service representative from their chosen reservation software developer. The script might look something like claiming there’s a problem with the restaurant’s account and that the fraudsters need sensitive account information to confirm the restaurant’s authenticity.

If they successfully vish the information they’re after, the fraudster will then use it to compromise the restaurant’s account and access sensitive information about customers. This information could contain credit card information, which the fraudster can use to commit CNP or card-not-present fraud. Even if there are no customer cards on file, the bad actor can still access phone numbers and reservation info, giving them helpful context to vish for the financial information they’re after. For instance, a bad actor might call a diner claiming to be the restaurant staff and to need a card on file in order to hold the reservation.

This type of social engineering is harmful for everyone involved, but luckily, it’s largely preventable. Educating both restaurant and dining account holders never to give account or credit card information over the phone or email is a good start, but ATO or account takeover can also be prevented with some passive signals like location and device intelligence. For instance, in Incognia’s case, we use both location and device intelligence as identity signals that help us authenticate an account holder—or detect if someone signing into an account may not be who they say they are. If a restaurant account holder who usually logs in from Chicago suddenly logs in from Los Angeles, or accesses their account on a different device than normal, that sign-in carries a higher risk of being an ATO attempt than a typical one.

Using these sorts of signals to assess the risk of new sign-ins and transactions can help protect user accounts and the data they hold from nefarious actors.
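The Chicago-to-Los Angeles case above can be expressed as a small sign-in risk check. This is an added illustration, not Incognia's implementation; the `SignIn` fields, the thresholds (`near_km`, `max_kmh`) and the sample history are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class SignIn:
    when: datetime
    lat: float
    lon: float
    device_id: str  # hypothetical stable device identifier

def km_between(a, b):
    """Great-circle (haversine) distance between two sign-ins, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess(history, attempt, near_km=50.0, max_kmh=900.0):
    """Return (risk, reasons) for a sign-in judged against the account's past sign-ins."""
    if not history:
        return "medium", ["no_history"]  # nothing to compare against yet
    reasons = []
    if attempt.device_id not in {s.device_id for s in history}:
        reasons.append("new_device")
    if min(km_between(s, attempt) for s in history) > near_km:
        reasons.append("new_location")
    # Speed needed to get from the most recent sign-in to this one.
    last = max(history, key=lambda s: s.when)
    hours = (attempt.when - last.when).total_seconds() / 3600
    if hours > 0 and km_between(last, attempt) / hours > max_kmh:
        reasons.append("impossible_travel")
    if "impossible_travel" in reasons or len(reasons) >= 2:
        return "high", reasons
    return ("medium" if reasons else "low"), reasons

# Constructed sample data: a restaurant account that always signs in from Chicago.
CHICAGO = (41.8781, -87.6298)
LOS_ANGELES = (34.0522, -118.2437)
HISTORY = [
    SignIn(datetime(2024, 3, 1, 18, 0), *CHICAGO, "tablet-A"),
    SignIn(datetime(2024, 3, 2, 18, 0), *CHICAGO, "tablet-A"),
]

if __name__ == "__main__":
    attempt = SignIn(datetime(2024, 3, 2, 19, 0), *LOS_ANGELES, "phone-X")
    print(assess(HISTORY, attempt))
```

A "high" result would typically trigger step-up verification rather than an outright block, since legitimate users do travel and replace devices.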

Everyone likes a good night out at a restaurant, especially a popular one. Fraudsters try to take advantage of high demand by booking with stolen credit cards, selling people reservations at a high markup that they tend to cancel, vishing reservation app users, and selling the same reservation to multiple people. Reservation apps exist to make restaurateurs’ and diners’ lives easier—fraudsters exist to make them harder.

Fortunately, there are fraud prevention and detection tools on the market to help combat these bad actors. Passive authentication can help prevent ATO attacks after successful vishing attempts, for example, or the risk assessment from a device integrity check can help prevent a fraudster from booking with a stolen credit card, or from booking in-demand reservations en masse using a reservation app.

When the apps that enable these reservations take all necessary precautions against fraud and abuse, they come one step closer to ensuring everyone gets their proper seat at the table.