Restaurant accounts payable fraud prevention: Reducing cybersecurity risks

The rapid adoption of digital technology for payments, operations and customer engagement has helped restaurants substantially grow their business in just a few years, but it also has provided criminals with troubling new opportunities to steal money and critical data.

Between March 2023 and February 2024, the average cost associated with a data breach in the hospitality industry — which includes hotels, cruise lines and restaurant chains — reached $3.82 million, up from $3.36 million during the same period in 2022–2023.¹ Technology allows criminals to have more access points to operations, and restaurants that haven’t upgraded their processes are at increased risk. Plus, there’s the turnover issue, which creates additional vulnerabilities. Restaurants are constantly hiring new employees, who have less familiarity with internal controls and vendor and supplier relationships.

Consumer demand for active measures to protect their credit card information has led to better security along payment rails and the rollout of more advanced point of sale solutions that encrypt data. “Consumers are more fraud savvy,” says Shannon O’Donnell, senior merchant specialist with Bank of America. “They’re more aware of the safeguards in place, so they’re more open to making point of sale payments at the table.”

Nonetheless, the rapid increase in digital sales at quick service restaurants (QSR) through apps, third-party platforms and websites has also opened the door for more credit card fraud, fraudulent chargebacks and even compromised point of sale systems. Each digital payment channel represents another area where adaptable cyber defenses are necessary.

Restaurants should be aware that back-office operations and accounts payable (AP), in particular, are also more frequent targets for fraud. Complex supply chains and an increasing number of vendor and third-party suppliers have introduced many new potential access points for fraud and data breaches. Meanwhile, criminals continue to make use of well-known but still highly effective methods, such as phishing emails and malicious attachments, to trick overstretched employees.

Fraudsters have become more sophisticated over time and now deploy some of the same tools used by legitimate businesses — such as chatbots and large language models — to produce scam emails and requests that look legitimate. There has been a recent boom in fraud where back-office workers get emails from what appears to be a known vendor asking to change the payment details for invoices. The money then gets sent to a criminal instead of the actual vendor.

Unfortunately, the level of control AP departments have over payments has thinned as they increasingly turn to third-party middlemen to help execute transactions. Simply put, there are more points along a payment pathway, and each represents an opportunity for fraud.

That’s why restaurants of all formats need to remain especially vigilant to identify anomalous activity or requests from a vendor. Onboarding a new vendor always carries risk, especially for companies that do not have robust policies in place for verifying the vendor’s identity (e.g., background checks, verification of licenses or submission of W-9 forms or tax ID numbers). 

Increasingly, businesses are setting up relationships with vendors that are exclusively digital, in which human-to-human interaction, which can provide a basic security safeguard, is largely absent. The risk of fraud also goes up when companies are paying for non-material charges, such as consulting services.

To manage this risk, Charles Murphy, senior treasury sales specialist at Bank of America, argues that restaurants need to lean on transaction experts. “They really should engage their bank. Restaurants are in the business of serving food. Financial institutions are in the business of securely moving money,” he says. “They have a lot of intelligence to share, as well as solutions that can help manage back-office workstreams, protect sensitive account information, verify the legitimacy of vendor requests and implement fraud controls.”

Effective defense against AP fraud begins with recognizing that cyber fraudsters have observed the shift to ACH payments and ramped up activity in response. Employees receiving an invoice or request for payment from an established vendor — even one that matches their known contact information — can no longer assume the communication is legitimate.

When onboarding new vendors, employees should take the necessary time to record and verify key details, such as company or personal information and the routing numbers and contact information of the financial institution to which the vendor directs payments.

To increase transaction security, AP departments can also create friction, or slow the process, by establishing review protocols and thresholds for any requests to change accounts or process out-of-cycle payments. Rather than framing the process as a delay, AP staff can present it as a necessary step for ensuring the security of the vendor’s accounts as well as their own.

Combating cybercrime and fraud will require ongoing technological refinements. A good defense depends on educated, alert employees who adopt a rigorous approach to security and do not assume communications are legitimate simply because they appear to come from established vendors and partners. A well-trained employee is the best line of defense against a serious breach that could affect your organization’s bottom line and reputation. The key to that training? Make sure employees know how to leverage technology — without putting their unqualified trust in it.