Restaurant accounts payable fraud prevention: Reducing cybersecurity risks
Fraudsters are using advanced technologies to target back-office employees. Here’s how operators can take practical steps to reduce their risk.
Key takeaways
- Fraud aimed at back-office operations is becoming a greater risk as transactions become more automated.
- Safeguards for accounts payable transactions can help protect the restaurant and increase employee awareness of the evolving threat landscape.
- As more advanced technology is helping control credit card fraud, fraudsters are turning to phishing emails to dupe employees.
- Train employees to beware of anomalous requests; sometimes friction is necessary for transaction security.
The rapid adoption of digital technology for payments, operations and customer engagement has helped restaurants substantially grow their businesses, but it also has provided criminals with troubling new opportunities to steal money and critical data.
Between March 2024 and February 2025, the average cost of a data breach in the hospitality industry — which includes hotels, cruise lines and restaurant chains — rose to $4.03 million, reflecting the growing financial impact of cyber incidents across the sector. As restaurants continue to expand their digital payment channels and operational technologies, criminals gain new access points to exploit. This creates an increasing risk for businesses that haven’t modernized their internal processes. At the same time, high employee turnover creates additional vulnerabilities as new staff may have limited familiarity with internal controls and vendor relationships.
Strengthening fraud awareness
Consumer demand for stronger protection of credit card information has driven improvements in security along payment rails. It has also led to the rollout of more advanced point of sale solutions that encrypt data. “Consumers are more fraud savvy,” says Shannon O’Donnell, senior merchant specialist with Bank of America. “They’re more aware of the safeguards in place, so they’re more open to making point of sale payments at the table.”
Nonetheless, the rapid increase in digital sales at quick service restaurants through apps, third-party platforms and websites has also opened the door for more credit card fraud, fraudulent chargebacks and even compromised point of sale systems. Each digital payment channel represents another area where adaptable cyber defenses are necessary.
Restaurants should be aware that back-office operations and accounts payable (AP), in particular, are also more frequent targets for fraud. Complex supply chains and an increasing number of vendor and third-party suppliers have introduced many potential access points for fraud and data breaches. Meanwhile, criminals continue to make use of well-known but still highly effective methods, such as phishing emails and malicious attachments, to trick overstretched employees.
AP phishing vulnerabilities
Fraudsters have become more sophisticated over time, deploying some of the same tools used by legitimate businesses — such as chatbots and large language models (LLMs) — to produce scam emails and requests that look legitimate. There has been a recent boom in fraud where back-office workers receive emails from what appears to be a known vendor asking to change the payment details for invoices. The money is then sent to a criminal instead of the actual vendor.
Unfortunately, AP departments have less direct control over payments as they increasingly turn to third parties to help execute transactions. There are more points along a payment pathway, and each represents an opportunity for fraud.
Restaurants of all formats need to remain vigilant to identify anomalous activity or requests from a vendor. Onboarding a new vendor always carries risk, especially for companies that do not have robust policies in place for verifying the vendor’s identity (e.g., background checks, verification of licenses or submission of W-9 forms or tax ID numbers).
Engaging banks for transaction security
Increasingly, businesses are setting up relationships with vendors that are exclusively digital. Absent from these relationships is human-to-human interaction, which otherwise provides a basic security safeguard. The risk of fraud also goes up when companies are paying for non-material charges, such as consulting services.
To manage this risk, Charles Murphy, senior treasury sales specialist at Bank of America, suggests that restaurants need to lean on transaction experts. “They really should engage their bank. Restaurants are in the business of serving food. Financial institutions are in the business of securely moving money,” he says. “They have a lot of intelligence to share, as well as solutions that can help manage back-office workstreams, protect sensitive account information, verify the legitimacy of vendor requests and implement fraud controls.”
Strengthening transaction security through added controls
Effective defense against AP fraud begins with recognizing that cyber fraudsters have observed the shift to ACH payments and ramped up activity in response. Employees receiving an invoice or request for payment from an established vendor — even one that matches their known contact information — should no longer assume the communication is legitimate.
When onboarding new vendors, employees should take the necessary time to record and verify key details, such as company or personal information and the routing numbers and contact information of the financial institution where the vendor directs payments.
To increase transaction security, AP departments can also create friction, or slow the process, by establishing review protocols and thresholds for any requests to change accounts or process out-of-cycle payments. Rather than framing the process as a delay, AP staff can present it as a necessary step for ensuring the security of the vendor’s accounts as well as their own.
Combating cybercrime and fraud will require ongoing technological refinements. A good defense depends on educated, alert employees who adopt a rigorous approach to security and do not assume communications are legitimate simply because they appear to come from established vendors and partners. A well-trained employee is the best line of defense against a serious breach that could affect your organization’s bottom line and reputation. The key to that training? Make sure employees know how to use technology while maintaining a healthy level of scrutiny.
1. IBM, “Cost of a Data Breach Report 2025”