How Email Scams Are Targeting Restaurants Nationwide

by Rohan Mehta
Restaurant owners are being targeted by a sophisticated social engineering campaign that leverages fear of regulatory action and reputation damage to extort money. The scam, which has surfaced across multiple establishments, utilizes a recurring persona to pressure business owners into making quick payments to avoid legal or administrative consequences.

The Anatomy of the ‘Michael’ Scam

The attack begins with an email from an individual identifying himself as Michael. In these messages, the sender claims to have suffered severe food poisoning after dining at the restaurant. The narrative is designed to create immediate panic, as the scammer threatens to report the establishment to health authorities and post damaging reviews online.

This is a classic example of a social engineering attack, in which the perpetrator manipulates human psychology, specifically fear and urgency, to bypass critical thinking. By posing as a disgruntled and ill customer, the attacker puts the business owner on the defensive, making them more likely to comply with demands to make the problem disappear quickly.

Leveraging Regulatory Fear

A key component of the scam is the threat of involving the Netherlands Food and Consumer Product Safety Authority (NVWA). By mentioning a specific government regulator, the attacker adds a layer of perceived legitimacy and high stakes to the threat. The fear of a surprise inspection or a forced closure often drives victims to consider paying a settlement rather than risking a formal investigation.

The Hidden Scams Targeting Restaurants Right Now

The campaign is characterized by its breadth; the same Michael persona has been used to target numerous restaurants simultaneously. This indicates a mass-distribution approach rather than a targeted attack on a specific business, suggesting the scammers are casting a wide net to find vulnerable targets.

Identifying and Mitigating the Threat

Security experts and local reports emphasize that these emails are fraudulent and that business owners should not engage with the sender or transfer any funds. The most effective defense is a simple verification process: checking reservation logs, payment records, or CCTV footage to confirm if a customer matching the description actually visited the establishment on the date claimed.

To protect against similar phishing and extortion attempts, businesses are encouraged to:

  • Verify claims independently: Never assume the validity of an email complaint that demands payment to avoid reporting.
  • Avoid clicking links: Scammers often utilize payment links that can lead to credential theft or malware installation.
  • Report the incident: Documenting the scam with local authorities helps map the scale of the campaign and warns other business owners.
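The verification step described above can be partly automated. The following is an added example, not code from the article or from any vendor: it flags complaint emails that combine an illness claim, a threat (regulator or reviews) and a payment demand, then checks the claimed visit date against a reservation log. The sample email, the reservation layout, the indicator phrases and the ISO date format are all assumptions made for illustration.

```python
import re
from datetime import date
from email import message_from_string

# Constructed sample complaint, modelled on the pattern described in the article.
SAMPLE_EMAIL = """\
From: Michael <michael@example.com>
To: info@restaurant.example
Subject: Food poisoning after dinner at your restaurant

I ate at your restaurant on 2024-03-14 and got severe food poisoning.
If you do not compensate me today I will report you to the NVWA and
post reviews everywhere. Pay here: https://pay.example/settle
"""

# Constructed reservation log: (date of visit, name on the booking).
RESERVATIONS = [(date(2024, 3, 13), "J. de Vries"), (date(2024, 3, 15), "M. Jansen")]

# Assumed indicator phrases; tune them to the wording you actually receive.
INDICATORS = {
    "illness_claim": re.compile(r"food poisoning|got sick|became ill", re.I),
    "regulator_threat": re.compile(r"\bNVWA\b|health (authority|authorities|inspection)", re.I),
    "review_threat": re.compile(r"\breviews?\b", re.I),
    "payment_demand": re.compile(r"\b(pay|compensat\w+|settle\w*|refund)\b", re.I),
    "link": re.compile(r"https?://\S+", re.I),
}

def triage(raw_email, reservations):
    msg = message_from_string(raw_email)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    sender = msg.get("From", "").split("<")[0].strip().lower()
    claimed = [date.fromisoformat(d) for d in re.findall(r"\b\d{4}-\d{2}-\d{2}\b", text)]
    # A visit counts as corroborated only if a booking exists on a claimed
    # date under a name that contains the sender's display name.
    corroborated = any(d == rd and sender and sender in name.lower()
                       for d in claimed for rd, name in reservations)
    extortion = {"illness_claim", "payment_demand"} <= set(hits) and (
        "regulator_threat" in hits or "review_threat" in hits)
    if extortion and not corroborated:
        verdict = "likely-scam: do not reply, pay, or click; report"
    elif extortion:
        verdict = "verify-further: visit found, still never pay via emailed link"
    else:
        verdict = "normal-complaint-handling"
    return {"indicators": hits, "claimed_dates": claimed,
            "corroborated": corroborated, "verdict": verdict}
```

A missing reservation is not proof on its own, since walk-in customers leave no booking; payment records and CCTV footage for the claimed date cover that gap.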
