Key Takeaways
A simple safety notice that speaks to a bigger problem
TheFork, a well-known restaurant booking platform, has sent a short security message that explains how criminals try to trick diners and restaurant staff with fake online messages.
Clear rules that are easy to remember
The message says that TheFork and its partner restaurants do not ask for payments or sensitive data such as card numbers or passwords through text messages, chat apps, phone calls, or casual online messages, and that any request like this is a red flag.
Hospitality under pressure from smarter scams
Reports from European cybersecurity authorities show that phishing has become a main way for attackers to break into organisations, and hotels and restaurants are frequent targets.
Artificial intelligence raises the stakes
Analysts warn that more than four in five social-engineering attacks now use artificial intelligence tools, which makes fake booking and payment messages look more natural and harder to spot.
Awareness, not fear, is the real defence
Simple habits such as checking the sender, ignoring unexpected payment links, and using official apps and websites to confirm any request give diners and hospitality workers real power against these scams.
Story & Details
A small banner that hides a serious message
TheFork is a regular part of daily life for many diners who book tables, collect loyalty points, and sometimes buy gift cards through its website and app. At the top of the safety message, the account area shows a gift card balance of zero and a loyalty balance of zero points. It looks like a normal account screen, the kind that appears before a booking or a review.
Below that, the tone shifts. The message explains that customer safety is a top priority and that online scams aimed at restaurants and their guests have increased during 2025. It introduces a key term in simple language: phishing. In this context, phishing means a fake digital message or call that pretends to be from a trusted service in order to push a person to pay money or share sensitive information such as passwords or card details.
TheFork describes what these messages often look like. Many use pressure. They may say that a reservation will be lost unless payment is made at once, or that a special offer will expire in minutes. They may look like a booking update, a loyalty reward notice, or a delivery question. The message tells customers to pay close attention to who is really sending the message and which channels are used.
The rules that draw a clear line
At the heart of the notice are a few very direct promises. TheFork states that it does not ask for payments or sensitive information by casual digital messages, by calls out of the blue, or by chat apps such as popular mobile messaging services and social media chats. Partner restaurants using TheFork’s tools follow the same rule.
This simple line is important. It means that any unexpected message that asks for payment or sensitive data through these channels can be treated as suspicious at once. The text then explains what to do in that situation in very plain terms: do not click links, do not download files, do not send money, and do not answer the sender. Instead, delete the message.
The notice also gives a safe way to get help. If a person is not sure whether a message is real, they are advised to avoid all links and attachments and to contact TheFork’s support team through official contact pages on its website. The company’s legal and information pages explain how it handles data, reviews, and gift cards, and they sit under the main TheFork domain rather than in strange or unfamiliar addresses. [1][5]
Why restaurants and hotels attract phishers
This is not an isolated warning. Across 2024 and 2025, the European Union Agency for Cybersecurity has reported that phishing has become the most common starting point for successful attacks against organisations. Once attackers gain access to an account or internal system, they can move on to install malware, steal more data, or launch ransomware. [1][4]
Hospitality is a natural target. Hotels and restaurants work with constant flows of bookings, cancellations, last-minute changes, and payment questions. Staff are used to dealing with urgent requests from guests and booking platforms. Criminals exploit this culture of speed. Security researchers have described campaigns where fake booking pages copy the look of popular travel sites and try to capture staff login details. Other campaigns send bogus messages to hotel managers asking them to open attachments that secretly install malicious software. [3][4]
Smaller restaurants can be at special risk. They may not have full-time technical staff, but they do rely on online tools to manage reservations, loyalty schemes, and payment systems. A single stolen password can expose lists of customers and their bookings. In busy periods such as holidays, staff may have little time to check details and may feel strong pressure to respond quickly to every message.
Artificial intelligence changes the tone of fake messages
Another trend worries experts: the growing use of artificial intelligence in social-engineering attacks. A recent European awareness campaign on phishing warns that more than 80 percent of observed social-engineering activity now uses some form of artificial intelligence, including language models that generate convincing text in many languages and tones. [4][7]
In practice, this means that fake booking messages can now sound more natural and less robotic. They may match the style of real messages from known platforms. They can include local place names, realistic restaurant details, and personalised greetings scraped from public data. Combined with urgency and emotional triggers such as fear of losing a table or a discount, these messages can fool even careful staff and guests.
A Europe-wide push for simple cyber hygiene
Against this background, European institutions have turned phishing into a central theme of public campaigns. European Cybersecurity Month, held every October, has focused strongly on social engineering and phishing in recent years. The 2025 edition again highlights phishing as a main way attackers break into devices and accounts, and it encourages both organisations and citizens to adopt very simple habits: think before clicking, check the sender, and use trusted channels. [2][6]
ENISA, the European Union Agency for Cybersecurity, has published threat landscape reports that track thousands of incidents over recent years. These reports show that phishing and related social-engineering tricks remain a steady and powerful tool for attackers, even as technical defences improve. The agency stresses that human awareness is a vital part of any defence plan, and it produces materials aimed not just at experts but at the general public. [1][4][6]
One example is a short awareness video on how phishing scams work and how to stay safe. The video explains in simple language how a message can look real while leading to a fake site, and it shows viewers what to look for before they click. It is hosted on the official ENISA YouTube channel and is part of a wider push to make cybersecurity advice easier to understand:
[6] https://www.youtube.com/watch?v=Pfkh_Cc43W0
Turning a loyalty point balance into a teaching moment
TheFork’s own loyalty system, which lets diners earn points and turn them into discounts at partner restaurants, adds another layer. These points represent real value. That makes them attractive to criminals who can send fake messages that promise bonus points, warn that points are about to expire, or offer special rewards if the customer confirms card details.
By setting clear rules about how it will and will not contact customers about payments and sensitive information, TheFork gives its users a simple test they can apply every time. If a message about bookings, payments, or loyalty points arrives in a way that breaks those rules, the safest action is to ignore it and use the official app or website to check the account directly.
In 2025, as the holiday season brings crowded restaurants and busy hotel lobbies, that kind of clarity can make the difference between a short moment of doubt and a costly mistake.
Conclusions
A small nudge toward safer habits
A short safety notice from a restaurant booking platform may seem like a small thing, but it reflects a much larger shift. Phishing is no longer a rare, clumsy scam. It is now a polished, often automated tool used against hotels, restaurants, and their guests almost every day.
Clear, simple rules such as those shared by TheFork help cut through the noise. When a company states that it never asks for payments or sensitive data through casual digital messages, staff and customers gain a quick way to judge new messages. This kind of guidance does not remove the need for good technical security, but it gives ordinary people a practical role in defence.
A shared responsibility for a busy sector
For the hospitality world, the message is gentle but firm. Bookings, discounts, and loyalty points will always be part of the business. So will last-minute changes and urgent guest requests. Phishing will keep trying to ride on that sense of urgency.
By combining clear communication from platforms like TheFork, regular awareness campaigns from public bodies, and calm daily habits from staff and guests, the sector can stay welcoming and warm while making life much harder for those who want to turn fake messages into real damage.
Selected References
[1] European Union Agency for Cybersecurity (ENISA). “Emerging technologies make it easier to phish.”
https://www.enisa.europa.eu/news/emerging-technologies-make-it-easier-to-phish
[2] European Commission. “European Cybersecurity Month 2025 kicks off with focus on phishing threats.”
https://digital-strategy.ec.europa.eu/en/news/european-cybersecurity-month-2025-kicks-focus-phishing-threats
[3] TRG International. “Phishing in Hospitality: The Growing Threat Hotels Can’t Ignore.”
https://trginternational.com/blog/hospitality-phishing-threat-hotels/
[4] European Union Agency for Cybersecurity (ENISA). “ENISA Threat Landscape 2025.”
https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
[5] TheFork. “Legal and Trust, Safety and Transparency Information.”
https://www.thefork.com/legal
[6] European Union Agency for Cybersecurity (ENISA). “Beware email phishing scams” (video).
https://www.youtube.com/watch?v=Pfkh_Cc43W0
[7] Geneva Internet Platform Digital Watch Observatory. “EU kicks off cybersecurity awareness campaign against phishing threats.”
https://dig.watch/updates/eu-kicks-off-cybersecurity-awareness-campaign-against-phishing-threats
Appendix
Cybersecurity Month
Cybersecurity Month is an annual campaign in the European Union that runs each October and promotes safer use of digital services, with themes such as phishing and social engineering and with activities for both organisations and citizens.
Hospitality sector
The hospitality sector includes hotels, guesthouses, restaurants, cafés, bars, and related services that provide food, drink, and accommodation to guests, often relying heavily on online booking and payment systems.
Phishing
Phishing is a form of online fraud in which criminals send fake digital messages or create fake sites that pretend to be from trusted organisations, in order to trick people into sharing sensitive information or sending money.
Social engineering
Social engineering is the use of psychological tricks and emotional pressure to make people do something that helps an attacker, such as clicking a dangerous link, opening a harmful file, or sharing confidential details.
TheFork
TheFork is an online service and mobile app that lets people find restaurants, book tables, post reviews, and use digital payment and gift card features, and it works with partner restaurants in many European countries.
Yums loyalty points
Yums loyalty points are a reward currency in TheFork’s loyalty system that diners earn when they book and complete meals through the service and that can later be exchanged for money-off discounts at participating restaurants.
My Diary - Leonardo Cardillo 