The owner of a New York City restaurant was the victim of a cyber scam last month that forced him to close temporarily for the summer.
It wasn’t a cyber attack, in the sense that typically makes the news. But it was the type of digital deception that could happen to any business with a payroll, said Bret Csencsitz, owner of the 40-year-old restaurant Gotham Bar & Grill in New York’s Greenwich Village.
In part as a result, Csencsitz has closed the fine-dining venue entirely for the summer, laying off about 50 employees—though he hopes to hire most of them back when the restaurant reopens.
It’s a cautionary tale that Csencsitz wants to share with the industry. He wants others to learn from his mistake.
“This is a known issue, and I don’t think restaurants, certainly independent restaurants, are aware of how these things work,” said Csencsitz. “I think the awareness needs to be elevated.”
It all started last month on payroll day, a Friday. Usually, Csencsitz starts the payroll process earlier in the week, but sales had been tight and he put it off until Friday morning.
“That was the thing. When people are under pressure and you have to act quickly, it’s easier for these issues to happen,” he said.
The process had started out normally. The person responsible for payroll at the restaurant verified the amount via email, and so did the representative at Paychex, the restaurant’s payroll services provider. Csencsitz, who was cc’ed on the interaction, typically is the one to complete the transaction.
But the Thursday night before the transaction was scheduled, an odd email came from what appeared to be the account rep from Paychex. It included the earlier thread, but Csencsitz was asked to send the money to a different account and routing number.
Csencsitz said the email appeared to be from the same person he had been dealing with. The routing number was for the same bank.
So he sent the money, which was roughly $45,000.
But then, he realized the wire had gone to a name that was unfamiliar. And he didn’t receive the usual confirmation.
Looking through the emails more closely, Csencsitz noticed a URL at one point added another letter—just one K where it shouldn’t be—though everything else was identical to earlier communication.
“It was very subtle and highly sophisticated,” he said.
Csencsitz called the bank and sent the email trail to show when the “nefarious actor” entered the email chain—though it’s still not clear how.
Initially, he had hope. The bank said the funds would be “recalled,” though Csencsitz learned later that just meant the bank would ask for the money back.
“That doesn’t make sense. You’re asking for a thief to return money,” he said.
Csencsitz didn’t want to identify the bank, saying officials were working with him to investigate and he still hopes to be made whole.
Meanwhile, however, he believes the hack occurred through Paychex, since whomever inserted themselves into the email thread knew names, amounts and timing.
Csencsitz was told that the payroll provider did an internal investigation and they found no hack on their end. They suggested the restaurant’s email had been breached.
Paychex officials reiterated in an email that the payroll providers network was not inappropriately accessed.
"We take issues of fraud seriously," said Tracy Volkmann, manager of public relations. "Paychex has been working with this client since the fraud was discovered and will continue to assist them directly in the investigation."
She added that social engineering, including phishing, is one of the most common ways that such attacks occur and businesses should exercise caution when conducting business via email, especially when exchanging sensitive information.
Csencsitz also said Paychex had insurance on his account. But he was told it could not be tapped because Csencsitz did not follow the proper security protocol.
“Proper protocol which nobody trained me on,” Csencsitz said.
That protocol includes setting up a double verification system with at least two forms of identification. Volkmann did not comment on the question about insurance or the protocol.
“I don’t claim to be completely non-responsible,” Csencsitz said. “At one level, how could I fall for such a thing. But I’ve decided it’s worth talking about because other people should know. Apparently this happens all the time.”
The International Monetary Fund agrees. In a recent report, the IMF said cyber attacks have more than doubled since the pandemic, and the size of losses has reached as much as $2.5 billion—not including indirect costs for a business that falls victim, like the need for upgraded security or reputational damage.
After the incident, Gotham carried on for another month. Workers were paid, he said.
But it couldn’t have come at a worse time for the restaurant, which had spent its reserves keeping workers paid during the tumultuous period following the Covid shutdown, and through Omicron.
Summers are always a slow season, he said, and New York hasn’t fully recovered from the pandemic. Before 2020, Gotham saw 40% to 60% of revenue from business meals. Now people are only in their offices two or three days a week.
“New York has fundamentally changed,” he said.
Even before the incident, Csencsitz had been planning to close the restaurant for some renovations for a week or two. But the incident, combined with the slow summer, forced Csencsitz to take more drastic action.
The restaurant closed June 10 and will remain closed through July. The dining room is being reworked to add private dining space, he said. He hopes to reopen in August.
He plans to use a different payroll service.
And he offers others in the industry this advice:
Get cyber insurance.
“We had an opportunity a year ago, and I declined it because it was not inexpensive,” he said. “But it was probably something I should have done.”
UPDATE: This article was updated with a response from Paychex.
Members help make our journalism possible. Become a Restaurant Business member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.