Review Bombing Attacks: Don’t Pay the Ransom, Protect Your Business From What Might Come Next

Across the U.S. and beyond restaurant owners are reporting sudden waves of one-star reviews appearing within hours or days, often from accounts with no real connection to the business. This tactic, known as review bombing, is designed to damage a business’s online reputation fast. Fake complaints about food, service, or hygiene can quickly push a restaurant down in search results, scare away customers, and impact revenue almost overnight.

While restaurants are the ones which raised the alarm*, review bombing an affect any business that relies on online reviews, especially in hospitality and local services, from cafés and hotels to salons, gyms, car rentals, and other local businesses.

What makes review bombing particularly dangerous is how it’s increasingly being used as a pressure tactic for extortion. With 81% of consumers use Google to read reviews to evaluate local businesses and 94% of consumers saying* a bad review has caused them to avoid a business, attackers know that damaging a rating creates panic.

In some cases, fake reviews are followed by direct demands for payment, with criminals promising to stop the attack or remove reviews in exchange for money. When review bombing is tied to extortion, the risk goes beyond reputation damage and client loss, to further attacks, including account takeovers, impersonation scams, and phishing attempts aimed at staff or customers. Here’s what to do if it happens to you.

What Is Review Bombing?

Review bombing happens when a business suddenly receives a large number of negative reviews in a short period of time, often from people who were never real customers. These reviews are typically coordinated, repetitive, and designed to damage the business’s reputation as quickly as possible. Unlike genuine negative feedback, review bombing is about volume and timing. A wave of one-star ratings can push a business down in search results, lower its overall rating, and scare away potential customers before the owner even understands what’s happening.

This type of attack can show up on major review and commerce platforms such as Google Reviews, Yelp, Trustpilot, Facebook, Amazon, and even entertainment platforms like Steam or Metacritic. 

Related:

• How to Deal with or Remove Negative Google Reviews (Fake or Legitimate)
• How to Spot and Protect Your Business from Fake Reviews: Red Flags, Tips, and Tools

When Review Bombing Becomes Extortion and a Gateway to Bigger Attacks

While the reasons behind review bombing can range from online backlash and competitor sabotage to trolling or public controversies, the most damaging scenario is review bombing used for financial extortion.

In these cases, fake reviews are the pressure tactic. Cybercriminals flood a business with one-star ratings to create panic, then follow up with demands for payment in exchange for stopping the attack or “fixing” the reviews.

It can quickly escalate, as once attackers see that a business is stressed, responsive, or unsure how to react, review bombing can become the first step in a broader cybercrime campaign.

Common follow-up risks include:

· Account takeovers. Attackers may try to break into business accounts on review platforms, social media, email, or booking systems. Gaining access allows them to post more damaging content, lock owners out, or demand further payment to restore control.

· Phishing attacks. Criminals may send emails or messages that look like they come from Google, Yelp, or a “review support team,” tricking you or your employees into sharing login details or clicking malicious links.

· Fake support or “reputation repair” offers. Some attackers pose as marketing agencies or reputation specialists, offering to “clean up” reviews for a fee while being part of the same scam or creating a new one.

· Customer impersonation and fraud. In some cases, attackers impersonate the business to contact customers, share fake warnings, or redirect people to fraudulent websites, further damaging trust.

· Repeat targeting. Once a business is flagged as vulnerable, it may be targeted again, either by the same group or by others using similar tactics.

Related: Small Business Security Starter Kit: The Tools You Need and Why

What to Do If Your Business Is Targeted

When review bombing turns into extortion, the pressure can feel intense. The goal is to make you panic and act fast. The most important thing you can do is slow the situation down and respond strategically.

1. Don’t pay

If someone demands money to stop the reviews or “fix” your rating, don’t pay. There’s no guarantee the reviews will stop, and in many cases, paying simply marks your business as an easy target for repeat attacks or new scams.

2. Document everything

Before responding publicly or privately:

· Take screenshots of suspicious reviews, profiles, timestamps, and messages

· Save any emails, messages, or calls asking for payment

· Note sudden spikes in reviews or patterns that don’t match real customer activity

This evidence matters for platforms, and potentially for law enforcement.

3. Report and escalate on review platforms

Most platforms prohibit fake reviews and extortion, and they do act, but reports work best when they’re detailed and timely.

· Report suspicious reviews directly through the platform

· Escalate to customer support if your profile is being overwhelmed

· Clearly explain why the reviews are fraudulent (timing, location mismatches, non-customers, repeated wording)

Google has recently introduced dedicated merchant extortion reporting tools and uses AI to detect coordinated abuse. In 2025 alone, Google removed more than 240 million reviews that violated its policies, a sign that reporting does make a difference, even if it takes time. Yelp and Metacritic also have clear rules against fake or coordinated reviews and allow businesses to flag violations.

4. Know your rights your legal and the limits

Laws are increasingly catching up with fake reviews and online extortion. In the U.S., the Federal Trade Commission now bans fake reviews outright and allows for you to seek civil penalties. Violators can face fines of up to $50,000 per fake review. But note that enforcement becomes more complicated when attackers operate overseas or use anonymous accounts.

5. Keep your public response minimal and professional

Avoid engaging emotionally or accusing reviewers publicly. A short, neutral response or no response at all is often better while platforms investigate. Attackers want attention and reaction; calm limits their leverage.

Related: Most Common Cyber Threats on Small Businesses and How to Prevent Them (Without Hiring an IT Team)

How to protect your business from follow-up attacks

Review bombing tied to extortion often doesn’t stop at reviews. Take basic steps to reduce the risk of escalation:

· Lock down all business accounts. Use strong, unique passwords for review platforms, email, social media, booking tools, and payment services to stop attackers move from reviews to account takeovers.

· Turn on two-factor authentication (2FA). Enable 2FA wherever it’s available, especially for email and review platforms.

· Brief your staff. Let employees know that fake “support” messages may follow a review attack. No legitimate platform will ask for passwords, codes, or urgent action via email or DMs.

· Be skeptical of quick fixes. Agencies or individuals offering to “clean up” reviews fast, especially if they contact you right after an attack, may be part of the scam or a separate one altogether.

Bitdefender Ultimate Small Business Security can help carry some of this load. It protects business devices, email accounts, and  your business digital identity, and can reduce the risk of follow-up attacks. Protection works best when it’s already in place, before an incident happens.

Try Bitdefender Ultimate Small Business Security for free for 30 days.

Sources: restaurantbusinessonline.com, powerreviews.com

FAQs

What is review bombing?

Review bombing is when a business receives a sudden surge of negative reviews in a short time, often from people who were never customers. These reviews are typically vague, repetitive, or unrelated to real experiences and are meant to damage ratings and scare away potential customers.

What should you do first if your business is review bombed?

The first step is to document everything. Take screenshots of suspicious reviews, note timestamps and patterns, and report them immediately on the platform where they appear, such as Google Reviews or Yelp. Them secure your business online accounts and email. 

How long does it take to recover from review bombing?

Recovery time varies depending on how quickly platforms respond and how severe the attack is. Some fake reviews may be removed within days, while others take weeks, but consistent reporting and genuine customer reviews usually help ratings stabilize over time.