IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Scammers are using GDPR email alerts to conduct phishing attacks

Malicious actors posing as well-known businesses using the guise of GDPR to steal personal data

phishing

Threat detection specialists have uncovered a new trend of malicious actors using GDPR compliance as a cover to target businesses with email phishing attacks.

Hackers, according to cyber security company Redscan, are impersonating well-known companies to send fake emails warning about imminent changes to privacy settings in an attempt to spread malware or steal personal data.

Redscan said it first encountered this GDPR-inspired scam in an email sent by attackers disguised as Airbnb's customer support, asking recipients to update their personal information to continue using the service.

This technique is particularly opportunistic, with it taking advantage of the growing sense of urgency spreading among businesses as they race to comply with GDPR less than a month until its 25 May deadline.

Many businesses routinely handling personal data, including Airbnb, are in the process of complying with requirements set out in the new set of data regulations, with many contacting their personal and commercial users with updated terms of service and privacy policies.

"The irony won't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people's data," said Mark Nicholls, director of cyber security at Redscan, adding: "The skill level in launching phishing attacks is generally quite low so it's difficult to estimate the scale of such scams."

In a fake email sent by scammers using the address 'important@mail.airbnb.work' - resembling an authentic message sent by Airbnb (noreply@airbnb.com) - recipients were told they could not accept new bookings or send messages until they accepted the company's new Privacy Policy.

The email read: "This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies."

Airbnb, unsurprisingly, did not look kindly on its band being used for phishing attacks: "These emails are a brazen attempt at using our trusted brand to try and steal user's details, and have nothing to do with Airbnb."  

"We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate.  We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites," the company said in a statement to IT Pro

Nicholls noted that such attacks are commonplace: "Using current events and trends as bait for social engineering attacks is a common tactic. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that's clicking a link or divulging personal data.

"It's a textbook phishing campaign in terms of opportunistic timing and having a believable call to action."

He told IT Pro the phishing email Redscan came across was targeted at a generic business address, suggesting the attackers may have scraped addresses from the web.

"As we get closer to the GDPR implementation deadline, I think we can expect to see a lot a lot more of these types of phishing scams over the next few weeks, that's for sure."

The cyber security firm warned that businesses concerned with the risk of phishing should implement measures to prevent them falling foul to such scams, including multiple email-validation and authentication systems designed to prevent spoofing, as well as holding regular training sessions for staff.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Internet providers look to ease cost of living crisis with cheaper broadband
broadband

Internet providers look to ease cost of living crisis with cheaper broadband

29 Jun 2022