Scammers are using GDPR email alerts to conduct phishing attacks

Malicious actors posing as well-known businesses using the guise of GDPR to steal personal data

phishing

Threat detection specialists have uncovered a new trend of malicious actors using GDPR compliance as a cover to target businesses with email phishing attacks.

Hackers, according to cyber security company Redscan, are impersonating well-known companies to send fake emails warning about imminent changes to privacy settings in an attempt to spread malware or steal personal data.

Advertisement - Article continues below

Redscan said it first encountered this GDPR-inspired scam in an email sent by attackers disguised as Airbnb's customer support, asking recipients to update their personal information to continue using the service.

This technique is particularly opportunistic, with it taking advantage of the growing sense of urgency spreading among businesses as they race to comply with GDPR less than a month until its 25 May deadline.

Many businesses routinely handling personal data, including Airbnb, are in the process of complying with requirements set out in the new set of data regulations, with many contacting their personal and commercial users with updated terms of service and privacy policies.

"The irony won't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people's data," said Mark Nicholls, director of cyber security at Redscan, adding: "The skill level in launching phishing attacks is generally quite low so it's difficult to estimate the scale of such scams."

In a fake email sent by scammers using the address 'important@mail.airbnb.work' - resembling an authentic message sent by Airbnb (noreply@airbnb.com) - recipients were told they could not accept new bookings or send messages until they accepted the company's new Privacy Policy.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The email read: "This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies."

Airbnb, unsurprisingly, did not look kindly on its band being used for phishing attacks: "These emails are a brazen attempt at using our trusted brand to try and steal user's details, and have nothing to do with Airbnb."  

"We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate.  We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites," the company said in a statement to IT Pro

Nicholls noted that such attacks are commonplace: "Using current events and trends as bait for social engineering attacks is a common tactic. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that's clicking a link or divulging personal data.

Advertisement - Article continues below

"It's a textbook phishing campaign in terms of opportunistic timing and having a believable call to action."

He told IT Pro the phishing email Redscan came across was targeted at a generic business address, suggesting the attackers may have scraped addresses from the web.

"As we get closer to the GDPR implementation deadline, I think we can expect to see a lot a lot more of these types of phishing scams over the next few weeks, that's for sure."

The cyber security firm warned that businesses concerned with the risk of phishing should implement measures to prevent them falling foul to such scams, including multiple email-validation and authentication systems designed to prevent spoofing, as well as holding regular training sessions for staff.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/policy-legislation/general-data-protection-regulation-gdpr/355337/ico-will-reduce-gdpr-fines-due-to
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
Visit/security/privacy/355304/nhs-working-with-apple-google-coronavirus-tracking-app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Visit/policy-legislation/data-protection/355250/health-sites-sharing-users-medical-data-with-major-tech
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020