Scammers are using GDPR email alerts to conduct phishing attacks

Malicious actors posing as well-known businesses using the guise of GDPR to steal personal data

phishing

Threat detection specialists have uncovered a new trend of malicious actors using GDPR compliance as a cover to target businesses with email phishing attacks.

Hackers, according to cyber security company Redscan, are impersonating well-known companies to send fake emails warning about imminent changes to privacy settings in an attempt to spread malware or steal personal data.

Redscan said it first encountered this GDPR-inspired scam in an email sent by attackers disguised as Airbnb's customer support, asking recipients to update their personal information to continue using the service.

This technique is particularly opportunistic, with it taking advantage of the growing sense of urgency spreading among businesses as they race to comply with GDPR less than a month until its 25 May deadline.

Many businesses routinely handling personal data, including Airbnb, are in the process of complying with requirements set out in the new set of data regulations, with many contacting their personal and commercial users with updated terms of service and privacy policies.

"The irony won't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people's data," said Mark Nicholls, director of cyber security at Redscan, adding: "The skill level in launching phishing attacks is generally quite low so it's difficult to estimate the scale of such scams."

In a fake email sent by scammers using the address 'important@mail.airbnb.work' - resembling an authentic message sent by Airbnb (noreply@airbnb.com) - recipients were told they could not accept new bookings or send messages until they accepted the company's new Privacy Policy.

The email read: "This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies."

Airbnb, unsurprisingly, did not look kindly on its band being used for phishing attacks: "These emails are a brazen attempt at using our trusted brand to try and steal user's details, and have nothing to do with Airbnb."  

"We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate.  We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites," the company said in a statement to IT Pro

Nicholls noted that such attacks are commonplace: "Using current events and trends as bait for social engineering attacks is a common tactic. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that's clicking a link or divulging personal data.

"It's a textbook phishing campaign in terms of opportunistic timing and having a believable call to action."

He told IT Pro the phishing email Redscan came across was targeted at a generic business address, suggesting the attackers may have scraped addresses from the web.

"As we get closer to the GDPR implementation deadline, I think we can expect to see a lot a lot more of these types of phishing scams over the next few weeks, that's for sure."

The cyber security firm warned that businesses concerned with the risk of phishing should implement measures to prevent them falling foul to such scams, including multiple email-validation and authentication systems designed to prevent spoofing, as well as holding regular training sessions for staff.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google removes 17 apps infected with evasive ‘Joker’ malware
malware

Google removes 17 apps infected with evasive ‘Joker’ malware

28 Sep 2020