GDPR allows crooks to perform new phishing scams, get tips to avoid it

by Ugnius Kiguolis - - 2018-06-01

Criminals send GDPR-themed phishing emails

GDPR phishing scam

Despite the good intentions, General Data Protection Regulation (GDPR) has created new opportunities for the criminals to generate illegal profits^[1]. Cybersecurity researchers have detected a new phishing attack which targets to steal sensitive data from novice computer users.

GDPR-themed emails have been sent to a vast of people. Unfortunately, most of them have fallen for the scam and gave up personal information:

Logins and passwords;
Names;
Credentials;
Addresses, etc.

Most recent GDPR phishing attack was reported at NatWest bank when customers received emails supposedly coming from the financial institution^[2]. Since now almost every company is informing about the changes in Privacy Policies, it is easy to be tricked into giving private data.

Now, the most common GDPR scam technique contains questions whether the user wants to continue receiving notifications from the company^[3]. And if they do, they must update their records by filling the necessary information. As a result, crooks are provided with numerous sensitive information for further attacks.

GDPR scam targets Airbnb users and impersonates other tech giants

Cybersecurity experts from Redscan have detected a phishing attack on Airbnb users which also includes GDPR-themed emails. The letter informs the users about recent changes in the Privacy laws due to the upcoming GDPR.

Airbnb spam messages include this or similar text in GDPR phishing attack^[4]:

This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb to protect European citizens and companies.

Hosts on Airbnb are informed that they will be unable to accept guests and booking until they accept the new regulations. To complete that they are encouraged to fill the forms which require personal information.

Criminals are using the remarkably similar domain as the legitimate Airbnb to trick people into giving sensitive data. The original domain appears as @airbnb.com while hackers employed small changes and used @mail.airbnb.work for phishing^[5].

Even though there are no reliable reports about other attacks, experts believe that cybercriminals might be targeting other tech giants as well. Thus, people are advised to be cautious as legitimate GDPR emails do NOT ask for any personal data.

Tips to protect from GDPR scam

Keep in mind that GDPR phishing scams and the number of malicious emails will only increase in the future. Therefore, we advise following these tips to protect your personal information:

Do not open emails sent from unknown people or companies;
Do not click on links which might be potentially dangerous;
Do not fill your personal details even if you are asked before making sure that it is official;
Always use a professional antivirus and update it along with your OS to avoid spyware.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Elaine Edwards. Gardaí warn of possible rise in email scams related to new data law. The Irish Times. Breaking News.
^ Oliver Wheaton. GDPR latest: Fraudsters posing as banks in data protection emails phishing scam. The Independent. UK and Worldwide News.
^ Saqib Shah. Police warning over GDPR email scams – here’s what to look out for. The Sun. News, sport, celebrities.
^ Danny Palmer. Phishing alert: GDPR-themed scam wants you to hand over passwords, credit card details. ZDNet. Technology News, Analysis, Comments and Product Reviews.
^ Pierluigi Paganini. GDPR Provides Scammers with a New Golden Opportunity. InfoSec Institute. IT Security Training & Resources.