Security experts warn of GDPR phishing scams


Chances are that over the past few weeks, your inbox has been inundated with emails prompted by the changes that will be brought into play with the General Data Protection Regulation (GDPR), a new piece of EU legislation that – put simply – requires companies that deal with consumer data to abide by more stringent rules regarding how that information is used.

But hiding among those emails or website notices could be cyber criminals hoping to gain some of your own personal data, a new report suggests.

According to UK threat detection company Redscan, hackers are increasingly using privacy notices disguised as GDPR warnings to trick users into giving up their information or even to spread malware to other recipients.

The scams use communications made to look like they are coming from well-known businesses in a bid to make them more believable, as cyber criminals scramble to capitalise on the fact that most organisations are encouraging their contacts to re-consent to being on their mailing lists or letting users keep their data.

Redscan says that in the first instance, it encountered such phishing schemes in the form of a fraudulent email apparently sent from Airbnb’s customer support.

An email that appeared to be sent from the lettings app asked recipients to update their personal information in order to continue using the service. Those who clicked the link and entered a few details, however, were running the risk of handing contact information, account credentials or even credit card information to cyber criminals.

“The irony won’t be lost on anyone that cyber criminals are exploiting the arrival of new data protection regulations to steal people’s data,” said Mark Nicholls, director of cyber security at Redscan.

“Using current events and trends as bait for social engineering attacks is a common tactic. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action,” he explained.

Help is at hand, however, as Redscan has published a list of their top tips for identifying and avoiding phishing scams. They are:

– Check that the email is sent from a genuine user and not from a fake or bogus address
– Look for branding inconsistencies – the wrong font, logo or colours – and spelling errors
– If asked for personal data, consider whether the request sounds genuine. If worried, log in to the official website and see if you can complete the process there
– Take care when looking at emails on a smartphone, which can obscure crucial details
– If you think you have been scammed, change all your passwords immediately
– Watch out for anonymous phone calls – attackers might try calling too
– Businesses worried about being targeted should implement multi-step authentication practices
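Several of these checks can be automated for mail triage. The script below is an added example, not Redscan's code or tooling: it parses a constructed message modelled on the Airbnb-style GDPR lure described above and flags a Reply-To or Return-Path that differs from the visible sender, a display name claiming a brand whose known mailing domain (the assumed KNOWN_BRANDS table) does not match the address, and a GDPR-themed request for personal data that asks the reader to follow a link.

```python
"""Triage checks for GDPR-themed phishing mail (added example, not Redscan's code)."""
import email
import re
from email.policy import default
from email.utils import parseaddr

# Assumed mapping of brand names to the domain they legitimately mail from.
KNOWN_BRANDS = {"airbnb": "airbnb.com"}
# Wording typical of the GDPR re-consent lures described in the article.
LURE_PHRASES = ("gdpr", "re-consent", "update your personal information")


def domain_of(addr_header) -> str:
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(str(addr_header))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From", ""))
    # Tip 1: replies or bounces routed to a domain other than the visible sender's.
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(hdr, ""))
        if other and other != from_domain:
            findings.append(f"{hdr} domain {other} differs from From domain {from_domain}")
    # Tips 1 and 2: display name claims a brand, but the address is not that brand's domain.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in name.lower() and from_domain != legit and not from_domain.endswith("." + legit):
            findings.append(f"display name '{name}' but sender domain is {from_domain}")
    # Tip 3: a GDPR-style request for personal data that points the reader at a link.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(p in text for p in LURE_PHRASES) and re.search(r"https?://", text):
        findings.append("GDPR-themed request for personal data with a link to follow")
    return findings


# Constructed sample modelled on the lure described above; not a real message.
SAMPLE_LURE = b"""From: Airbnb Customer Support <support@airbnb-privacy-update.example>
Reply-To: inbox@collector.example
To: user@example.org
Subject: Action required: GDPR update to your account
Content-Type: text/plain; charset=utf-8

To continue using the service, please update your personal information at
http://airbnb-privacy-update.example/confirm within 24 hours.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LURE):
        print("-", finding)
```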

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
