Oh, the irony; phishers are using GDPR to scam you

logo
Featured On

NewsweekForbesBuisiness InsiderAxios
This article contains
arrow

So now, May 25th has come and gone. If you live in the EU, you’re probably at least somewhat familiar with the significance of this past Friday, the 25th of May, 2018 – this is the day that the EU’s new General Data Privacy Regulations, GDPR, became binding law.

Um, what’s GDPR? 

But if you happen to live outside of the EU and have no clue what any of this means, here is a three-line synopsis of the 99 articles and 173 recitals (!!) that make up this new exhaustive body of laws:
The point of GDPR is to give citizens living within the EU heighten control over their data and how it’s used. Any business or organization, regardless of where they are located, that holds any data at all on people living within the EU must become fully compliant with the new regulations and do everything they can to prevent improper handling of user data.
One of the many things businesses need to do to avoid getting hit with whopping fines (up to 20 million Euros!) is to update their privacy policies and obtain users’ consent to remain on their mailing lists. To this end, you may have noticed an influx of emails over the last few days from entities such as Google, Netflix, and Amazon, all asking you to read their new enhanced privacy statements and to agree to remain on their mailing lists.

Attackers love GDPR 
Well, surprise, surprise – scammers have noticed this uptick in emails too. And as with any smartly executed phishing ploy, they are using the opportunity to send their own fraudulent emails. The first scam to emerge posed as a privacy policy update from Airbnb. Originally noted by security firm RedScan, it implores readers to accept the terms of their new policy before any new bookings can be made. It tells readers to click a certain link and enter their account details, which may lead to exposure of their credit card details.
Oh, the irony of using these new data protection laws as the basis for sophisticated phishing scams!
But wait, there’s more.
Just last week, reports of a new Apple/GDPR-based scam began to emerge. In this variant, the fake Apple email asks the recipient to update their profile as part of security hardening measures ahead of the new regulations. The idea here is to get victims to divulge their Apple account information, which may include credit card details.

Spotting GDPR phishing emails
These fake-out emails may look a whole lot like the real thing and, with all the confusion GDPR has created for the non-legally-minded, they may indeed sound very legit. So how can you spot a fraudulent GDPR email if and when you get one?

  1. Beware of GDPR-privacy policy related emails that request personal information. This is a dead giveaway that what you’re reading should be deleted ASAP.
  2. Look for links that seem to be out of place. You should know by now that links in emails can and often do harbor malicious code that, if clicked on, can provide attackers with access to your data. No legitimate privacy policy update should be asking you to click links to update your information.
  3. Check the design, context, spelling, domain names and grammar thoroughly. When creating fraudulent emails, it’s (thankfully) really tough to get all the nitty-gritty details just right, so attackers usually mess up in at least one of these areas. For example, the Apple phishing email was sent at random, which means that lots and lots of non-Apple users got it, making it out of context. Moreover, the domain name that readers reached upon clicking the embedded link was completely unrelated to Apple, another giveaway right there.
  4. Pay close attention to the sender’s email address. Sure, the email may say it’s from Airbnb, but if the email address doesn’t sufficiently reflect that, delete it.
  5. Think about the tone of the email. Attackers want to get the reader to act without thinking, so the tone of such emails is usually quite urgent.

Don’t assume that since GDPR has already taken effect, you won’t be seeing any more of these emails. More than 50 percent of companies won’t be GDPR-compliant until the end of the year — and many more will only achieve compliance in the next few years. This means that you’ll be getting these “We’re updating our privacy statement” emails for a long time to come – to continue to be on the lookout for more of these baddies. Make sure you’re armed with enough information to avoid getting caught in their snare.