Cybercriminals and hacker groups have started disguising themselves as recognized enterprises and using GDPR as a pretext to steal private information. GDPR is the abbreviation for General Data Protection Regulation, a regulation adopted by the European Union member states to grant greater data rights to their residents. It harmonizes the data protection laws of all EU nations, which makes it easier to fine organizations that violate them, and at the same time it lets individuals find out more easily what information a business holds about them. In short, GDPR is intended to give people greater clarity about the data being collected on them and to put safeguards in place against its misuse.
GDPR-based Phishing Scam – A New Online Threat
How Does GDPR Define Personal Data?
Under the existing legislation, personal particulars such as name, residential and office address, and photographs are considered personal data. GDPR extends this definition to cover other identifiers such as IP addresses.
Further, highly sensitive data such as genetic and biometric information is also now treated as personal data. This is done to prevent people from being uniquely identified through these factors.
Where is GDPR Applicable?
Broadly speaking, GDPR applies to all organizations. If you process the personal data of EU residents, you have to comply with GDPR. This includes data on your customers and on your own employees.
An organization that is not based in the EU is still expected to follow GDPR if it handles data on EU residents. Further, GDPR defines two roles in data handling, data controller and data processor, each with its own responsibilities.
How Are Scammers Misusing GDPR?
Since 25 May 2018, every organization has been expected to comply with GDPR, so businesses have been updating their privacy policies and websites to meet the law. Recently, however, security experts have found a pattern of bad actors using GDPR as a disguise for phishing attacks on businesses.
According to Redscan, a cybersecurity company, hackers pretend to be recognized companies and send illegitimate emails. The emails mostly describe changes made under GDPR and contain malware or other means of gathering personal information. In the past few weeks, the company has received as many as fifteen such emails.
While the May 25 deadline must be met by all companies, it also gives scammers an ideal pretext for phishing. Since companies must inform their clients about the new policy changes, hackers are using this expectation to their benefit, conning people into divulging personal information and then using it for their own gain.
Redscan reported the first GDPR-based phishing scam last week. The email in question posed as Airbnb; specifically, it was disguised as if sent from the company’s customer support department. After describing a few relevant changes, the email asked recipients to provide their updated personal information through a link.
Surprisingly, the email was rather convincing and even carried the Airbnb logo. It also made detailed mention of GDPR as the reason for the mail and thus could easily fool unsuspecting individuals.
One More Incident
NatWest is another company that phishing scammers have impersonated. Over the past week, many emails claiming to be from the bank have been sent to customers.
Many businesses have been reaching out to their customers to assure them the company will conform to the new laws set under GDPR. The companies also let customers choose if they want to continue receiving these emails.
As this is now the norm, scammers pose as trusted sources and trick people into divulging their personal information. Many people have already fallen victim to these attacks, giving up vital personal information such as:
- Usernames and passwords
- Personal credentials
- Actual names
- Residential addresses, etc.
Most often, these emails warn customers that their account will be terminated unless their information is updated. They are then told to click on a link and are redirected to a site controlled by the scammers that is designed to look like the trusted website.
The main objective of these scams is to get the credentials to access the bank accounts of individuals.
To raise awareness of these scams, Action Fraud recently released a statement. It explains why banks are never likely to ask for PINs, passwords, or other sensitive information through any electronic medium.
The organization also noted that these fake emails may contain spelling or grammatical errors, and that their design quality will not be what you would expect from a legitimate business. Such emails are often generic and do not address you by name. They may also originate from an unknown Yahoo or Gmail account.
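The red flags listed above can be checked mechanically. The following is an added example, not code from the article or from Action Fraud, that scores a plain-text message against them; the two messages, the brand domain `example-bank.com` and the free-mail list are constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed samples, not real mail: a GDPR lure from a free-mail account
# posing as a bank, and a legitimate policy notice for contrast.
LURE = """From: "Example Bank Customer Support" <support-team@gmail.com>
Subject: GDPR update: confirm your details

Dear Customer,

Under GDPR we must update your records. Your account will be terminated
unless you verify your details at http://example-bank-verify.example.com/login
"""
NOTICE = """From: "Example Bank" <privacy@example-bank.com>
Subject: Our updated privacy policy

Dear Jane Doe,

We have updated our privacy policy for GDPR. You can read it at
https://www.example-bank.com/privacy and no action is required.
"""
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = ("terminated", "suspended", "closed", "immediately", "within 24 hours")
GENERIC = ("dear customer", "dear user", "dear client", "dear valued")

def phishing_indicators(raw, brand_domain):
    """List the red flags from the article that a text/plain message triggers;
    brand_domain is the real domain of the company the mail claims to be from."""
    msg = message_from_string(raw)
    text = ("" if msg.is_multipart() else msg.get_payload()).lower()
    sender = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    def same_brand(host):
        return host == brand_domain or host.endswith("." + brand_domain)
    found = []
    if sender in FREE_MAIL:
        found.append("sender uses a free-mail account")
    if not same_brand(sender):
        found.append("sender domain does not match the claimed brand")
    if text.lstrip().startswith(GENERIC):
        found.append("generic greeting with no customer name")
    if any(word in text for word in URGENCY):
        found.append("threatens account termination to force action")
    for url in re.findall(r"https?://\S+", text):
        host = (urlparse(url).hostname or "").lower()
        if not same_brand(host):
            found.append("link leads off-brand: " + host)
    return found
```

Run against the constructed lure it returns five indicators, and against the genuine-looking notice it returns none; a real mail gateway would add header authentication (SPF, DKIM, DMARC) on top of these content heuristics.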
Things to Remember about GDPR scams
Always remember that as technology grows more sophisticated, scams are likely to grow more complex too. To keep your personal data safe from bad actors, consider the following:
- Never open emails from individuals you do not know.
- Never click on a link in an email unless you have verified it.
- Never give out personal information unless you have made sure the source is verified and legitimate.
- Use the best and most advanced antivirus on your device and update your operating system regularly.
With just a few precautionary measures, you can stay safe from scams.
GDPR-based Phishing Attacks – Conclusion
GDPR phishing scams are just one in a long line of scams perpetrated online. However, the ease with which they can hide among the legitimate emails people receive every day is certainly disconcerting.
The only way to steer clear of any financial scam is to know how to tell a real email from a fake one. This applies to individuals and businesses alike, because a single compromised access point could potentially grant access to the entire system.
But it does not take a great deal of knowledge to handle a GDPR phishing email. If you receive a GDPR email and think it might be genuine, go to the sender’s actual website directly and complete the process there.