Scammers Take Advantage of GDPR Rush

Emails from various actors masquerading as legitimate services, informing users of an updated privacy policy in line with the General Data Protection Regulation (GDPR), have increased dramatically. The regulation came into force on 25 May and has caused a significant spike in email traffic and related spam activity. This was expected and was covered in a National Cyber Security Centre (NCSC) security advisory last week.

Strategic assessment: It is important to note that the majority of these phishing attacks do not technically deviate from the norm. One of the first instances of a GDPR-related phishing attack, which prompted the NCSC security advisory, targeted Airbnb. Reported by Redscan, the phishing email insists that new bookings will not be taken on behalf of the host until a new privacy policy has been accepted. The link redirected to a page where the user is prompted for personal information, including account credentials and payment card details.

Another example targeted Apple users. In this instance, the actors claimed the user's account had been 'limited' due to unusual activity. The body of the email contained a link to a website, controlled by the scammers, requesting user details. Although this was not directly linked to GDPR, the actors deliberately timed the emails to hide in the traffic sent by legitimate companies. Interestingly, the phishing technique demonstrated a higher technical ability than previously observed: the actors employed Advanced Encryption Standard (AES) protocols when redirecting victims to the scammer-controlled page, in order to evade anti-phishing tools. This is unusual and signifies that a more sophisticated actor group is responsible.

Across the board, it appears that the actors seeking to leverage GDPR are financially motivated and interested in personal data, as opposed to seeking to infect the target with malware. It is almost certain that GDPR-related scams will decline as the high volume of emails from companies to users reduces. Employees should be encouraged to remain vigilant for suspicious emails during this period, especially from companies they are unfamiliar with or were not expecting contact from.
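The two lures described above share a detectable shape: the message names a well-known brand, applies policy-acceptance or "account limited" pressure, and points the recipient at a sender or link domain the brand does not own. The following Python script is an added example, not code from the original post or from the NCSC or Redscan; it triages raw emails with exactly that heuristic. The brand allow-list, the lure phrases and both sample messages are constructed for illustration (the phishing sample uses a placeholder `.example` domain, not a real indicator), and `registered_domain` is a deliberately naive two-label helper rather than a public-suffix-aware one.

```python
"""Heuristic triage of GDPR-themed lure emails (added example, not from the original post)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: brand name -> domains that brand legitimately sends from / links to.
# A real deployment would populate this from the organisation's own vendor inventory.
BRAND_DOMAINS = {
    "airbnb": {"airbnb.com"},
    "apple": {"apple.com", "icloud.com"},
}

# Phrases typical of the lures in the post: policy-acceptance pressure and
# "your account has been limited due to unusual activity" pretexts. Constructed list.
LURE_TERMS = ("gdpr", "privacy policy", "limited", "unusual activity", "verify")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (example-grade; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_brand(text: str):
    """Return the first known brand mentioned anywhere in the headers or body, if any."""
    lowered = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def triage(raw_email: str) -> dict:
    """Score one raw RFC 822 message and return the collected evidence plus a verdict."""
    msg = message_from_string(raw_email)
    sender_addr = parseaddr(msg.get("From", ""))[1]
    sender_domain = registered_domain(sender_addr.split("@")[-1]) if "@" in sender_addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('From', '')}\n{subject}\n{body}"

    brand = claimed_brand(text)
    allowed = BRAND_DOMAINS.get(brand, set())
    link_domains = {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}

    lure_hits = [t for t in LURE_TERMS if t in text.lower()]
    sender_mismatch = bool(brand) and sender_domain not in allowed
    off_brand_links = sorted(d for d in link_domains if d not in allowed) if brand else []

    # Verdict: a brand is impersonated, lure language is present, and either the
    # sender or a link lands outside that brand's own domains.
    suspicious = bool(brand) and bool(lure_hits) and (sender_mismatch or bool(off_brand_links))
    return {
        "brand": brand,
        "sender_domain": sender_domain,
        "lure_terms": lure_hits,
        "sender_mismatch": sender_mismatch,
        "off_brand_links": off_brand_links,
        "suspicious": suspicious,
    }


# Constructed sample 1: modelled on the Airbnb-themed lure described in the post.
# The domain and path are placeholders, not real indicators.
PHISH_SAMPLE = """\
From: Airbnb <noreply@airbnb-policy-update.example>
Subject: Action required: accept our updated privacy policy (GDPR)
Content-Type: text/plain

Under GDPR we cannot take new bookings on your behalf until you accept the
new privacy policy. Please confirm your account here:
http://airbnb-policy-update.example/accept?host=1
"""

# Constructed sample 2: a benign notice whose sender and link stay on the brand's own domain.
LEGIT_SAMPLE = """\
From: Airbnb <privacy@airbnb.com>
Subject: We've updated our privacy policy
Content-Type: text/plain

We have updated our privacy policy for GDPR. No action is needed.
Read it at https://www.airbnb.com/privacy
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample))
```

The benign notice is deliberately included: both messages mention GDPR and a privacy policy, so keyword matching alone would flag the legitimate one too. What separates them is the domain evidence, which is why the verdict requires a sender or link mismatch and not just lure language.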
