Scammers pushed out phishing emails that incorporated the European Union’s General Data Protection Regulation (GDPR) as a theme in an attempt to steal users’ sensitive information.
Without naming the standard directly, the fake email asserted that GDPR was behind the senders’ decision to make their request.
“This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies.”
After news of this phishing email broke, Airbnb came out with a statement confirming that it had not sent out those emails analyzed by RedScan. As it told this author in an email:
“These emails are a brazen attempt at using our trusted brand to try and steal user’s details, and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on firstname.lastname@example.org, who will fully investigate. We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites.”
Airbnb also clarified that the attackers never accessed users’ information and shared a full list of its aliases that commonly appear in official business correspondence.
Mark Nicholls, director of cyber security at RedScan, said the scammers’ incorporation of GDPR makes sense given the increased amount of awareness surrounding the Regulation before it comes into effect on 25 May. As quoted by ZDNet:
“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action.”
Bad actors could send out more GDPR-themed spam on or around 25 May. Given that, it’s important that organizations protect themselves against phishing campaigns. Running phishing awareness training and simulated phishing exercises with employees would be a good place to start.
At the same time, organizations should familiarize themselves with GDPR (if they haven’t already) and devise a strategy to achieve compliance with the Regulation. MetaCompliance can help organizations strengthen their data security measures.