New Scams

GDPR Scamming

The introduction of GDPR (the European Union’s new General Data Protection Regulation) has become a perfect opportunity for cyber criminals to carry out phishing email campaigns since it came into effect on 25th May.

One of the requirements of GDPR is that organisations must be more transparent about the customer data that they hold, meaning that many organisations are sending email messages to customers asking for consent to remain on their mailing lists etc.

However, cybercriminals are taking advantage of these GDPR messages and privacy policies and are creating phishing emails, which attempt to trick consumers into giving out credit card numbers, account information, other payment information or clicking on malicious links that download malware, such as ransomware, Trojans or key loggers that will infect a computer. Quite ironic really considering that these new data protection regulations which aim to improve privacy protection are being used to steal people’s data…

These impersonation scams are often very convincing. The request seems perfectly acceptable, the emails appear to have been sent from a real company and the email address of the sender appears genuine. The emails are very convincing as they contain well-known branding and images, and the messages look very much like legitimate communications.

An example of this is a GDPR-related phishing scam, which has recently been uncovered, with emails claiming to be sent from AirBnB, stating that the company is unable to accept bookings or send messages to guests until a new privacy policy has been accepted. Anyone who clicks the link within the email is asked to enter their personal information, including account credentials and payment card information. If they do so, they hand the data directly into the hands of criminals who can use it for theft, identity fraud and more.

Genuine emails about GDPR should only ask you to accept new Terms and Conditions, but they won’t ask for personal information, ask you to download an attachment or visit a website.

If in any doubt, the best way to avoid a scam is to visit the website of the company by typing the correct address directly into the browser. It should be clear when you log in if you need to update your information because of GDPR.

As we mention many times, NEVER EVER enter credit card numbers, payment information or account credentials if urged to by an email. No reputable company would ask for this type of information, they already have it.

Philip Brooks