Watch Out for GDPR Phishing Scams

Share this post!

Sadly, but expectedly, on the heels of the European Union enacting their new General Data Protection Regulation (GDPR), hackers are now using this regulation as an opportunity to deceive people into providing the type of data that the GDPR is specifically designed to protect.

This problem is not contained strictly to EU.  It affects people and organizations in North America as large companies that must comply with the regulation are delivering this effort to their world-wide audience.  Think Microsoft. Think Netflix. Think Starwood Hotels. Companies that must comply with the regulation have been busy emailing customers with information about updated privacy policies, consent forms, and other GDPR topics. These companies are not the only ones sending GDPR-related emails, however.  In May 2018, security researchers at RedScan discovered that hackers were distributing GDPR phishing emails designed to mislead people into willingly providing sensitive data.

The Scam

Pretending to be from Airbnb, the hackers sent phishing emails, at the time, mainly to businesses’ email accounts. The hackers took care to make the emails appear to be from Airbnb, including its logo and standard format.

The phishing emails noted that Airbnb had updated its privacy policy. The recipients were told they had to accept the new privacy policy before they could log back into the Airbnb website. To accept it, they had to click a link in the email. The link led to a spoofed Airbnb website, where the victims were instructed to enter their account credentials, payment card information, and other personal data. If they did so, it fell right into the cybercriminals’ hands.

How to Protect Your Business

Phishing attacks like the Airbnb scam are not going away any time soon as hackers have successfully used them to steal money, obtain credentials, and spread malware. Businesses need strategies to protect from these attacks.

The First Line of Defense:  Security on the Network

The first line of defense is everything on your network that is geared towards security. Keeping operating systems and applications up-to-date will deliver a strong layer of protection. Hackers often exploit known vulnerabilities in software to install malware. By making sure your software has the latest security patches, you might be able to stop a malicious program that was released by a successful phishing attack.  Ensure that your security software is protecting every device on your network.

Whereas once upon a time having a firewall, antivirus and email security was enough, times are changing.  Tools exist today that are purpose built to keep the attacks out and your data safe, i.e. url filtering, behavioral analytics, multi-factor authentication.  Consider expanding your coverage.

The Second Line of Defense:  Your Staff

Email filtering tools and security software, no matter how new and improved, may not catch every situation.  The next, very important, layer of defense is your staff.  Ensuring they are well versed in how to recognize scams, the dangers of clicking links and opening attachments in emails, becomes important.  Some elements to look for include:

  • A deceptive email address.Phishing emails often include a deceptive email address in the “From” field. For example, in the GDPR phishing email, the Airbnb email address was “@mail.airbnb.work” and not a real Airbnb address.
  • A request for personal information.If an email asks recipients to enter a password, credit card number, bank account number, or other sensitive information, it is most likely a scam. In the Airbnb phishing scam, recipients were asked to enter their account credentials and payment card information. The email sent out by the real Airbnb did not ask customers to enter any personal information.
  • A sense of urgency.Cybercriminals like to create a sense of urgency by telling the potential victims there is problem that requires their immediate attention and where there will be unfortunate consequences if they do not take action. In the Airbnb phishing email, the potential victims were told that they would not be able to log in to their accounts if they did not accept the new privacy policy.

Where a staff member does fall for phishing scam, despite best efforts to prevent it, taking a few pre-emptive measures can help mitigate the effects of a successful attack:

  • Using a unique strong password for each business account. As the Airbnb scam illustrates, obtaining login credentials is the goal of many phishing scams. Once cybercriminals get the password for one account, they will try to use that password (or a similar version of it) to access other accounts because hackers know that humans tend to reuse passwords. If you use a unique strong password for each business account, cybercriminals will not be able to use the compromised password to access other accounts.
  • Performing backups regularly and making sure they can be successfully restored. Backups can save the day if an employee falls for a scam that unleashes ransomware. You will be able to restore your data and systems from backups taken before the attack.

 

 What Is Your Strategy?

Although developing a strategy to protect your business from phishing attacks takes some effort, it is important to have one. Using variations of basic lines of defense, PC Corp can help you create and then implement your defense strategy. Contact us: info@pccorp.com

Small Business

Education

Government

Enterprise