In just over three weeks, the compliance deadline for the European Union’s (EU’s) General Data Protection Regulation (GDPR) arrives. On May 25th, enterprises that collect and store data on EU citizens, including enterprises not based in the EU, must comply with GDPR mandates or face a heavy fine: up to 20 million euros or 4% of annual worldwide turnover, whichever is higher.
GDPR Phishing Scams: A Rising Threat
Cybersecurity and penetration testing firm Redscan has been credited with uncovering the new wave of GDPR phishing scams after investigating attacks posing as emails from hospitality giant Airbnb. These emails contain the same components as any phishing attack: a facsimile of legitimacy, a sense of urgency, and a mechanism through which victims enter their information so the attackers can steal it. GDPR phishing scams differ only in how the urgency and the legitimacy are presented, but they have proven incredibly effective.
According to a statement by Mark Nicholls, Director of Cyber Security at Redscan, “Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action.”
“As we get closer to the GDPR implementation deadline, I think we can expect to see a lot more of these types of phishing scams over the next few weeks, that’s for sure.”
At the time of writing, it is unclear how many enterprises are being impersonated in GDPR phishing scams, but Redscan’s research indicates that more are forthcoming, and that more enterprises will be victims of these attacks in the near future.
GDPR Phishing Scams Hurt Your Enterprise
Redscan’s research indicates that GDPR phishing scams are targeting consumers, yet your enterprise is not safe from them. The majority of targeted addresses are business email addresses, most likely because these are easier to scrape off the web. Given how common password reuse is, an employee losing a personal password to a GDPR phishing scam can still jeopardize your enterprise, and that assumes your employees did not hand the phishers their business credentials outright.
Phishing attacks constitute over a quarter of all enterprise frauds, and a single phishing attack can cost an enterprise over a million dollars in damages. One compromised employee is all it takes to put your entire IT environment at risk. This is a serious issue that your enterprise needs to take seriously, and that starts with employee training.
An Ounce of Prevention…
Your IT security team needs to drill your employees on how to detect fake emails and what GDPR compliance will require of enterprises and consumers. Here are a few lessons your employees should absorb:
- If a company sends an email asking for anything involving GDPR compliance, check that company. A company that has no dealings with EU residents has no reason to be sending GDPR notices; note, though, that GDPR applies to any company processing EU residents’ data, not only to companies based in the EU, so a non-EU sender is not by itself a red flag.
- If possible, give consent and personal information at the company’s website directly rather than through the email, so that the right people receive it. Make sure employees type the company’s address into the browser’s address bar rather than following a link in the email; clicking the link would defeat the purpose.
- Check the email’s sender domain, not just the display name. GDPR phishing scams use domains that passingly resemble the real company’s but fall apart under close scrutiny, for example a swapped character or an extra word. Encourage your employees to look closely at the part after the @.
- Look for inconsistencies in the brand imagery, such as off-colors or wrong fonts in a logo. Also look for spelling mistakes in the email; legitimate enterprises proofread customer-facing mail, so errors are a warning sign, though a clean email is not proof of legitimacy.
- Ensure that your employees know your enterprise’s incident response plan so that, if they fall prey to a GDPR phishing scam, they can alert the right people promptly and have their passwords changed.
- While falling for GDPR phishing scams may be noted in performance reviews, employees should not face retributive punishment for falling prey to such attacks. Mistakes happen, and punishing the victims discourages reporting, increasing dwell time and the resulting damage.
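The sender-domain check above is the one item on this list that a mail gateway or a SOC analyst can automate. The script below is an added example written for this page; it is not code from the original article or from Redscan. It folds common homoglyph substitutions, compares the registrable domain against a list of brands the organisation actually hears from, flags brand names buried inside unrelated domains, and also catches a case the list does not mention: a trusted brand in the display name in front of an unrelated address. The brand list (Airbnb as the impersonated brand), the public-suffix shortcut and the sample From: headers are all assumptions constructed for illustration.

```python
"""Flag lookalike sender domains and spoofed display names in From: headers.

Added example, not code from the original article or from Redscan. The brand
list, the public-suffix shortcut and the sample headers are assumptions made
for illustration only.
"""
from email.utils import parseaddr

# Brands your users legitimately hear from, mapped to the registrable domain
# each brand sends from (assumed list; Airbnb is the brand the article's
# campaign impersonated).
KNOWN_BRANDS = {"airbnb": "airbnb.com"}

# Tiny stand-in for the Public Suffix List; production code should use the
# real list (e.g. the tldextract package) instead of this shortcut.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Digits and letter pairs attackers swap in because they look alike.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(text):
    """Lowercase and collapse common homoglyph tricks so comparisons ignore them."""
    return text.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming, keeping one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """'mail.airbnb.com' -> 'airbnb.com'; 'x.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify_sender(from_header):
    """Return ('ok' | 'suspicious', reason) for one raw From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable address"
    host = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS.values():
        return "ok", f"mail from the genuine {reg}"  # subdomains of the real domain pass
    sld = fold(reg.split(".")[0])  # the label attackers typically tweak
    for brand, real in KNOWN_BRANDS.items():
        b = fold(brand)
        if b in fold(host):  # airbnb-gdpr.com, airbnb.com.evil.net
            return "suspicious", f"'{brand}' inside {host}, but registrable domain is {reg}, not {real}"
        if edit_distance(sld, b) <= (1 if len(b) < 8 else 2):  # a1rbnb.com, airbmb.com
            return "suspicious", f"{reg} is within edit distance of {real}"
        if b in fold(display):  # "Airbnb Privacy <x@random.net>"
            return "suspicious", f"display name claims {brand} but address is @{host}"
    return "ok", "no known brand involved"


# Constructed sample headers, not real captured mail.
SAMPLE_HEADERS = [
    "Airbnb <automated@airbnb.com>",
    "Airbnb <no-reply@mail.airbnb.com>",
    "Airbnb GDPR Team <privacy@airbnb-gdpr.com>",
    "Airbnb <consent@airbnb.com.privacy-update.net>",
    "Airbnb <support@a1rbnb.com>",
    "Airbnb Privacy <privacy@secure-mail-updates.net>",
    "Example Corp <billing@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = classify_sender(header)
        print(f"{verdict:<10} {header:<50} {reason}")
```

Run against From: headers exported from your mail gateway, the two genuine Airbnb addresses pass and the five lookalikes are flagged with the reason a reviewer would want to see. The brand list is the part that needs care: it should contain only the domains a brand really sends from, otherwise the genuine-domain shortcut becomes an allow-list for an attacker-controlled domain.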
These pieces of advice are in fact almost identical to best practices for preventing phishing attacks in general. Yet GDPR is putting a great deal of psychological pressure on consumers and enterprises alike. Your enterprise should encourage clear, rational decision-making and safety over speed. It may save you more in the long term.
If your enterprise is also concerned with GDPR compliance, check out some of our resources on the subject such as the “Best Practices and Essential Tools for GDPR Compliance” from AlienVault.