Fourteen emails. That’s the number of GDPR policy notification emails I’ve received in the past few weeks. The EU’s General Data Protection Regulation (GDPR) takes effect on May 25, and companies around the world are notifying their contacts about the privacy-policy changes they have made under the new rule.
While this outreach is understandable (Article 7 of the GDPR requires data controllers to be able to “demonstrate that the data subject has consented to processing of his or her personal data”), the flood of policy emails gives attackers a timely pretext to spread malware and to harvest credentials and other sensitive data.
Redscan, a UK threat detection and response firm, reported the first known GDPR-themed phishing campaign this week. In it, attackers pose as Airbnb’s customer support team and ask customers to update their personal information by (surprise!) clicking a link in the email. The email looks like this:
The email is convincing: it carries the Airbnb logo and, like so many legitimate messages sent recently, cites GDPR as the reason for the outreach.
Unfortunately, policy-acceptance scams are not new. What makes this GDPR variant particularly dangerous is how easily it blends in with the dozens of legitimate policy-acceptance emails we now receive each week.
Teaching yourself, your coworkers and your family how to spot phishing emails is one of the best ways to keep your data safe from these attacks. Fortunately, defending against this particular threat is simple: do not click GDPR policy links in email. Instead, type the company’s address into your browser (or use a bookmark you saved earlier), log in there, and review and accept any changes directly on its site. If you do want to inspect the email first, check that the sender’s address is on the company’s real domain and hover over each link to see where it actually points; a link whose visible text shows one address but resolves to another is a classic tell.
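The two checks above (is the sender on the domain you already know the brand uses, and does each link really go where its text says?) can be automated. The following Python is an added example written for this page, not code from the original post or from Redscan; the message it analyses is a constructed lure modelled on the Airbnb-themed email described above, and every address in it is hypothetical (the `.example` top-level domain is reserved for exactly this purpose). The known-good domain is supplied by the caller, which is the point: you compare against what you already know, not against what the email claims.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure, modelled on the Airbnb-themed GDPR email described
# above. Every domain here is hypothetical; ".example" is reserved for such use.
RAW_EMAIL = b"""From: "Airbnb Customer Support" <support@airbnb-privacy-update.example>
To: host@mail.example
Subject: Action required: accept our updated privacy policy (GDPR)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Under the GDPR we need you to confirm your personal information.</p>
<p><a href="http://login.airbnb-privacy-update.example/verify">https://www.airbnb.com/account</a></p>
<p>Questions? Visit our <a href="https://www.airbnb.com/help">Help centre</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. A real tool would consult the public-suffix list
    (co.uk and friends); this approximation is enough for the illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname of a URL-like string, or None if it does not look like one."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def check_email(raw, expected_domain):
    """Compare the sender and every link target against the domain you already
    know the brand uses. Returns (sender_domain, [(finding, detail), ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.addr_spec.rsplit("@", 1)[1])
    findings = []
    if sender_domain != expected_domain:
        findings.append(("sender-offdomain", sender.addr_spec))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return sender_domain, findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = host_of(href)
        if target is None:
            continue
        # A link that leaves the brand's domain is the credential-harvest hop.
        if registrable_domain(target) != expected_domain:
            findings.append(("link-offdomain", href))
        # Visible text shows one address while the href goes somewhere else.
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(("text-href-mismatch", href))
    return sender_domain, findings


if __name__ == "__main__":
    domain, results = check_email(RAW_EMAIL, "airbnb.com")
    print("sender domain:", domain)
    for kind, detail in results:
        print(f"{kind}: {detail}")
```

Run against the sample, the sender is flagged as off-domain, the "verify" link is flagged both for leaving the expected domain and for showing a different address than it resolves to, while the genuine help-centre link produces no finding. A mail gateway would add reputation and lookalike-domain checks on top; the two heuristics here are the ones a person can also apply by eye.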