The growing GDPR hysteria among the general public has led to a new type of phishing campaign. Security firm Redscan has discovered scammers posing as Airbnb and requesting personal details from users. A similar campaign has been spotted targeting the bitcoin exchange Poloniex, showing that the scammers are after more than just personal details.
GDPR hysteria in companies and users
GDPR has brought increasing worry and uncertainty to both businesses and their users. As the enforcement date draws closer, many companies have started sending out emails asking users to consent to the continued storage of their data.
For the regular user the reason for these emails is often unclear, and the legal terminology they are generally filled with does not help. Users are therefore quite likely to simply do what is asked of them, and for malicious actors this hysteria and confusion is just another business opportunity.
Airbnb GDPR phishing scam
Security firm Redscan was the first to warn of phishing campaigns built around GDPR. These try to steal personal data or spread malware by impersonating the GDPR re-consent emails mentioned above. The initial campaign discovered by Redscan consists of attackers impersonating Airbnb customer support and urging users to update their personal data in order to keep using the platform.
“The irony won’t be lost on anyone that cyber criminals are exploiting the arrival of new data protection regulations to steal people’s data,” Mark Nicholls, director of cyber security at Redscan stated.
Any data entered on the phishing page should be considered exposed. Redscan also warned that attackers are likely to use the same tactic against other targets, which appears to be the case: a recent phishing campaign targeted users of the bitcoin exchange Poloniex, showing that attackers are after more than just personal details.
“Using current events and trends as bait for social engineering attacks is a common tactic. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action,” Nicholls said.
How to protect yourself
Modern phishing emails are increasingly hard to tell apart from genuine ones: they use the correct logos, sender addresses that closely resemble the real ones, and so on. Some key characteristics to look out for are nevertheless:
- Inconsistencies in spelling and grammar
- A sender address you do not recognize, or one that differs from previous communication with the same company
- Incorrect font usage
When in doubt, do not follow the link in the email at all. Open the service's website by typing its address yourself, log in there, and check whether any action is actually required.
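Two of the indicators above, a sender address that differs from previous communication and a link whose visible text points somewhere other than its real target, can be checked mechanically. The script below is an added example, not code from the original article or from Redscan: it parses a constructed sample message modelled on the kind of GDPR "re-consent" phish described above, compares the From: domain against a hypothetical allowlist of domains the organisation has previously used to contact this mailbox, flags lookalike domains that merely contain the brand name, and lists links whose displayed URL and actual href point to different registered domains. The allowlist, the sample email and the sending domains in it are all assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message imitating a GDPR re-consent phish. The sender
# domain and link targets are invented for this example, not real artefacts.
SAMPLE_EMAIL = """\
From: Airbnb Customer Support <support@airbnb-gdpr-update.com>
To: user@example.org
Subject: Action required: update your details to keep using Airbnb
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user, in line with GDPR you must confrim your personal data.</p>
<p><a href="http://airbnb-gdpr-update.com/verify">https://www.airbnb.com/account</a></p>
</body></html>
"""

# Hypothetical allowlist: domains this organisation has previously mailed
# us from. Assumed for the example, not a statement about the real company.
KNOWN_SENDER_DOMAINS = {"airbnb.com"}

# Matches <a ... href="..."> ... </a>; good enough for the simple HTML here.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_domain(msg):
    """Return the lower-cased domain part of the From: address."""
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def matches_known(domain, known):
    """True when domain is a known domain or a subdomain of one."""
    return any(domain == k or domain.endswith("." + k) for k in known)


def is_lookalike(domain, known):
    """True when the sender domain borrows a brand label from a known domain
    (e.g. 'airbnb' in 'airbnb-gdpr-update.com') without being one of them."""
    if matches_known(domain, known):
        return False
    brands = {k.split(".")[0] for k in known}
    return any(brand in domain for brand in brands)


def registered_domain(host):
    """Crude registered-domain reduction (last two labels). Adequate for the
    .com names used here; a real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html):
    """Links whose visible text is itself a URL on a different registered
    domain than the real href target, a classic link-spoofing trick."""
    findings = []
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not shown.startswith(("http://", "https://")):
            continue  # plain anchor text such as "click here" is not checked here
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname or ""
        if registered_domain(real_host) != registered_domain(shown_host):
            findings.append((href, shown))
    return findings


def assess(raw, known=KNOWN_SENDER_DOMAINS):
    """Run the sender and link checks over a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    dom = sender_domain(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "sender_domain": dom,
        "sender_known": matches_known(dom, known),
        "lookalike": is_lookalike(dom, known),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the sample message the script reports an unknown, lookalike sender domain and one link whose displayed Airbnb URL actually leads to the lookalike domain. The checks deliberately stop short of verifying SPF, DKIM or DMARC results, which a mail gateway would add on top of this; they are meant to show how the checklist items translate into concrete, testable conditions.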