Beware the GDPR Themed Scams

Unless you’ve been living under a rock, you’ve probably amassed a few dozen GDPR related emails in your inbox by now. Since the General Data Protection Regulation (GDPR) went into effect, online services have been rushing to update their customers on policy changes. But did you know that some of those emails might be veiled attempts at data theft?

Numerous reports have emerged detailing phishing scams built around GDPR compliance emails. The trend is particularly troubling because the vast majority of users never inspect such emails: put off by the legal parlance, they blindly click “Yes, I agree”.

To give you an idea, here are some of the scams that have been reported so far:

Predating GDPR’s implementation, in early May, researchers at cybersecurity firm Redscan identified an effort to steal data with emails claiming to be from Airbnb. The message targeted Airbnb hosts, claiming that unless they accepted the new privacy policy, they would not be able to accept new bookings or send messages to prospective guests. Users who clicked the embedded link were directed to enter personal information, including account credentials and payment card information.

In late May, some users received a mailshot, seemingly on behalf of Apple, informing recipients that their Apple ID would be deleted in three days unless they followed a link and re-entered their account information.

Similarly, customers of NatWest were among those targeted by the scammers. Customers of the UK bank received fraudulent emails claiming that their accounts could be terminated if they failed to update their records. Customers were directed to a site that steals any data they enter.

You get the gist.

In order to avoid falling for such swindles, be sure to follow these simple rules:

  • If you’re ever asked to enter personal data, make sure you do so on the company’s official website. Scammers go to great lengths to replicate the look and feel of an authentic website. Looking at the URL is probably the best way to spot them: fake URLs look almost identical to the real one, but are typically longer than average and contain odd, out-of-place characters.
  • Check links even before clicking them. Hover the mouse cursor over the link to reveal the destination.
  • Try to spot anything fishy in the sender’s email address. Businesses do not use addresses from email services such as Gmail or Yahoo.
  • Be on the lookout for spelling and grammar mistakes. Poor quality design and images are also red flags.
  • Be wary of emails that start with ‘Dear valued customer’. This typically means that the scammers have your email address but don’t know who you are, unlike the actual service you thought the email came from.
  • Don’t fall for fear tactics. As we saw in the examples above, scammers will try to scare you into complying. “Your account will be suspended immediately” is probably a desperate attempt to trick you.
  • Do not download any attachments. If you see an attached Zip file, it probably contains malicious software. Scammers love Zip files because the format is supported by the vast majority of platforms.
  • Be sure to check the footer for any inconsistencies: incorrect copyright date, weird locations, and so on.
  • Still in doubt? Contact the technical support team of the service and ask them if they’ve indeed sent such an email.
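
The checklist above turned into a small triage script, added here as an example and not part of the original article: it parses a raw email and reports the red flags the list describes (free-mail sender, look-alike link destination, generic greeting, urgency wording, archive attachment). The sample message, the example.com service and the .invalid look-alike domain are constructed for the example; `expected_domain` is the site the mail claims to come from.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Red flags from the checklist: free-mail sender, look-alike link host, generic greeting, urgency, archive attachment.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
GREETING = re.compile(r"dear\s+(?:valued\s+)?(?:customer|user|member|client)\b", re.I)
URGENCY = re.compile(r"\b(?:suspend|terminat|delet)\w*\b[^.]{0,60}\b(?:immediately|within \w+ (?:hours|days)|in \w+ days)", re.I)

def phishing_indicators(raw_email: str, expected_domain: str) -> list[str]:
    msg = message_from_string(raw_email)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    if sender_domain in FREE_MAIL:
        findings.append(f"sender uses a free mail provider: {sender_domain}")
    body = ""
    for part in msg.walk():  # one part for a plain message, several for multipart
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].lower() in {"zip", "rar", "7z"}:
            findings.append(f"archive attachment: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    for href, text in ANCHOR.findall(body):  # compare the real destination host with the text shown
        host = (urlparse(href).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            findings.append(f"link shown as '{re.sub(r'<[^>]+>', '', text).strip()}' points to {host}")
    if GREETING.search(body):
        findings.append("generic greeting instead of the customer's name")
    if URGENCY.search(body):
        findings.append("urgency / account-suspension threat")
    return findings

# Constructed sample message, not a real scam; .invalid is a reserved TLD.
SAMPLE = """\
From: Example Support <example-privacy@gmail.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear valued customer,</p><p>Your account will be suspended immediately unless you
<a href="http://example.com.account-verify.invalid/update">https://www.example.com/privacy</a>.</p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="privacy_policy.zip"

--b1--
"""
```

Running `phishing_indicators(SAMPLE, "example.com")` reports all five flags for the constructed message; a legitimate mail from the expected domain, addressed by name and linking only to that domain, yields an empty list.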