The advent of the General Data Protection Regulation on 25th May within the EU will see online customers being asked by their service providers to update personal user agreements so that services such as email updates or record maintenance can be continued. However, cybercriminals will also see this as an opportunity to exploit those agreements and send fake GDPR notices to customers, asking them to confirm login or personal information via online links so that they can continue to use the service being provided. Recent enquiries have already identified a string of fake notices which purport to be from Airbnb, asking customers to update details in order to continue their agreement.
Clicking on fake or fraudulent links within a phishing email can result in:
• Redirections to fake/infected sites for watering-hole attacks targeting specific online users or organisations
• Malicious attachments which appear to be GDPR related documents or invitations which attack the network or system
• Requests for private or personal and financial information such as account details, credit card details, passwords etc.
• Harvesting of email account details which can be exploited for marketing or junk mail campaigns
Users and organisations who have agreements or connections with services for which they have supplied personal information should be aware of this potential threat. The Garda National Cyber Crime Bureau advises that before following any link which asks for personal or financial data, you should ensure:
- You are careful before responding to unsolicited emails
- You have an agreement with the service sending you the email
- The email address used to send you the message is genuine and from the provider
- The link within the email is genuine by either hovering over it to ensure it leads to where it says it does, or by checking the page it leads to and its contents
- If still unsure, contact the service provider or organisation and confirm that they sent the email
- Never supply banking or financial information via email
Banking institutions never ask for personal information via email. If you receive such an email, delete it and report it to your bank or financial institution. All incidents of phishing or theft of personal information should be reported to your local Garda station with a copy of the original email you received.
Note: No incidents have been reported in Ireland to date; however, a number of incidents have been reported throughout Europe. This is a crime prevention measure to ensure that no person or organisation becomes a victim of this type of crime.