What is the Issue:
With the EU's General Data Protection Regulation (GDPR) taking effect on May 25th, many internet scammers have been using the new laws as a pretext to steal personal information by sending fraudulent emails that claim to come from legitimate enterprises. These emails are crafted to make the user believe that, as part of an account security hardening in preparation for the new regulations, their account could be suspended or terminated if they do not update their records. The email prompts the user to click on a link, which then asks them to enter their login credentials or credit card information in order to “unlock” their account.
Why is this noteworthy:
The mishandling of user data has gained a lot of attention recently, due to the massive data leaks from Facebook earlier in 2018. Since the Facebook data breach, many governments have been putting legislation into effect to help protect a user's data from being misused. Internet scammers are well aware of this and have been trying to capitalize on these headlines by crafting phishing emails designed to lure in users who are concerned about the use of their data. The verbiage of these emails may contain a statement such as “We have updated our Privacy Statement to support new EU data protection law. Please login in to update your account policy.”
What is the exposure or risk:
Phishing attacks are designed to steal valuable information from a user so that it can be used or sold on the dark web. Phishing attacks target bank information, login credentials, credit card information, and anything else a scammer may find valuable.
What are the recommendations:
SkOUT recommends regularly training employees on security awareness and teaching them how to distinguish a legitimate email from a phishing email. We also recommend that you instruct your employees never to open or take action on emails that are not addressed to the recipient, that contain grammatical errors, or that ask them to enter personal information through a link in the message. Banks and other large enterprises will never ask you for a username, password, credit card information, or account PIN through email.
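As an added illustration of the indicators above, and not part of this advisory, the following Python heuristic checks one raw email for the signs listed (not addressed to the recipient, GDPR or privacy-update lure wording, a request to log in or supply credentials, a suspension threat, and a link to do it through). The two messages are constructed samples; the lure sentence is the one quoted above, and all addresses and domains are made up.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (made-up addresses and domains, not real samples).
PHISH = """From: Account Security <security@example-bank.co>
To: undisclosed-recipients:;
Subject: Action required: GDPR account update

We have updated our Privacy Statement to support new EU data protection law.
Please login in to update your account policy at
http://example-bank.co.update-login.example/ or your account will be suspended.
"""

LEGIT = """From: HR <hr@corp.example>
To: alice@corp.example
Subject: Privacy notice update

We have updated our internal privacy notice. No action is required.
"""

# Phrases that map onto the indicators named in the recommendations.
LURE = re.compile(r"\b(gdpr|data protection|privacy (statement|policy))\b", re.I)
ASK = re.compile(r"\b(log ?in|password|credit card|pin|verify your account)\b", re.I)
THREAT = re.compile(r"\b(suspend|terminat|locked|unlock)\w*\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)


def phishing_indicators(raw, recipient):
    """Return the list of advisory indicators present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = (msg["Subject"] or "") + "\n" + msg.get_payload()
    found = []
    # "Not addressed to the recipient": the mailbox is absent from the To header.
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if recipient.lower() not in to_addrs:
        found.append("not_addressed_to_recipient")
    for name, pattern in (("gdpr_lure", LURE), ("credential_request", ASK),
                          ("suspension_threat", THREAT), ("contains_link", LINK)):
        if pattern.search(text):
            found.append(name)
    return found


def is_suspicious(raw, recipient):
    """Flag a message that asks for credentials via a link plus at least one more sign."""
    hits = phishing_indicators(raw, recipient)
    return "credential_request" in hits and "contains_link" in hits and len(hits) >= 3
```

A hit list like this is a triage aid for a mail gateway or SOC queue, not a verdict; a message that trips it is one to report rather than act on.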
If you have any questions, please contact our Security Operations Center.