Scammers are using GDPR email alerts to conduct phishing attacks
Malicious actors posing as well-known businesses using the guise of GDPR to steal personal data


Threat detection specialists have uncovered a new trend of malicious actors using GDPR compliance as a cover to target businesses with email phishing attacks.
Hackers, according to cyber security company Redscan, are impersonating well-known companies to send fake emails warning about imminent changes to privacy settings in an attempt to spread malware or steal personal data.
Redscan said it first encountered this GDPR-inspired scam in an email sent by attackers disguised as Airbnb's customer support, asking recipients to update their personal information to continue using the service.
This technique is particularly opportunistic, taking advantage of the growing sense of urgency among businesses as they race to comply with GDPR, with less than a month to go until its 25 May deadline.
Many businesses routinely handling personal data, including Airbnb, are in the process of complying with requirements set out in the new set of data regulations, with many contacting their personal and commercial users with updated terms of service and privacy policies.
"The irony won't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people's data," said Mark Nicholls, director of cyber security at Redscan, adding: "The skill level in launching phishing attacks is generally quite low so it's difficult to estimate the scale of such scams."
In a fake email sent by scammers using the address 'important@mail.airbnb.work' - resembling an authentic message sent by Airbnb (noreply@airbnb.com) - recipients were told they could not accept new bookings or send messages until they accepted the company's new Privacy Policy.
The email read: "This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies."
Airbnb, unsurprisingly, did not look kindly on its brand being used for phishing attacks: "These emails are a brazen attempt at using our trusted brand to try and steal user's details, and have nothing to do with Airbnb."
"We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate. We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites," the company said in a statement to IT Pro.
Nicholls noted that such attacks are commonplace: "Using current events and trends as bait for social engineering attacks is a common tactic. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that's clicking a link or divulging personal data.
"It's a textbook phishing campaign in terms of opportunistic timing and having a believable call to action."
He told IT Pro the phishing email Redscan came across was targeted at a generic business address, suggesting the attackers may have scraped addresses from the web.
"As we get closer to the GDPR implementation deadline, I think we can expect to see a lot more of these types of phishing scams over the next few weeks, that's for sure."
The cyber security firm warned that businesses concerned about the risk of phishing should implement measures to prevent them falling foul of such scams, including multiple email-validation and authentication systems designed to prevent spoofing, as well as holding regular training sessions for staff.
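As an added illustration (not code from Redscan, Airbnb or ITPro), the Python example below triages messages by their From: domain and the receiving server's DMARC verdict, using the two addresses quoted in the article. The brand allow-list, the `mx.example.test` server name and the sample messages are constructed assumptions; the first sample shows that a lookalike domain such as `mail.airbnb.work` can pass authentication for itself, which is why the domain check runs before the DMARC check.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand legitimately sends from (airbnb.com is from the article).
BRAND_DOMAINS = {"airbnb": {"airbnb.com"}}

def sender_domain(msg):
    """Lower-cased domain of the From: address ('' if it cannot be parsed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def dmarc_result(msg):
    """dmarc= verdict from Authentication-Results, or 'none' if absent.
    Assumption: the header was added by our own receiving mail server."""
    for header in msg.get_all("Authentication-Results", []):
        match = re.search(r"\bdmarc=(\w+)", header, re.I)
        if match:
            return match.group(1).lower()
    return "none"

def classify(raw):
    """Return 'lookalike-domain', 'spoofed-or-unauthenticated', 'ok' or 'unrelated'."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in domain:
            continue
        # The brand name appears in the sender domain: is it really the brand's domain?
        if not any(domain == d or domain.endswith("." + d) for d in legit):
            return "lookalike-domain"  # a DMARC pass here only vouches for the fake domain
        if dmarc_result(msg) != "pass":
            return "spoofed-or-unauthenticated"
        return "ok"
    return "unrelated"

# Constructed sample messages (headers only matter here).
SAMPLES = {
    "fake": "From: Airbnb <important@mail.airbnb.work>\n"
            "Authentication-Results: mx.example.test; dmarc=pass header.from=mail.airbnb.work\n"
            "Subject: Privacy Policy update\n\nbody\n",
    "spoof": "From: Airbnb <noreply@airbnb.com>\n"
             "Authentication-Results: mx.example.test; dmarc=fail header.from=airbnb.com\n\nbody\n",
    "real": "From: Airbnb <noreply@airbnb.com>\n"
            "Authentication-Results: mx.example.test; dmarc=pass header.from=airbnb.com\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```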

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.