So now, May 25th has come and gone.
If you live in the EU, you’re probably at least somewhat familiar with the significance of this past Friday, the 25th of May, 2018 – this is the day that the EU’s new General Data Privacy Regulations, GDPR, became binding law.
Um, What’s GDPR???
But if you happen to live outside of the EU and have no clue what any of this means, here is a three line synopsis of the 99 articles and 173 recitals (!!) that make up this new exhaustive body of laws:
The point of GDPR is to give citizens living within the EU heightened control over their data and how it’s used. Any business or organization, regardless of where it is located, that holds any data at all on people living within the EU must become fully compliant with the new regulations and do everything it can to prevent improper handling of user data.
One of the many things businesses need to do to avoid getting hit with whopping fines (up to 20 million Euros!) is to update their privacy policies and obtain users’ consent to remain on their mailing lists. To this end, you may have noticed an influx of emails over the last few days from entities such as Google, Netflix and Amazon, all asking you to read their new enhanced privacy statements and to agree to remain on their mailing lists.
Attackers Love GDPR (for now, anyway)
Oh, the irony of using these new data protection laws as the basis for sophisticated phishing scams!
But wait, there’s more.
Just last week, reports of a new Apple/GDPR-based scam began to emerge. In this variant, the fake Apple email asks the recipient to update their profile as part of security hardening measures ahead of the new regulations. The idea here is to get victims to divulge their Apple account information, which may include credit card details.
Spotting GDPR Phishing Emails
These fake-out emails may look a whole lot like the real thing and, with all the confusion GDPR has created for the non-legally-minded, they may indeed sound very legit. So how can you spot a fraudulent GDPR email if and when you get one?
- Check the design, context, spelling, domain names and grammar thoroughly. When creating fraudulent emails, it’s (thankfully) really tough to get all the nitty-gritty details just right, so attackers usually mess up in at least one of these areas. For example, the Apple phishing email was sent at random, which means that lots and lots of non-Apple users got it, making it out of context. Moreover, the domain name that readers reached upon clicking the embedded link was completely unrelated to Apple, another giveaway right there.
- Pay close attention to the sender’s email address. Sure, the email may say it’s from Airbnb, but if the email address doesn’t sufficiently reflect that, delete it.
- Think about the tone of the email. Attackers want to get the reader to act without thinking, so the tone of such emails is usually quite urgent.
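The three checks above, applied mechanically to a constructed sample message, as an added example that is not part of the original post; the brand allow-list, the urgency word list and the sample email are assumptions made for illustration, not data from the article:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the Apple-themed GDPR lure described in the post (not a real message).
PHISH = """From: "Apple Support" <noreply@example-mail.net>
Subject: URGENT: confirm your Apple ID before GDPR takes effect
Content-Type: text/html

<p>Your account will be locked within 24 hours unless you verify now:</p>
<a href="http://secure-login.example-updates.com/apple">Verify now</a>
"""

# Assumption: a tiny allow-list of the registrable domains each brand really sends from and links to.
BRAND_DOMAINS = {"apple": {"apple.com"}, "airbnb": {"airbnb.com"}}
# Assumption: a small list of pressuring phrases that signal the "act without thinking" tone.
URGENT = re.compile(r"\b(urgent|immediately|within \d+ hours|locked|suspended|act now|verify now)\b", re.I)


def registrable(host):
    # Crude last-two-labels heuristic; adequate for .com-style domains in this example.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw):
    """Return a list of findings for one raw RFC 822 message; an empty list means no red flags."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    findings = []
    # Which brand does the message claim to be from? (display name or subject line)
    text = f"{name} {subject}".lower()
    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    # Check 2: the sender address must actually belong to the claimed brand.
    sender_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    if brand and sender_dom not in BRAND_DOMAINS[brand]:
        findings.append(f"sender domain {sender_dom!r} does not belong to claimed brand {brand!r}")
    # Check 1: every embedded link should land on the brand's own domain.
    for href in re.findall(r'href="([^"]+)"', body):
        link_dom = registrable(urlparse(href).hostname or "")
        if brand and link_dom not in BRAND_DOMAINS[brand]:
            findings.append(f"link to {link_dom!r} is unrelated to claimed brand {brand!r}")
    # Check 3: urgent tone in subject or body.
    if URGENT.search(subject) or URGENT.search(body):
        findings.append("urgent / pressuring language")
    return findings
```

Running `analyze(PHISH)` flags all three giveaways the post lists; a message whose sender and links sit on the brand's own domain and that carries no pressuring wording returns an empty list.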
Don’t assume that since GDPR has already taken effect, you won’t be seeing any more of these emails. More than 50 percent of companies won’t be GDPR-compliant until the end of the year — and many more will only achieve compliance in the next few years. This means that you’ll be getting these “We’re updating our privacy statement” emails for a long time to come — so continue to be on the lookout for more of these baddies. Make sure you’re armed with enough information to avoid getting caught in their snare.