The European Union’s General Data Protection Regulation (GDPR) is designed to shield internet users against misuse of their personal information, but in the short term the new legislation may have resulted in a new wave of phishing fraud attempts.
Implemented in the UK and across the rest of EU on May 25, GDPR is intended by Europe’s legislators to be a good deed in a wicked online world. Under the legislation, organisations who collect, store and process customer data are required to be transparent about how they put that information to use. In particular, any company that harvests customer data must ask permission from individual consumers and provide them with an opportunity to opt out.
The result has been a deluge of “please don’t leave us” emails, in which organisations invite those on their mailing lists to agree to receive marketing messages on an ongoing basis. For consumers, therefore, the arrival of GDPR is providing an opportunity to cut back on unwanted messaging. Put simply, if we want to go on receiving special offers from Company X, we opt in. If we never want to hear from Company Y again, we opt out, or simply ignore the message.
But according to UK Finance – the trade body representing Britain’s financial services industry – the influx of GDPR-related messages that most of us have been experiencing is providing useful camouflage for an intensified campaign by ever-resourceful internet fraudsters aimed at tricking individuals into parting with confidential information.
In a statement coinciding with GDPR coming into force in Britain, UK Finance warned that criminals habitually use the publicity surrounding major events as an opportunity to pose as genuine companies, including banks, utilities, online retailers and internet service providers.
And Katy Worobec, Managing Director of Economic Crime at UK Finance, urged consumers to be cautious.
“With many people getting a flurry of emails as GDPR comes into force, it is important that everyone is vigilant of criminals trying to cash in. Be wary of any requests out of the blue for personal or financial details,” she said.
The Phishing Risk
Here’s the problem. Phishing scams are a huge problem in the UK. A typical fraud attempt might involve an internet criminal sending out a message claiming to be from a legitimate business. The recipient will be told there is a problem – such as a bank account being deactivated, or a credit card payment to a retailer not going through. The target will then be asked to link through to a page where the problem can be rectified. As part of the process, the victim will be asked for confidential information, such as an account number and password details.
Alternatively, simply clicking on a link might trigger a download of malicious software (malware), which will infect the target’s computer and harvest confidential data automatically.
Phishing attempts are often easy to spot, but they tend to work best when recipients receive an email from an organisation they are half expecting to hear from. For instance, cybercriminals have in the past sent out messages claiming to be from HMRC (Her Majesty’s Revenue and Customs) in the New Year period when many taxpayers were rushing to complete self-assessment tax returns before the January 31 deadline. In these circumstances, a message from HMRC is not deemed unusual, so the recipient is more likely to respond.
If UK Finance is correct, criminals are applying the same principle to GDPR. And according to Vince Warrington, founder of digital security company Protective Intelligence, the enormous volume of mailshot activity generated by GDPR is making it much easier for criminals to trick their targets.
“The wave of ‘GDPR Compliance’ emails has opened up a window for cybercriminals,” he says. “The sheer number of emails – many of which were completely unnecessary – gives the opportunity to undertake an effective spear phishing campaign for the attacker. Because of the volume of emails, many of us will have become accustomed to just clicking on the links in these emails without thinking.”
As Warrington explains, those who respond might not even know they have been defrauded.
“These links – even when disguised as an ‘Opt Out’ button – can lead you to a website that contains malware. Whilst on the screen you see a message that says ‘Successfully Unsubscribed’, it’s possible for an attacker to be using this page to infect your computer,” he says.
The risk is more than theoretical. In early May, digital security company Redscan announced that it had detected a fraudulent email sent to Airbnb users, warning them that, due to GDPR compliance policies, they wouldn’t be able to use the service unless they updated their details.
Mark Nicholls, Redscan’s Director of Cyber Security, said this was unlikely to be just a one-off incident.
“Reported phishing attacks on customers of Airbnb are just the tip of the iceberg. No doubt hackers will be repeating the approach with other brands,” he said.
Perhaps inevitably, his words proved prophetic. In late May, the Daily Telegraph reported that customers of NatWest had received fake GDPR compliance messages.
Protecting Against The Threat
So how do we protect ourselves?
According to UK Finance, the golden rule – at least as it applies to communications from banks – is that no legitimate financial organisation will write to customers “out of the blue” asking them to supply PINs and account numbers. Thus, consumers should never be tricked into giving away account details.
UK Finance also cautions against clicking on links within emails. This may be bad news for businesses that are sending legitimate GDPR emails and whose ongoing marketing operations depend on a response.
If you are tempted to click on a link, you can at least check the underlying address of the sender. An email may appear to come from, say, Barclays, Currys or Tesco because that’s what appears on the ‘sent by’ line. However, if the underlying address doesn’t match the expected domain name, then the chances are the message is fraudulent. Equally, you can check the website address behind a link by hovering over it with the cursor. Look out also for spelling errors and for text that begins “Dear Customer” rather than addressing you by name.
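The three manual checks just described (the sender’s real address versus the display name, the address behind a link versus the text it shows, and a generic greeting) can be automated for a mailbox or a mail gateway. The following Python script is an added example written for this article; it is not code from UK Finance, Protective Intelligence or any other party named here. Both email messages in it are constructed for illustration, the `.test` domain names are placeholders, and the “registered domain” helper deliberately uses the simplification of keeping the last two DNS labels, which is wrong for suffixes such as `.co.uk` (a real deployment would use a public-suffix list).

```python
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the 'sent by' name looks like the bank, the real address does not,
# the first link's text names one host while its href goes to another, and the greeting is generic.
PHISHING_EML = """From: "Example Bank Customer Care" <alerts@mail-verify-example.test>
To: customer@example.test
Subject: Action required: GDPR update
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Due to GDPR compliance you must
<a href="http://login.example-bank.verify.test/update">update your details at www.example-bank.test</a>
or click <a href="http://www.example-bank.test/unsubscribe">Opt Out</a>.</p>
</body></html>
"""

# Constructed sample of a message that passes all three checks.
CLEAN_EML = """From: "Example Bank" <noreply@example-bank.test>
To: customer@example.test
Subject: Your marketing preferences
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Alex Example,</p>
<p>You can <a href="https://www.example-bank.test/preferences">manage your preferences</a> at any time.</p>
</body></html>
"""

EXPECTED_DOMAIN = "example-bank.test"  # placeholder for the brand the mail claims to come from

# Matches a hostname written inside visible link text, e.g. "www.example-bank.test".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registered_domain(host: str) -> str:
    """Last two DNS labels of a hostname (simplification; wrong for .co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for each <a> element and all visible text of the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._link_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def check_message(raw_message: str, expected_domain: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    msg = email.message_from_string(raw_message, policy=policy.default)
    expected = expected_domain.lower()

    # 1. The display name is what the 'sent by' line shows; the address is what matters.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2]
    if registered_domain(sender_host) != expected:
        findings.append(f"sender address {address!r} is not under {expected_domain} "
                        f"(display name was {display_name!r})")

    # 2. The hostname behind each link, compared with the brand and with the link's own text.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        if registered_domain(target_host) != expected:
            findings.append(f"link {text!r} points at {target_host!r}, outside {expected_domain}")
        for claimed in HOST_RE.findall(text):
            if registered_domain(claimed) != registered_domain(target_host):
                findings.append(f"link text names {claimed!r} but href goes to {target_host!r}")

    # 3. A generic salutation instead of the recipient's name.
    visible_text = " ".join(parser.text_parts)
    if re.search(r"\bdear (customer|user|member)\b", visible_text, re.I):
        findings.append("generic greeting instead of the recipient's name")
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_EML), ("clean sample", CLEAN_EML)):
        print(label, "->", check_message(raw, EXPECTED_DOMAIN) or ["no findings"])
```

Run against the phishing sample the script reports four findings (the sender address, the first link being outside the brand’s domain, the mismatch between that link’s text and its href, and the generic greeting) and reports nothing for the clean sample. The checks are heuristics: a message that passes them is not proven genuine, which is why the article’s advice not to click at all still stands.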
But as Vince Warrington points out, ignoring the email is often best, particularly if you don’t intend to opt in.
“The best advice is to ignore these emails. Consent must be given clearly under GDPR, so an organisation cannot consider you to have given consent by you not responding to their email request,” he says.