
GDPR: A Good Idea That is Being Used to Phish Companies

Brad Slavin, General Manager
Updated May 29, 2025

Quick Answer

Phishing attackers are sending fake GDPR compliance reminders to EU employees, claiming their email security is not compliant and demanding immediate action. The lure works because GDPR fines run up to 20 million EUR or 4% of annual worldwide revenue, so the threat feels real, and many employees view it as routine red tape rather than a phishing attempt. Targets are mostly addresses scraped from company websites, with some focus on executives. The goal is credential harvesting via a clever message plus a bogus website. From a technology standpoint these attacks are not particularly advanced, so cloud-based real-time link scanning catches them by ignoring the message content and only evaluating where links point. Cloud phishing protection deploys in about 10 minutes with no hardware or software required.


GDPR, or General Data Protection Regulation, is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It’s a law that gives control of people’s personal data back to the people. It includes the right to see all the data a company has on you, as well as the “right to be forgotten.” In other words, a company that is covered by the GDPR has to delete your personal data at your request.

Once the GDPR took effect in 2018, it was incumbent upon companies in the EU to be in compliance with GDPR regulations. Companies found not to be in compliance could be fined up to €20 million or up to 4% of annual worldwide income. That’s a pretty hefty sum, so GDPR compliance is a pretty important thing. So it should come as no surprise that hackers are using GDPR compliance as a lure to phish employees in the EU.

According to an article in Help Net Security, “Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials.”


Continuing from the article, “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy (execs and upper management).”

The purpose of this phishing attack is similar to most others: credential harvesting. Once usernames and passwords are obtained, that’s when the havoc really begins.

Phishing Protection

The good news, if there is any, is that this is not a particularly advanced phishing attack. Other than the messaging, it’s like most other phishing attacks, from a technology standpoint: clever message + bogus website. That means that this attack is easy to spot and defeat for services like Phishing Protection from DuoCircle.

Phishing Protection is a cloud-based, real-time, link-scanning email security platform. What this means is that Phishing Protection ignores the message text, in this case about GDPR, and focuses only on the links in the email and the websites they point to. If those websites are bogus, the email gets quarantined and the recipient never sees it.
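To make the link-only approach concrete, here is an added example of a minimal classifier that judges an email purely by where its links point, not by what the message says. This is illustration code written for this page, not DuoCircle's Phishing Protection or any part of its product; the trusted and known-bad domain sets, the two-label "registrable domain" heuristic, and both sample emails (which use reserved `.invalid` and `.test` names) are constructed assumptions.

```python
"""Added example: classify an email by its link destinations only.

Not DuoCircle code. The domain lists and sample messages below are constructed
for illustration; a production scanner would consult a live reputation feed
and a public-suffix list instead of the simple heuristics used here.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the (hypothetical) organisation trusts.
TRUSTED_DOMAINS = {"example.com"}

# Constructed block-list standing in for a live URL-reputation feed.
KNOWN_BAD_DOMAINS = {"gdpr-compliance-check.invalid"}

# URLs in plain-text parts: anything that looks like an http(s) link.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw_email: str):
    """Return (href, text) pairs from every text/html and text/plain part."""
    msg = message_from_string(raw_email)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, errors="replace")
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(body)
            links.extend(parser.links)
        else:
            links.extend((url, url) for url in URL_RE.findall(body))
    return links


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _registrable(host: str) -> str:
    # Assumption: last two labels approximate the registrable domain.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(href: str, text: str) -> str:
    """Verdict for one link based solely on its destination."""
    host = _host(href)
    if not host:
        return "ignore"  # mailto:, fragments, relative links
    if _registrable(host) in KNOWN_BAD_DOMAINS:
        return "quarantine"
    # Visible text that looks like a URL but resolves elsewhere is a lure.
    text_host = _host(text) if text.startswith(("http://", "https://")) else ""
    if text_host and _registrable(text_host) != _registrable(host):
        return "quarantine"
    if _registrable(host) in TRUSTED_DOMAINS:
        return "allow"
    return "review"  # unknown destination: defer to a reputation lookup


def classify_email(raw_email: str) -> str:
    """Worst link verdict wins: quarantine > review > deliver."""
    verdicts = {classify_link(h, t) for h, t in extract_links(raw_email)}
    if "quarantine" in verdicts:
        return "quarantine"
    if "review" in verdicts:
        return "review"
    return "deliver"


# Constructed sample: GDPR lure whose link text and destination disagree.
SAMPLE_PHISH = """\
From: compliance@example.com
To: staff@example.com
Subject: GDPR compliance reminder
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox security is not GDPR compliant. Immediate action required.</p>
<p><a href="https://gdpr-compliance-check.invalid/login">https://mail.example.com/owa</a></p>
</body></html>
"""

# Constructed sample: routine notice linking to a trusted domain.
SAMPLE_BENIGN = """\
From: it@example.com
To: staff@example.com
Subject: Password policy update
Content-Type: text/plain; charset="utf-8"

Please read the updated policy at https://example.com/policies/password
"""

if __name__ == "__main__":
    print("phish  ->", classify_email(SAMPLE_PHISH))   # quarantine
    print("benign ->", classify_email(SAMPLE_BENIGN))  # deliver
```

The message body is never inspected for words like "GDPR" or "urgent"; the verdict comes from the destination host, a known-bad list, and the mismatch between what a link displays and where it actually goes. That mismatch check is why a lure that shows a familiar webmail address while pointing at a foreign host is caught even before the domain lands on any block-list.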

Cloud-based Phishing Protection requires no hardware, no software and no maintenance. It sets up in 10 minutes, works with all major email providers and only costs pennies per user per month.

If you’re a cost-conscious organization in the EU and you need to be in compliance with GDPR, the fastest and easiest way to make sure that compliance doesn’t leave you vulnerable to phishing attacks is to put Phishing Protection in place. Try it today for free for 60 days.

Brad Slavin

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
