GDPR, or General Data Protection Regulation, is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It’s a law that gives control of people’s personal data back to the people. It includes the right to see all the data a company has on you, as well as the “right to be forgotten.” In other words, a company that is covered by the GDPR has to delete your personal data at your request.
Once the GDPR took effect in 2018, it was incumbent upon companies in the EU to be in compliance with GDPR regulations. Companies found not to be in compliance could be fined up to €20 million or up to 4% of the annual worldwide income. That’s a pretty hefty sum, so GDPR compliance is a pretty important thing. Then it should come as no surprise that hackers are using GDPR compliance as a lure to phish employees in the EU.
According to an article in Help Net Security, “Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials.”
Continuing from the article, “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy (execs and upper management).”
The purpose of this phishing attack is similar to most others: credential harvesting. Once usernames and passwords are obtained, that’s when the havoc really begins.
The good news, if there is any, is that this is not a particularly advanced phishing attack. Other than the messaging, it’s like most other phishing attacks, from a technology standpoint: clever message + bogus website. That means that this attack is easy to spot and defeat for services like Phishing Protection from DuoCircle.
Phishing Protection is a cloud-based, real-time, link scanning email security platform. What the means is Phishing Protection ignores the message—in this case about GDPR—and only focuses on the links in the email and the websites they point to. And if the websites are bogus, the email gets quarantined and the recipient never sees it.
Cloud-based Phishing Protection requires no hardware, no software and no maintenance. It sets up in 10 minutes, works with all major email providers and only costs pennies per user per month.
If you’re a cost-conscious organization in the EU and you need to be in compliance with GDPR, the fastest and easiest way to make sure that compliance doesn’t leave you vulnerable to phishing attacks is to put Phishing Protection in place. Try it today for free for 60 days.