UK-based threat detection and response firm Redscan has warned of email phishing attacks in which hackers are sending fake emails, purporting to come from well-known businesses, about incoming privacy changes.
The scams are designed to spread malware and/or steal personal data by tricking recipients into clicking malicious links and entering personal information. Cyber criminals are seeking to capitalise on the fact that businesses are actively re-consenting their contact databases ahead of the EU’s General Data Protection Regulation (GDPR) compliance deadline of 25 May.
Redscan first discovered the GDPR-inspired phishing scams in an email sent by hackers disguised as Airbnb’s customer support, which requests that recipients update their personal information to be able to continue using the home-sharing platform.
Recipients who click the link provided and enter their details risk exposing personal information, such as account and payment card details, to cyber criminals. Redscan warned that hackers were likely to be using the same technique to target customers of other well-known companies.
“The irony won’t be lost on anyone that cyber criminals are exploiting the arrival of new data protection regulations to steal people’s data,” said Mark Nicholls, director of cyber security at Redscan.
“Using current events and trends as bait for social engineering attacks is a common tactic. Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action.
“Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links, since it’s important to ensure they originate from a trusted source,” he said.
Social engineering campaigns can have damaging repercussions for employers as well as individual victims, said Nicholls.
“For businesses worried about their employees putting systems at risk, cyber awareness education and training is essential. Organisations should also ensure appropriate controls and procedures are in place to swiftly detect and respond to attacks when they occur.”
Airbnb described the emails as a “brazen attempt at using our trusted brand to try and steal user’s details”. It encouraged anyone who has received a suspicious-looking email to report it to the Airbnb trust and safety team for investigation.
“We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites,” it said.
Redscan’s tips for spotting and avoiding phishing email scams
Before opening an email, check for signs the sender is who they say they are and look for the use of fake addresses. Fake addresses will not use a real brand’s official domain. They will often use a bogus variation intended to look legitimate such as @mail.airbnb.work as opposed to @Airbnb.com.
Look for branding inconsistencies (font, logos, colours, etc.) and spelling errors, all of which may indicate that scammers are trying to copy a real brand.
If an email asks you to do something such as click a link or provide personal data, consider first if they have a genuine reason to make such a request. If so, check their website to see if you can complete the process there instead.
Be extra careful when checking emails on a smartphone, since smartphones usually provide a condensed screen view, which tends to hide important details such as the sender’s email address.
If you think you have been phished, change your passwords immediately across all accounts that use the same or similar login details.
Be aware that hackers may also try to steal personal data over the phone, so be equally vigilant when receiving unsolicited phone calls and do not provide personal information unless you have made initial contact.
Businesses concerned with the risk of phishing should implement multiple email validation and authentication systems designed to prevent email spoofing. They should also conduct regular employee training and introduce proactive network and endpoint monitoring.
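As an added illustration of the sender-domain check described in the tips above (this is example code written for this page, not Redscan’s or Airbnb’s tooling), the script below parses a From: header, reduces the address to its registrable domain and flags addresses whose display name or host contains a monitored brand name but whose registrable domain is not that brand’s real one. The brand-to-domain mapping and the sample headers are constructed assumptions; the registrable-domain logic is a simplification that ignores multi-part suffixes such as co.uk.

```python
# Added example (not from the article or Redscan): flag sender addresses whose
# domain imitates a trusted brand but is not that brand's real domain.
from __future__ import annotations

from email.utils import parseaddr

# Constructed mapping of brand keyword -> legitimate registrable domain (assumption).
TRUSTED_DOMAINS = {"airbnb": "airbnb.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Simplification: ignores multi-part public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, reason) for a raw From: header value.
    verdict is 'trusted', 'lookalike' or 'unknown'."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown", "no parseable address"
    host = address.rsplit("@", 1)[1]
    base = registrable_domain(host)
    # Brand names in the display name count too: "Airbnb Support <x@example.net>".
    haystack = (display_name + " " + host).lower()
    for brand, real in TRUSTED_DOMAINS.items():
        if base == real:
            return "trusted", f"sent from {real}"
        if brand in haystack:
            return "lookalike", f"'{brand}' appears but registrable domain is {base}, not {real}"
    return "unknown", f"{base} matches no monitored brand"


# Constructed sample headers, including the bogus variation quoted in the article.
SAMPLES = [
    "Airbnb <noreply@Airbnb.com>",
    "Airbnb Support <support@mail.airbnb.work>",
    "Airbnb Customer Care <care@example.net>",
    "Jane <jane@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        verdict, reason = classify_sender(header)
        print(f"{verdict:9} {header!r}: {reason}")
```

A check like this complements, rather than replaces, the sender-authentication controls mentioned in the last tip, since it only inspects the visible address.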