New GDPR Compliance Phishing Scams Capitalize on Fear and Confusion Cleverly
Phishing is today’s biggest cybersecurity threat, and cybercriminals are constantly revising and upgrading their tactics to take advantage of fortuitous circumstances. A fresh spate of GDPR compliance phishing scams is a good reminder that one of their favorite things to capitalize on is human error, as we’ve seen this year to chilling effect.
Bad actors specialize in taking advantage of fear, uncertainty, complexity, chaos, and misinformation. The COVID-19 pandemic was exactly the kind of tumultuous world event that enables bad actors to thrive. But an event or concern doesn’t have to be that epic to drive cybercrime. Savvy cybercriminals can use social engineering to turn something as boring as compliance into a phishing bonanza.
The Perfect Blend of Ingredients to Brew Up Some Social Engineering
GDPR is a specter that haunts many compliance officers and business owners. A wide web of communications on the subject allows inaccurate information to proliferate. The complex nature of GDPR requirements, regulations, and guidance is definitely a source of stress. With stories regularly hitting the press about big fines for data privacy violations, these factors have combined to create a situation that makes businesses more likely to look for advice from a firm that specializes in GDPR compliance, especially when making changes to their cybersecurity suite.
That’s exactly what has happened to many businesses in the last few months that operate under the GDPR umbrella. Helpful firms that specialize in GDPR compliance are reaching out to let businesses know that the email security system they’re currently using doesn’t meet today’s GDPR compliance standards – but luckily, this GDPR compliance specialty firm spotted the problem, and can help the non-compliant business get that sorted out fast.
All Tricks, No Treats
Except, they’re not really GDPR compliance specialists or even real service businesses – they’re cybercriminals, and the only thing they’re serving up is cybersecurity disaster. These messages are especially likely to target business owners, executives, and other individuals within organizations that could be expected to have highly privileged email accounts, giving the bad actors the maximum return on their email scam investment.
First caught by Area 1 Security on August 31, a common GDPR email security phishing message preys on misconceptions regarding the relatively recent, yet stringent data protection law to create a sense of urgency and fear in recipients. It’s low-hanging fruit – GDPR regulations are known to be strict, notoriously byzantine, and rife with red tape, so it’s not a hard sell. No one wants the headaches that come with non-compliance, so they’re likely to be receptive to the fake offer of “help” with their company’s “problem”.
Then the cybercriminals pounce, using highly convincing messages and landing pages to encourage the target to begin fixing the problem by filling in some information and handing over their email credentials. Typically these scams use a poisoned link to drive victims to fill out an HTML form or provide information that enables the “specialist” to make necessary changes. Unfortunately, that also includes the credentials for the target’s email account.
The Devil is in the Details
All of this is presented very reasonably, making it an easy social engineering attack to fall for. Some variations of the scam even spoof internal company emails, with the cybercriminals posing as corporate IT techs that are performing routine maintenance, including the right graphics, header, signatures, and other details that make it convincing.
Targeted executives or other power users may even arrive at a landing page that’s personalized just for them, with many relevant details already populated so they only need to provide a few things to finalize the upgrades.
However, small flaws often enable observant staffers to spot the fakery. Some potential clues include:
- Small mistakes in spelling, punctuation, usage, or grammar
- Color palettes and fonts that are just a little bit off
- Images like signatures or headers that are blurry
- A failure to properly use industry lingo
- Misidentifying company departments or workers
- Using a Gmail address
- Emails and landing pages that use unfamiliar formats
A recipient that is alert to cybersecurity dangers, especially phishing scams, can generally detect easily that the message isn’t really from their company’s internal IT department, or even from a legitimate firm at all – saving their company from an expensive, messy disaster.
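The same clues can be checked mechanically before a message ever reaches an executive’s inbox. The triage function below is an added example written for this post, not tooling from Area 1 Security or BullPhish ID; it scores a constructed sample of the GDPR “your email security is non-compliant” lure against the clues listed above (free webmail sender, a display name claiming an internal IT or compliance role from an outside domain, a mismatched Reply-To, urgency wording, and a link to an external HTML form). The internal domain `example-corp.test` and both sample messages are made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the GDPR "email security non-compliant" lure.
SAMPLE_GDPR_LURE = """\
From: "IT Support - Compliance Team" <it.support.compliance@gmail.com>
Reply-To: gdpr-helpdesk@outlook.com
To: ceo@example-corp.test
Subject: URGENT: Your email security is not GDPR compliant

Our audit found your mail system does not meet current GDPR standards.
Please verify your account here to avoid fines: http://secure-gdpr-update.test/login.html
"""

# Constructed benign message from a real colleague on the company domain.
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@example-corp.test>
To: ceo@example-corp.test
Subject: Q3 board deck

Attached is the draft deck for Thursday.
"""

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
INTERNAL_ROLE_WORDS = ("it support", "helpdesk", "it department", "compliance team", "administrator")
URGENCY_WORDS = ("urgent", "non-compliant", "not gdpr compliant", "avoid fines", "verify your account")


def score_gdpr_phish(raw_message: str, internal_domain: str) -> list:
    """Return the clues found in one raw RFC 822 message; an empty list means nothing matched."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    clues = []
    if sender_domain in FREEMAIL_DOMAINS:
        clues.append(f"free webmail sender domain: {sender_domain}")
    # "Corporate IT" or "compliance team" in the display name, but the mail comes from outside.
    if any(w in display_name.lower() for w in INTERNAL_ROLE_WORDS) and sender_domain != internal_domain:
        clues.append("display name claims internal IT/compliance role but domain is external")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != sender_domain:
        clues.append("Reply-To domain differs from From domain")
    body = msg.get_payload()  # plain single-part body in these samples
    text = (msg.get("Subject", "") + " " + body).lower()
    found = [w for w in URGENCY_WORDS if w in text]
    if found:
        clues.append("urgency/fear wording: " + ", ".join(found))
    # A link driving the reader to an HTML form on a host that is not the company's own.
    for host in re.findall(r"https?://([^\s/]+)/\S*\.html", body, flags=re.I):
        if host.lower() != internal_domain:
            clues.append(f"link to external HTML form on {host}")
            break
    return clues
```

Run as a mail-flow hook or over a mailbox export, a non-empty result is a reason to hold the message for review rather than a verdict on its own.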
Don’t Let Your Guard Down
How can businesses be sure that every user on their network has their eyes open for those little mistakes? Through consistent, effective security awareness and phishing resistance training. Studies show that security awareness training can lower a company’s chance of experiencing a damaging cybersecurity incident by up to 70%. But only if it’s regularly refreshed – a recent experiment found that subjects only retain the awareness created by phishing resistance training for about 4 months before improvements are lost.
BullPhish ID is the perfect choice to ensure that everyone’s on the same page and up-to-speed on the latest threats fast. Easy campaign and group management means that companies don’t need specialized personnel to oversee training. Plug-and-play phishing campaign testing kits complete with fake emails, dummy landing pages, and video lessons to illustrate phishing threats provide training in bite-sized pieces.
BullPhish ID also includes online testing to measure retention, with reporting that enables you to sort groups in any way that you need to as you determine who needs more help. Plus, at least four new training kits and new videos are added every month featuring the latest threats, including COVID-19 content. More than 80% of today’s cyberattacks are email-based, including ransomware, making phishing resistance training a smart investment.
Get the Last Laugh on Cybercrime
With materials available in 8 languages and constantly updated training materials just a click away, BullPhish ID is both effective and cost-effective, offering every company the chance to turn its greatest cybersecurity risk, its employees, into its greatest cybersecurity shield against GDPR compliance phishing scams.