Beware GDPR email scams, which can be dangerously easy to fall for

The GDPR compliance deadline on May 25 could be a godsend for opportunistic cybercriminals, security experts have warned.

Earlier this month, cybersecurity firm Redscan discovered a worrying new phishing attack that takes advantage of the uncertainty surrounding GDPR compliance.


In essence, people are receiving countless messages about incoming privacy changes from a multitude of companies, and some of them might not be genuine.

In a recent case, Redscan found that hackers have been attempting to trick people into clicking malicious links and giving away their personal information, by posing as Airbnb’s customer support team.

The email told recipients that they needed to update their personal information, by following a link to a malicious site, in order to be able to continue using Airbnb.

“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data,” said Mark Nicholls, Redscan’s director of cybersecurity.

“Reported phishing attacks on customers of Airbnb is just the tip of the iceberg. No doubt hackers will be repeating the approach with other brands, doing so right up until the GDPR implementation and probably beyond.

“The window of opportunity for social engineering attempts is often short and criminals are unlikely to pass up the opportunity to trick unsuspecting account holders”.

To add to the confusion, the fake Airbnb emails look convincing. Furthermore, Airbnb has been sending users genuine messages about privacy policy changes, and asking them to follow links in these emails to review them.

Genuine privacy email from Airbnb


Fake privacy email from criminals

“These emails are a brazen attempt at using our trusted brand to try and steal users’ details, and have nothing to do with Airbnb,” the company said.

“We’d encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate.”

To protect yourself, Redscan says you should first check for signs that the sender is who they claim to be.

“Fake addresses won’t use a real brand’s official domain, they will often use a bogus variation intended to look legitimate e.g. @mail.airbnb.work as opposed to @Airbnb.com,” it says.

“If you’ve opened an email and you’re still unsure, look for branding inconsistencies (font, logos, colours) and spelling errors, all of which may indicate that scammers are trying to copy a real brand.”
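The sender check Redscan describes can be automated in a mail filter or triage script. The following is an added example, not code from Redscan or Airbnb; it assumes the official sending domain is airbnb.com, and every sample address other than @mail.airbnb.work is constructed.

```python
from email.utils import parseaddr

# Assumption: the brand's official sending domain(s) are known in advance.
OFFICIAL_DOMAINS = {"airbnb.com"}
BRAND_NAMES = {"airbnb"}


def split_sender(from_header: str) -> tuple[str, str]:
    """Return (display name, domain) from a From: header, both lower-cased."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return display.lower(), ""
    return display.lower(), addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'official', 'lookalike',
    'brand-in-display-name' or 'unrelated'."""
    display, domain = split_sender(from_header)
    # Official: the exact domain, or a true subdomain of it. The leading dot
    # stops "notairbnb.com" from matching "airbnb.com".
    for official in OFFICIAL_DOMAINS:
        if domain == official or domain.endswith("." + official):
            return "official"
    # Lookalike: the brand name appears somewhere in a non-official domain,
    # as in mail.airbnb.work or airbnb.com.example.net.
    if any(brand in label for label in domain.split(".") for brand in BRAND_NAMES):
        return "lookalike"
    # The brand appears only in the free-text display name, which the
    # sender can set to anything.
    if any(brand in display for brand in BRAND_NAMES):
        return "brand-in-display-name"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed headers, except the domain quoted by Redscan
        "Airbnb <support@mail.airbnb.work>",
        "no-reply@Airbnb.com",
        '"Airbnb Support" <help@example.net>',
        "Airbnb <team@airbnb.com.example.net>",
    ]
    for header in samples:
        print(f"{classify_sender(header):22} {header}")
```

An "official" result only means the visible address uses the real domain; the From: header can itself be forged, so this check complements SPF, DKIM and DMARC results rather than replacing them.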

Have you been targeted by hackers in the lead-up to GDPR compliance day? Share your experiences @TrustedReviews.