The opportunistic nature of modern cybercriminals means it should come as no surprise to see hackers taking advantage of current events for nefarious purposes.
With organisations across the EU busy making final preparations for the General Data Protection Regulation (GDPR), which takes effect in less than two weeks, Redscan has uncovered a new breed of email phishing attacks designed to mimic a GDPR permissioning campaign.
Our researchers were the first to highlight the example of a scam targeting users of the home-sharing site, Airbnb. The discovery was widely reported across the national, security and technology press, with coverage including:
Mark Nicholls, Redscan’s Director of Cyber Security, had this to say:
“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data.
“Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links, since it’s important to ensure they originate from a trusted source.
“Cyber awareness education and training is essential. Organisations should also ensure appropriate controls and procedures are in place to swiftly detect and respond to attacks when they occur”.
“Reported phishing attacks on customers of Airbnb are just the tip of the iceberg. No doubt hackers will be repeating the approach with other brands, doing so right up until the GDPR implementation and probably beyond. The window of opportunity for social engineering attempts is often short and criminals are unlikely to pass up the opportunity to trick unsuspecting account holders”.
Redscan’s top tips for spotting and avoiding phishing scams
1. Before opening an email, check for signs that the sender is who they say they are, and look for use of fake addresses. Fake addresses won’t use a real brand’s official domain; they will often use a bogus variation intended to look legitimate, e.g. @mail.airbnb.work as opposed to @Airbnb.com
2. If you’ve opened an email and you’re still unsure, look for branding inconsistencies (font, logos, colours) and spelling errors, all of which may indicate that scammers are trying to copy a real brand
3. If an email asks you to do something such as click a link or provide personal data, consider first if they have a genuine reason to make such a request. If so, check their website to see if you can complete the process there instead
4. Be extra careful when checking emails via a smartphone, since they usually provide a condensed screen view, which tends to hide important details such as sender email address
5. If you think you’ve been phished, change your passwords immediately across all accounts with the same or similar login details
6. Be aware that hackers may also try to steal personal data over the phone, so be equally vigilant when receiving unsolicited phone calls and don’t provide personal information unless you’ve made initial contact
7. Businesses concerned with the risk of phishing should implement multiple email-validation and authentication systems designed to prevent email spoofing. They should also conduct regular employee training and introduce proactive network and endpoint monitoring, which can be highly effective at detecting these types of attacks, so long as systems are being routinely analysed
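As an added illustration of tip 1 (this is example code, not code from the original post or from Redscan), the following Python check pulls the sender domain out of a From: header and flags addresses that carry the brand name without belonging to its official domain, including the case where only the display name says “Airbnb”. The allowlist and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed allowlist for the example: the brand's genuine registrable domain(s).
# Real deployments would load this from a maintained list per brand.
OFFICIAL_DOMAINS = {"airbnb.com"}
BRAND_KEYWORD = "airbnb"


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header, or '' if none."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    # Case-fold and drop a trailing dot so "Airbnb.com" and "airbnb.com." compare equal.
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_official(domain: str) -> bool:
    """True if the domain is an official domain or a genuine subdomain of one.

    A suffix match on '.airbnb.com' accepts mail.airbnb.com but rejects
    look-alikes such as airbnb.com.example.net, whose suffix is different.
    """
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'official', 'lookalike' or 'unrelated'.

    'lookalike' means the brand name appears in the domain (e.g. mail.airbnb.work)
    or only in the display name, while the actual domain is not an official one.
    """
    domain = sender_domain(from_header)
    display = parseaddr(from_header)[0].lower()
    if is_official(domain):
        return "official"
    if BRAND_KEYWORD in domain or BRAND_KEYWORD in display:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers, one per case the tips describe.
    for header in ("Airbnb <automated@mail.airbnb.work>",
                   "no-reply@Airbnb.com",
                   "Airbnb Support <support@example.net>"):
        print(f"{header!r:45} -> {classify_sender(header)}")
```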
Redscan is an award-winning provider of managed security services, specialising in threat detection and integrated incident response.
Possessing a deep knowledge of offensive security, Redscan’s experts are among the most qualified in the industry, working as an extension of clients’ in-house resources to expose and address vulnerabilities and to swiftly identify and shut down breaches. Services offered include: CREST accredited Pen Testing, Red Teaming and Managed Detection and Response.