
Watch Out for GDPR Phishing Scams


The EU’s General Data Protection Regulation (GDPR) goes into effect starting today. Even if you don’t follow news related to data privacy, you’ve probably noticed that something’s going on. All month, organizations have been sending notifications of privacy policy updates and asking their subscribers to officially agree to continue receiving emails (including Plixer—look for that opt-in if you’re subscribed to our blog).

As a result, we’re all up to our elbows in these emails. One unfortunate and ironic side effect is that this flood has created an opportunity for hackers to launch GDPR phishing scams.

How Do the GDPR Phishing Scams Work?

It’s not unlike the delivery confirmation phishing scams that are common during the holidays. Hackers know what your inbox looks like right now and they know that many of these emails require action. So they simply add one more to the pile. When you’re weary from privacy policy fatigue, you may not immediately recognize the phishing attempt.

Most likely, the hacker will try to get you to click on a malicious link or to hand over sensitive information such as credentials or payment details.

Privacy Policy Phishing Email in the Wild

Cybersecurity firm Redscan uncovered these GDPR phishing scams when they noticed an email that allegedly came from Airbnb.

[Image: fake Airbnb email, a GDPR-related phishing attempt. Image: Redscan]

The email, which addresses the recipient as an Airbnb host, claims that they must accept the new privacy policy before they can accept new bookings or send messages. It also explains that the update is mandatory due to the new privacy legislation.

Clicking on the hyperlink brings you to a page that prompts you to enter personal information, including account credentials and payment information.

That request alone should be a gigantic red flag, even if you missed the other telltale signs (like the “mail.airbnb.work” sender domain, which is not the brand’s real domain). Legitimate organizations will never require you to enter credentials or payment information just to accept an updated privacy policy.
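The two red flags above (a sender domain that merely contains the brand name, and a privacy-policy pretext paired with a request for credentials or payment data) can be checked mechanically before a user ever clicks. The following is an added example written for this post, not code from Plixer, Redscan or Airbnb. It assumes airbnb.com is the brand’s genuine sending domain, uses a simplified “last two labels” notion of registrable domain (it does not handle multi-label public suffixes such as co.uk), and runs over two constructed sample messages, one modelled on the Redscan report and one benign.

```python
from email.utils import parseaddr

# Assumption: the registrable domains the brand genuinely sends from.
TRUSTED_DOMAINS = {"airbnb.com"}

# Constructed keyword lists: a privacy-policy pretext plus a request
# for secrets is the combination the Airbnb lure relied on.
PRETEXT_KEYWORDS = ("gdpr", "privacy policy", "accept", "mandatory")
SECRET_KEYWORDS = ("password", "card number", "credit card", "account credentials")


def registrable_domain(host):
    """Simplified registrable domain: the last two DNS labels.
    Limitation (by design of this example): co.uk-style suffixes are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_sender(from_header):
    """Return (verdict, registrable_domain) for a From: header.
    'lookalike' means the brand name appears in the sender domain or display
    name, but the registrable domain is not one the brand actually owns."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", None)
    reg = registrable_domain(addr.rsplit("@", 1)[1])
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]          # "airbnb"
        if brand in reg.replace("-", "") or brand in display.lower():
            return ("lookalike", reg)
    return ("unknown", reg)


def assess_message(msg):
    """Return a list of human-readable findings for one message dict."""
    findings = []
    verdict, reg = classify_sender(msg["from"])
    if verdict == "lookalike":
        findings.append(f"sender domain {reg} imitates a trusted brand")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(k in text for k in PRETEXT_KEYWORDS) and any(k in text for k in SECRET_KEYWORDS):
        findings.append("privacy-policy pretext combined with a request for credentials or payment data")
    return findings


# Constructed sample messages (not real captured mail).
SAMPLES = [
    {
        "from": "Airbnb <host-updates@mail.airbnb.work>",
        "subject": "Mandatory: accept the new privacy policy",
        "body": ("As an Airbnb host you must accept the new privacy policy, mandatory "
                 "under GDPR, before you can accept bookings. Confirm your password "
                 "and card number at the link below."),
    },
    {
        "from": "Airbnb <no-reply@airbnb.com>",
        "subject": "Updates to our privacy policy",
        "body": "We have updated our privacy policy. Review it at your convenience.",
    },
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["from"], "->", assess_message(sample) or ["no findings"])
```

A real deployment would replace the last-two-labels shortcut with a public-suffix list and would read the authenticated sender (the SPF/DKIM-aligned header) rather than the display name alone, but the logic is the same: decide whether the registrable domain is one the brand owns before trusting anything the display name says.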

But don’t depend on finding red flags after clicking a hyperlink. Redscan said it well:

“In the case of the Airbnb scam email, hackers were attempting to harvest credentials. Attack vectors do vary however and it’s possible that other attacks may attempt to infect hosts with keyloggers or ransomware, for example.”

Airbnb has had an admirable response to the news:

“These emails are a brazen attempt at using our trusted brand to try and steal user’s details, and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate.”

They also provided a webpage fully dedicated to informing users on how to identify phishing emails.

What IT Pros Can Do

If you work on a cybersecurity team, make yourself a resource for your users. Let them know to expect GDPR phishing scams and what red flags they should look for. Offer your guidance if they’re ever unsure whether an email is legitimate.

This simple step can save your organization from a breach, and it can even help your users when they’re dealing with their personal inboxes. What better way to foster a good relationship with your users?

For more information on GDPR, check out some of our related articles: