Warning about GDPR-themed phishing emails

May 21st 2018

This week sees the final countdown to Friday's long-awaited implementation of GDPR (General Data Protection Regulation) – designed to give consumers more control over their online data. It seems that right now, everyone who has ever provided any personal details – including contact details – to a website or membership association, is receiving a raft of emails either explaining those organisations’ updated privacy policies or requesting opt-in for continued contact. 


Somewhat ironically, this is the kind of situation normally exploited by cybercriminals, who impersonate authentic organisations in an attempt to defraud innocent victims of money, their identity, or both. Unfortunately, this is actually happening now in the lead-up to GDPR, with phishing emails attempting to deceive consumers into handing over passwords and payment card details.

Such scams are thought to be rife. One example has been revealed by researchers at cybersecurity firm Redscan: a campaign that appears to target business email addresses with messages claiming to be from Airbnb, the global online marketplace and hospitality service for people to lease or rent short-term accommodation. The email, which addresses the user as an Airbnb host, threatens that they are not able to accept new bookings nor send messages to prospective guests until they accept a new privacy policy.

It reads: "This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies," before going on to urge the reader to click a link to accept the new ‘policy’. This, in turn, leads to a website on which visitors are asked to enter their confidential details including account credentials and payment card information.

The real Airbnb is certainly sending messages to users in the face of the new regulation, but its messages are substantially more detailed and, rather than requesting credentials, purely seek agreement to its new Terms of Service. Also, the sender address of the fake emails is typically '@mail.airbnb.work' as opposed to '@airbnb.com', the authentic address. It should be noted, however, that even a genuine address can be spoofed by criminals to make the email appear authentic.
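One way a mail filter could act on the two points above (a brand name inside a domain the brand does not own, and the fact that a genuine address can still be spoofed) is sketched here. This is an added example, not code from the article, Airbnb or Redscan; the three messages, the `mx.example.net` verifier name and the assumption that airbnb.com is the brand's only legitimate sending domain are constructed for illustration.

```python
"""Flag brand-impersonating senders in GDPR-themed mail (constructed example, not the article's code)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: airbnb.com is the only domain the brand sends from.
LEGIT_DOMAINS = {"airbnb": "airbnb.com"}


def sender_domain(raw: str) -> str:
    """Return the domain part of the From: address, lower-cased."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_passed(raw: str) -> bool:
    """True if the receiving MTA's Authentication-Results header reports spf=pass or dkim=pass.
    Simplification: a real filter would also check that the authenticated domain aligns with From:."""
    results = message_from_string(raw).get("Authentication-Results", "").lower()
    return "spf=pass" in results or "dkim=pass" in results


def classify(raw: str) -> str:
    domain = sender_domain(raw)
    for brand, legit in LEGIT_DOMAINS.items():
        if domain == legit or domain.endswith("." + legit):
            # Genuine domain, but the article notes it can be spoofed: require SPF/DKIM.
            return "ok" if auth_passed(raw) else "unauthenticated"
        if brand in domain:
            return "lookalike"  # brand name inside a domain the brand does not own
    return "ok"


# Constructed messages modelled on the article's description. Note the phish passes SPF
# for its own lookalike domain, so an SPF pass alone is not evidence of legitimacy.
PHISH = """From: Airbnb <noreply@mail.airbnb.work>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.airbnb.work

You cannot accept bookings until you accept the new policy.
"""
GENUINE = """From: Airbnb <automated@airbnb.com>
Authentication-Results: mx.example.net; dkim=pass header.d=airbnb.com

Please review our updated Terms of Service.
"""
SPOOFED = """From: Airbnb <automated@airbnb.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=airbnb.com; dkim=none

Please review our updated Terms of Service.
"""
```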

According to Airbnb, user details have not been illicitly accessed in order for the emails to be sent. A spokesperson told publisher ZDNet: “These emails are a brazen attempt at using our trusted brand to try and steal user's details, and have nothing to do with Airbnb. We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on [email protected], who will fully investigate.”
