May 21st 2018
This week sees the final countdown to Friday's long-awaited implementation of GDPR (General Data Protection Regulation) – designed to give consumers more control over their online data. It seems that right now, everyone who has ever provided any personal details – including contact details – to a website or membership association, is receiving a raft of emails either explaining those organisations’ updated privacy policies or requesting opt-in for continued contact.
Somewhat ironically, this is the kind of situation normally exploited by cybercriminals, who impersonate authentic organisations in an attempt to defraud innocent victims of money, their identity, or both. Unfortunately, this is actually happening now in the lead-up to GDPR, with phishing emails attempting to deceive consumers into handing over passwords and payment card details.
One such phishing email, impersonating Airbnb, reads: "This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States based companies, like Airbnb in order to protect European citizens and companies," before going on to urge the reader to click a link to accept the new ‘policy’. This, in turn, leads to a website on which visitors are asked to enter their confidential details, including account credentials and payment card information.
The real Airbnb is certainly sending messages to users in the face of the new regulation, but its messages are substantially more detailed and, rather than requesting credentials, seek only agreement to its new Terms of Service. Also, the sender address of the fake emails is typically '@mail.airbnb.work' as opposed to '@airbnb.com' – the authentic address. It should be noted, however, that even a genuine address can be spoofed by criminals to make the email appear authentic.
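The two checks described above can be combined in a mail filter: compare the From domain with the authentic one, and, because a genuine-looking address can be forged, accept it only when the receiving gateway recorded a DMARC pass. The following Python sketch is an added example, not code from Airbnb or ZDNet; the gateway name `mx.example.net`, the local parts of the addresses and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAIN = "airbnb.com"          # authentic sender domain named in the article
BRAND = "airbnb"
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: your own receiving gateway's authserv-id

def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_pass(msg):
    """True only if the trusted gateway recorded dmarc=pass for this message."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # header added by someone else, possibly the sender
        for part in results.split(";"):
            if part.split()[:1] == ["dmarc=pass"]:
                return True
    return False

def classify(raw):
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    if domain != LEGIT_DOMAIN and not domain.endswith("." + LEGIT_DOMAIN):
        # e.g. mail.airbnb.work: brand name present, but not under airbnb.com
        return "lookalike-domain" if BRAND in domain else "unrelated-domain"
    # A genuine-looking From can be forged, so require an authentication result.
    return "authenticated" if dmarc_pass(msg) else "possible-spoof"

# Constructed sample messages (local parts and gateway names are made up).
SAMPLES = {
    "lookalike": "From: Airbnb <policy@mail.airbnb.work>\n\nAccept the new policy",
    "spoofed": ("Authentication-Results: mx.example.net; dmarc=fail header.from=airbnb.com\n"
                "From: Airbnb <terms@airbnb.com>\n\nAccept the new policy"),
    "forged-header": ("Authentication-Results: sender.example; dmarc=pass\n"
                      "From: Airbnb <terms@airbnb.com>\n\nAccept the new policy"),
    "genuine": ("Authentication-Results: mx.example.net; dmarc=pass header.from=airbnb.com\n"
                "From: Airbnb <terms@airbnb.com>\n\nUpdated Terms of Service"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {classify(raw)}")
```

The "forged-header" sample shows why only an Authentication-Results header written by your own gateway counts: a sender can add a header claiming `dmarc=pass` just as easily as it can forge the From line.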
According to Airbnb, user details have not been illicitly accessed in order for the emails to be sent. A spokesperson told publisher ZDNet: “These emails are a brazen attempt at using our trusted brand to try and steal user's details, and have nothing to do with Airbnb. We'd encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on [email protected], who will fully investigate.”