Security Snippets: GDPR and Royal Wedding Phishing Scams

Charles Killmer
Cybersecurity & Compliance, Financial IT, Healthcare IT

Social engineers are opportunists, continually seeking out new and creative ways to scam users into providing personal and financial information. They’ll often develop topically relevant phishing scams around major holidays and major events, trying to capitalize on periods of high web traffic around a specific topic to trap unsuspecting phishing victims.

This week is no different, as we’ve seen a marked rise in phishing attempts around two primary events:

  • The European Union's General Data Protection Regulation (GDPR), which becomes enforceable on May 25
  • The Royal Wedding that occurred this past weekend

The threat of GDPR scams

If you haven’t heard of GDPR, you likely don’t have customers in the European Union. In short, GDPR applies to any organization that processes the personal data of people in the EU, wherever that organization is based, and requires it to put appropriate security and privacy controls in place to protect that data. The fines for non-compliance are severe (up to 20 million euros or 4% of global annual turnover, whichever is higher), and enforcement begins on May 25, 2018, so many companies are scrambling this week to take any last-minute steps to meet the requirements.

As a result, attackers have an opportunity to prey on companies looking for last-minute GDPR information. Specifically, over the past few days, some Apple users have been targeted by phishing emails stating that, because of GDPR, Apple is proactively preparing to better protect its users’ data. The email threatens to suspend the recipient’s account unless they visit an “account rescue site,” where they are asked to enter their Apple ID credentials and other personal and financial information.

The campaign is described as sophisticated in that its landing page uses techniques intended to evade the anti-phishing filters built into some antivirus products. The page looks and feels like a legitimate Apple site, but the link in the email does not lead to an Apple domain. The tell is the actual destination of the link, not the text displayed for it: hover over (or long-press) the link and confirm that the host is apple.com or a subdomain of it. A host that merely contains “apple.com” somewhere in its name, for example as a subdomain of an unrelated domain, is not Apple.
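The link check described above can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from the original post or from any vendor: it parses the anchors out of an HTML email body, compares each link’s real destination host against an expected vendor domain, and flags links whose visible text names a different host than the href does. The sample email body, the trusted-domain list and the “account-rescue” hostname are constructed for the example.

```python
"""Flag suspicious links in an HTML email body (added example).

Checks: (1) does the href really land on the expected vendor domain,
(2) does the visible link text name a different host than the href,
(3) does an untrusted host embed the trusted name as a lookalike.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating the GDPR-themed Apple phish described above.
# The account-rescue host is made up for this example.
SAMPLE_EMAIL_HTML = """
<p>Due to GDPR we are updating our data protection measures.</p>
<p>Please confirm your details at
<a href="http://appleid.apple.com.account-rescue.example.net/verify">https://appleid.apple.com</a>
within 24 hours or your account will be suspended.</p>
<p>Legitimate help: <a href="https://support.apple.com/">support.apple.com</a></p>
<p>Plain link: <a href="https://example.org/about">About us</a></p>
"""

# Registrable domains the purported sender is expected to use (assumption).
TRUSTED_DOMAINS = {"apple.com"}

_URLISH = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname; bare domains without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only for the trusted domain itself or a subdomain of it.
    The trusted name appearing as a prefix (apple.com.evil.example) does not count."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def looks_like_url(text):
    return bool(_URLISH.match(text.strip()))


def analyse_links(html, trusted=TRUSTED_DOMAINS):
    """Return findings as (href, visible_text, [reasons]) for links worth a second look."""
    findings = []
    for href, text in extract_links(html):
        reasons = []
        href_host = host_of(href)
        untrusted = not is_trusted_host(href_host, trusted)
        if untrusted:
            reasons.append(f"href host {href_host!r} is not under a trusted domain")
        if looks_like_url(text) and host_of(text) != href_host:
            reasons.append(f"visible text names {host_of(text)!r} but href goes to {href_host!r}")
        if untrusted and any(d in href_host for d in trusted):
            reasons.append("trusted domain name embedded in an untrusted host (lookalike)")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in analyse_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   -", r)
```

Run against the sample, the “account rescue” link is reported three times over (untrusted host, display text that disagrees with the href, and a lookalike of apple.com), the genuine support.apple.com link passes, and the unrelated example.org link is listed only as “not under a trusted domain”, which is the informational tier: legitimate mail routinely carries third-party links, so that reason alone is a prompt to look, while the host mismatch and lookalike reasons are the ones that should trigger a block or a ticket.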

Advise users not to click links or open attachments in emails claiming there is a problem with their account because of GDPR. If they think the notice might be genuine, they should reach the vendor’s site by typing the address or using a bookmark and sign in there rather than through the email.

Royal Wedding Mania

Society’s fascination (insert Royal Wedding hat joke here) with the Royal Family was on full display this past weekend, with midnight viewing parties across America to watch the latest Royal Wedding. Royal Family mania sprawled across the internet and has spilled into this week with clickbait quizzes like “Find Your Fascinator Style” and “What’s Your Royal Name?” Quizzes like these are a social engineer’s dream: under the guise of a fun personality quiz, they can harvest exactly the details that commonly serve as account-recovery security question answers, such as your father’s middle name, your mother’s maiden name, your pets’ names, or the street you live on.

Make sure your users, friends and family stay safe online when looking for Royal Wedding coverage: visit only trusted sites for news and information, and treat quizzes (if they must!) with suspicion, particularly any that ask for the kind of details that double as security question answers.