Phishers Target Businesses with Fake GDPR Compliance Requests

• New phishing campaign uses the European Union’s General Data Protection Regulation (GDPR) compliance as a lure
• Attackers are targeting businesses in several industries
• Emails also target high-profile individuals (executives and upper management)

A new phishing campaign making the rounds is targeting businesses with fake GDPR compliance emails.

Security researchers are sounding the alarm regarding a phishing scheme that tries to harvest credentials from businesses across various industry verticals using the European Union’s General Data Protection Regulation (GDPR) compliance as a lure.

First caught by Area 1 Security on August 31, this phishing message leverages misconceptions regarding the relatively recent, yet stringent data protection law to steal email login credentials from unsuspecting targets.

“The phish uses a classic tactic of creating a false sense of urgency to fool recipients into complying with the request,” researchers said. “The attacker lures targets under the pretense that their email security is not GDPR compliant and requires immediate action. For many who are not versed in GDPR regulations, this phish could be merely taken as more red tape to contend with rather than being identified as a malicious message.”

The sender email address is spoofed to look like an automated message from the targeted company's security department. The email body is nicely formatted, complete with convincing graphics. A keen eye will spot an occasional typo, and discern that the sender is not an authority, but a Gmail user.

Phishers are predominantly launching this campaign at public-facing emails of the targeted companies. To a lesser extent, it targets executives and upper management. The malicious payload is a rigged portal that autocompletes the victim’s email address to pass as a legitimate website and harvest the user’s password.

Organizations are advised to watch out for this phishing campaign and instruct employees to refrain from interacting with such emails. Instead, they should report any suspicious (unsolicited) email to their IT department. As a general rule, businesses big and small should employ a proven cybersecurity solution or, at the very least, business-grade email protection.