Be Prepared for GDPR, and Be Prepared for GDPR-Themed Phishing Attacks

Teams across FireEye have spent a long time preparing for the EU General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. GDPR is meant to protect consumers and their data; however, cyber criminals are exploiting the widespread attention surrounding the regulation to do just the opposite.

Many organizations, as part of their GDPR preparations, are updating their data policies and making those changes clear to their customers, usually by emailing them a statement. Cyber criminals have been taking advantage of the influx of GDPR-related emails being sent to consumers by using the letters as templates for their phishing attacks.

Attackers have been observed targeting customers of organizations large and small across several industries, including financial services and hospitality. The attacks seen so far are designed to steal personal information such as credit card numbers; however, the same lure could just as easily deliver something more damaging if, for example, the attacker tricked the user into downloading malware instead.

In many observed instances, the phishing emails were copied from corporate notices, most likely scraped from the web. To improve the success rate, the sender's domain was chosen to look similar to the organization's official domain (@[organization's name].com). To make the emails appear authentic, the phishing letter also carried the corporation's official logo.
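The look-alike sender domains described above are something a mail gateway or a SOC triage script can check for mechanically. The following is an added example, not code from the original post or from FireEye Email Security: it scores the sender domain of a From: address against a list of domains the organization really sends from, catching digit-for-letter swaps (examp1ebank), single-character edits, Unicode homoglyphs, and the brand name embedded in a different registrable domain (examplebank-gdpr.com, examplebank.com.mail-notice.net). The legitimate domains, the confusable table, the edit-distance threshold and the sample addresses are all constructed for the example, and the "last two labels" rule for the registrable domain is a simplifying assumption that ignores multi-part public suffixes such as co.uk.

```python
"""Flag From: addresses whose domain looks like a legitimate organization's domain.

Added example, not part of the original post. LEGIT_DOMAINS, CONFUSABLES,
EDIT_THRESHOLD and the sample addresses below are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Domains the organization actually sends mail from (constructed for the example).
LEGIT_DOMAINS = ["examplebank.com", "examplehotels.com"]

# Character sequences that phishing domains commonly substitute for their look-alikes.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Largest edit distance that is still treated as a look-alike (assumed value).
EDIT_THRESHOLD = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) computed with a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, drop characters that are not ASCII after NFKD (Cyrillic homoglyphs
    fall away here), then undo the common confusable substitutions."""
    s = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for lookalike, real in CONFUSABLES.items():
        s = s.replace(lookalike, real)
    return s


def registrable(domain: str) -> str:
    """Registrable part of a domain. Assumption: last two labels, which is wrong for
    multi-part public suffixes such as co.uk; a real deployment would use a PSL."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str):
    """Return (verdict, matched_legit_domain_or_None, edit_distance_or_None).

    verdict is "legitimate", "lookalike" or "unrelated".
    """
    _, addr = parseaddr(from_header)          # handles 'Display Name <user@host>'
    domain = addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if not domain:
        return ("unrelated", None, None)

    # Exact match on the registrable domain also accepts legitimate subdomains.
    if registrable(domain) in LEGIT_DOMAINS:
        return ("legitimate", registrable(domain), 0)

    # Small edit distance after undoing confusables: examp1ebank, exemplebank, homoglyphs.
    norm = registrable(normalize(domain))
    best = min(LEGIT_DOMAINS, key=lambda d: levenshtein(norm, d))
    dist = levenshtein(norm, best)
    if dist <= EDIT_THRESHOLD:
        return ("lookalike", best, dist)

    # Brand name embedded in some other registrable domain: examplebank-gdpr.com,
    # examplebank.com.mail-notice.net.
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in domain or brand in normalize(domain):
            return ("lookalike", legit, None)

    return ("unrelated", None, dist)


if __name__ == "__main__":
    # Constructed sample From: headers, including a Cyrillic 'а' (U+0430) homoglyph.
    samples = [
        "Example Bank <notices@examplebank.com>",
        "gdpr@examp1ebank.com",
        "support@exemplebank.com",
        "alerts@ex\u0430mplebank.com",
        "privacy@examplebank-gdpr.com",
        "updates@examplebank.com.mail-notice.net",
        "news@unrelated.org",
    ]
    for s in samples:
        print(f"{s!r:50} -> {classify_sender(s)}")
```

A "legitimate" verdict here only means the domain string matches; it says nothing about whether the message was actually sent by that domain, so the check belongs alongside SPF, DKIM and DMARC evaluation rather than in place of it. The brand-embedded rule is deliberately broad and will also flag partners that legitimately mention the brand in their domain, which is usually acceptable for a triage queue but not for automatic blocking.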

FireEye Email Security offers advanced threat protection against look-alike domains similar to the ones used in these phishing attacks. Along with these types of impersonation attacks, FireEye Email Security detects and blocks email-based malware and URL attacks to help prevent unauthorized access, loss or compromise.

Keep in mind that a single click on a work computer can be enough for an employee to inadvertently give an attacker a foothold in the organization's IT infrastructure. For this reason, it is important that organizations not only use a solution that helps keep these emails out of users' inboxes, but also train users to recognize phishing emails and other email threats.