Published on June 27th, 2018 | by Júlio Ventura0
How GDPR Can Become a Tool for Phishing
Governments adapt to the online world through legislation. Hackers and scammers develop new tactics through flawed legislation. Find out how scammers are using fake GDPR e-mails to collect personal data, a tactic known as phishing.
Before we discuss the new wave of phishing, let’s first talk about how it all started…
The “problems” first arose when the Facebook and Cambridge Analytica scandals were unveiled to the public. Facebook faced a lot of scrutiny over how they handled private data. Although a US-based company, Mark Zuckerberg’s company operates a social media platform that is widely used all over the world. The estimative is around 1.45 billion daily active users  in the first quarter of 2018 alone. Every time we log on to Facebook and exchange data, we are putting our privacy at the hands of a foreign company. Unexpectedly, the Facebook privacy scandal , was the culmination of an on-growing public concern, fed by an also on-growing trend of tech companies to misuse user’s data.
US Tech Companies Misuse of User Privacy Leads to Europe’s New Privacy Law
While the proposal to implement the General Data Protection Regulation (GDPR) started in 2012, a series of public scandals regarding online privacy began prompted it to become a popular issue. The GDPR was adopted by the European Parliament in April of 2016, but after the, already mentioned, Facebook scandal, the regulation became ‘forcefully’ applicable in all the 28 EU countries. It was the European Parliament’s reaction to how user’s data was being stored and used online. It meant companies now had to follow some privacy rules and guidelines when handling EU traffic. Doesn’t matter where the company is based. Handling European traffic? Deal with GDPR.
A Brief Summary on GDPR
Who is Affected by GDPR?
The General Data Protection Regulation applies to all profit and non-profit organizations around the globe that handle, store, or process data of EU citizens and residents, see more of it here. Although some identities address GDPR as being only for EU citizens, in fact, the regulation does not define it to be for citizen nor resident. In reality, the regulation uses the term “Data Subject”. Which is the definition GDPR gives to “Data Subject”? Quoting the actual regulation: “This Regulation applies to the processing of personal data of data subjects who are in the Union” and “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” In summary, if you are in EU territory citizen, regulation will apply, but if you are a EU citizen living in the US, regulation won’t apply.
What Changes With GDPR?
In a very a short answer: GDPR gives EU citizens and residents more control over their personal data. In a longer answer:
“The primary purpose of these regulations is to clear the vagueness and create a transparent environment … the major focus of the GDPR is to strengthen the conditions of consent so that the tech companies are not able to use vague or unclear statements to get you to agree to give them data.” – TechnoFAQ on “GDPR, What, How and Its Consequences on Internet Giants.”
Basically, it forces all organizations that handle such sensitive data to be completely clear and direct on how they store, handle, and process data. The GDPR gives “Data Subject” 6 privacy rights, while fining organizations up to 4% annual global turnover or €20 Million (whichever is greater) if they violate the law. These 6 privacy rights, as stated in the regulation , are:
- Breach Notification – Whenever a security breach occurs, organizations must notify users (either affected by breach or not) in 72 hours.
- Right to Access – User must be informed if any data (personal or not) about him/her is being processed, where and why.
- Right to be Forgotten – User has the right to have any of his/her data deleted from any database, potentially even third parties of the organization in question.
- Data Portability – User can request to see all the data being stored about him/her.
- Privacy by Design – The designing of systems must have privacy as its core, not as an addition to the system.
- Data Protection Officers – Organizations now must have internal recording keeping requirements, and a Data Protection Officer may or may not be mandatory to an organization. Depending on their scale and use of data.
The Week All Europeans Got Their Inbox Invaded by GDPR Related E-mails
As a citizen and resident of Portugal, I too was bombarded with GDPR related e-mails by every single website, newsletter, forum, e-commerce site, etc, I ever signed up to. If you live outside of the EU, you probably don’t know what I’m talking about. But it happened to every user residing in the EU using any GDPR-regulated service. As stated in the “Right to Access”, all organizations had to notify their users about privacy changes and how they handle our data, and of course what data is that. Doesn’t matter if its personal data or not, they had to inform us under the risk of taking a big penalty.
What is Phishing and How Does it Play into This?
We have discussed how it all started, what it means, what affects does it have. The question now is, how can GDPR become a scam tool? Well, there is a reason why I mentioned (and showed you) my e-mail box. One of the hackers and scammers, preferable method of spreading phishing attacks is e-mail. You can do a mail-shot targeting and have thousands of potential victims in minutes. What better way to hide a phishing attack then on a private data related e-mail? Yes, the darker side of the web was also paying attention to the GDPR.
But… what is Phishing?
It’s a method used by hackers and scammers to send e-mails pretending to be from reputable organizations in order to induce individuals to reveal personal information. E.g. user receives a fraudulent e-mail purporting to be his/her bank company asking for personal data and/or, often, linking to a fake clone-website that steals login info (username and password) once you try to login (and of course fail to do so).
As reported last month by Independent , fraudsters have been posing as banks in data protection related e-mails to steal data. Although at first one may think will never fall for this, some e-mails are so well disguised that their success rate of stealing info is very high. Especially if you get your inbox filled with GDPR e-mails everyday and you actual open and comply without checking authenticity. It is a very common issue. One that gives a lot of value to fraudsters.
If you wish to learn how to recognize and avoid online scams, follow the link, as we have already written about it on TechnoFAQ. Don’t take your security lightly. I hope you found this article useful, don’t forget to share it with your friends and warn them about this scam. Have a great day!