You’ve probably noticed a lot more privacy-related emails coming in over the last few weeks. This is a classic example of last-minute planning, as every company operating in Europe scrambles to ensure it’s GDPR-compliant ahead of the 25 May start date.
READ NEXT: What is GDPR?
It’s in this tidal wave of junk mail that enterprising criminals are trying to hide in plain sight, somewhat ironically taking advantage of our privacy policy fatigue to steal personal data.
Researchers are Redcan uncovered one such email purporting to be from an Airbnb host claiming that they’re not able to accept the user’s (non-existent) booking until they accept a new privacy policy.
“This update is mandatory because of the new changes in the EU Digital privacy legislation that acts upon United States-based companies, like Airbnb in order to protect European citizens and companies,” the message reads, in a text that will be tediously familiar to anyone with an active email address.
Of course, clicking a link which claims to accept a new privacy policy does no such thing – instead leading you to a page encouraging you to enter your personal information: login, payment card information and all. What happens next isn’t certain, but it’s likely you’ll be subject to fraud or theft, and your details may well be sold on the dark web too.
“The irony won’t be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people’s data,” said Mark Nicholls, Redscan’s director of cybersecurity.
“Scammers know that people are expecting exactly these kinds of emails this month and that they are required to take action, whether that’s clicking a link or divulging personal data. It’s a textbook phishing campaign in terms of opportunistic timing and having a believable call to action.”
To confuse matters slightly, Airbnb has been sending out its own GDPR-related messages, but there are a number of telltale differences. First, the email address is a legitimate “@airbnb.com” rather than the more suspect “@mail.airbnb.work”. Secondly, Airbnb’s own messages are far more detailed and don’t ask you to enter your credentials, just to agree to new terms of service.
In a statement, Airbnb told Alphr: “These emails are a brazen attempt at using our trusted brand to try and steal user’s details, and have nothing to do with Airbnb.
“We’d encourage anyone who has received a suspicious looking email to report it to our Trust and Safety team on report.phishing@airbnb.com, who will fully investigate. We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites.”
It wouldn’t be surprising if more cybercriminals used GDPR fatigue as a way of getting tired users to be less vigilant than they usually would, so keep an eye out for suspect-looking emails, check URLs and think twice before entering your personal details anywhere. If in doubt, contact the service the email is claiming to be from. Airbnb, for its own part, has a guide of what to look out for in legitimate emails, which you can read here.
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
