Gardaí warn of possible rise in email scams related to new data law

Criminals using introduction of General Data Protection Regulation as cover to harvest personal information

Gardaí have warned of a possible rise in scam emails taking advantage of the introduction of a major new EU privacy law as a cover to harvest people’s personal information.

So-called “phishing” emails purporting to come from the short-term letting site Airbnb have been circulating, asking customers to update their subscriptions to comply with the General Data Protection Regulation (GDPR), which will be enforceable from Friday.

While there are no reports of any such incidents in Ireland to date, a number have been reported throughout Europe.

A Garda spokesman said the advent of GDPR would see online customers being asked by their service providers to update personal user agreements so that their services, such as email updates or record maintenance, can be continued.

“However, cybercriminals will also see this as an opportunity to exploit those agreements and send fake GDPR notices to customers asking them to confirm login or personal information via online links so that they can continue to use the service being provided,” he said.

“Recent enquiries have already identified a string involving the sending of fake notices which allege to be from Airbnb asking customers to update details in order to continue their agreement.”

The spokesman said clicking on fake or fraudulent links within a phishing email could result in redirections to fake or infected sites for attacks targeting specific online users or organisations.

Malicious attachments

They could also contain malicious attachments which appear to be GDPR-related documents or invitations which attack the network or system, or they might request private or personal and financial information such as account details, credit card details or passwords.

The scams could also involve the harvesting of email account details which could be exploited for marketing or junk mail campaigns.

He said the Garda National Cyber Crime Bureau advised caution before following any link which asked for personal or financial data or before responding to any such emails.

People should ensure they had an agreement with the service sending the email and that the email address was genuine and from the provider.

They should also check that the link within the email was genuine by either hovering over it to ensure it leads to where it says it does, or by checking the page it leads to and its contents.

If still unsure, they should contact the service provider or organisation and confirm that they sent the email. The crime bureau also said people should never supply banking or financial information via email.

The regulation, first proposed by the European Commission in 2012 and adopted in 2016, imposes stringent new rules for organisations to make them more accountable for how they handle personal data.

It also creates new and enhanced rights for individuals, known as “data subjects”, such as a so-called “right to be forgotten” allowing them to have their personal data erased in certain circumstances.

The regulation applies not only to organisations within the EU, but also to those outside it where they offer goods or services to data subjects in the EU, or where they monitor the behaviour of data subjects and that behaviour takes place within the EU.