In response to the news that the police are warning that the EU GDPR has prompted a wave of scam messages as fraudsters masquerade as banks to trick Brits into handing over their payment details, IT security experts commented below.
Mark James, Security Specialist at internet security firm ESET:
“As with any special event that attracts large amounts of interest, you will always find scammers and malicious actors trying to take advantage. Some utilise a “fan” interest like an annual sports event or a heart-touching event that encourages public interaction. However, one thing we can always be sure of is a steady flow of fake or scam emails trying to blend in with the official ones and trick the end user.
GDPR falls perfectly into this category: the public are expecting these emails, so they are not out of the blue.
It’s not always easy to determine if emails are good or bad, but we should always double-check the contents of any email, especially before submitting any personal or private information. If you have any doubts, then I would contact the original company by a separate means and verify why they want that data.”
Javvad Malik, Security Advocate at AlienVault:
“It is common for phishing scams to increase in the wake of any change, event or natural disaster. Therefore, unfortunately, it is not uncommon for scammers to take advantage of an event like the implementation of GDPR to come out in force to try and swindle unsuspecting users.
Despite GDPR, the usual rules apply, whereby users should remain vigilant of all emails and what is being requested. Most organisations, such as a bank, will not communicate anything related to the account via email and will not ask for personal information or passwords in an email. If in doubt, users should contact their bank through their usual channels to validate.”
Ben Herzberg, Director of Threat Research at Imperva:
“These issues will probably be temporary until these companies get over the obstacles and set up their services in the right way. Complying with GDPR (as well as other privacy regulations) is challenging, especially for global organizations. We ourselves had to spend months of work to make the necessary adjustments for ourselves and for our customers. Regarding the regional blocking that was applied, it is not completely bullet-proof. I’m pretty sure that European users are already using international proxies or VPN services to be able to still access these services. Although meeting GDPR isn’t trivial, companies have had more than a year to get ready. And while it’s unfortunate that these companies aren’t yet ready, the fact that companies are in fact concerned enough about GDPR consequences that they will shut down parts of their global business speaks highly of the motivation GDPR has created for increased security.”