With the EU's General Data Protection Regulations (GDPR) going into effect in just three weeks, many organizations are alerting customers to changes in their privacy policies and terms of service. Hackers are taking advantage of this opportunity to turn legitimate announcements into phishing campaigns.
Airbnb announced to its users that changes to their policies will go into effect on 25 May 2018. Scammers then mimicked that email distribution with a specious email asking customers to update their account information.
According to the security firm Redscan the hackers are attempting to spread malware and steal the personal data of Airbnb customers by fooling them into following malicious links in phishing emails and entering their personal information into a system that the hackers control.
In a prepared statement, Airbnb wrote, “These emails are a brazen attempt at using our trusted brand to try and steal users’ details, and have nothing to do with Airbnb."
Those who have received what they think might be a fraudulent message are encouraged to report it to report.phishing@airbnb.com. Airbnb confirmed that before the phishing scam, no bad actors had gained access to Airbnb user details and that it works closely with external partners to help report fake websites.
"The irony won't be lost on anyone that cybercriminals are exploiting the arrival of new data protection regulations to steal people's data," said Mark Nicholls, director of cybersecurity at Redscan.
Phishing scams are increasingly becoming more difficult to recognize because hackers are getting better at tricking users. They are using more sophisticated tactics in order to dupe people into sharing personal information. As a result, it is becoming increasingly difficult to track the bad guys.
"Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance," said Paul Edon, director at cybersecurity firm Tripwire.
Because attackers prey on the inherent trust of the email recipients, Edon said, "The best way people can help avoid future attacks is to educate themselves about the risks and consequences of clicking unknown links and attachments.”
Customers are advised to always check the sender's email address for the very small discrepancies that are indicators of fraud. "If you do click a link in the email, check the website address you are directed to. If it’s not Airbnb.com, it’s likely to be a copycat website. You can always enter https://www.airbnb.com into your browser to access our website," Airbnb said.