All of these GDPR notices are overwhelming. Unless you have been living under a rock, you already know that May 25th 2018 is the date by which organizations must be in compliance with the new regulation, the General Data Protection Regulation. In short, GDPR is a compliance regulation designed to strengthen data protection and privacy for all individuals within the European Union. With all of the good intentions behind GDPR come some really bad situations for everyone, including the people it is intended to protect. Let’s talk more about why GDPR is the perfect phishing scam and understand how hackers will take advantage of this situation.
Why GDPR is a perfect phishing scam
GDPR requires an explicit request for consent. This means that filling out web forms and other activities online require consent to collect and store personal information and to market to those individuals. Otherwise, the business or organization doing so is at risk of “violating” the GDPR regulation. A perfect phishing scam will ask for exactly that. I am sure you have been seeing them appear in your mailboxes.
“Due to updated regulations, we require you to opt-in to receive communications from us.”
Our team has been analyzing and collecting these emails to make them available as templates in our phishing simulator, but it’s important we look at the underlying problem here. This type of communication is very difficult for your employees to defend against. Think about how hard it will be for your marketing team to resist an email that appears to come from Google Analytics and states plainly that you will no longer receive analytics on your account if you don’t click this button. Or imagine your HR team getting an email about employee records being out of compliance in their HR system.
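The lure the post describes combines three things: regulatory-consent wording, a threatened loss if you do not act, and a link to click. The following triage script is an added example, not code from this post or its phishing simulator; it scores a raw single-part HTML email on those signals plus two classic link checks (anchor text that looks like one URL while the href points elsewhere, and a link domain that does not match the sender domain). The phrase lists, weights, threshold and both sample messages are constructed for the example, and the sender addresses and link hosts in them are placeholders.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Signal vocabularies, assumed for this example: regulatory-consent wording,
# loss-or-deadline framing, and a request to act. Extend them from real samples.
REGULATION_PHRASES = ("gdpr", "updated regulations", "data protection",
                      "opt-in", "opt in", "consent", "out of compliance")
URGENCY_PHRASES = ("no longer", "will be suspended", "within 24 hours",
                   "immediately", "lose access", "deadline")
ACTION_PHRASES = ("click", "confirm", "verify", "update your", "button", "link below")
FLAG_THRESHOLD = 5  # assumed cut-off for this example


class _LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def _host(value):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _registrable(host):
    """Crude eTLD+1 (last two labels); fine for a prototype, not for production."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


@dataclass
class Verdict:
    score: int
    flagged: bool
    reasons: list = field(default_factory=list)


def triage(raw_message: str) -> Verdict:
    """Score a single-part text/html message for GDPR-lure phishing signals."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    sender_domain = _registrable(parseaddr(msg.get("From", ""))[1].split("@")[-1].lower())

    score, reasons = 0, []
    for label, phrases, weight in (("regulatory consent wording", REGULATION_PHRASES, 2),
                                   ("urgency or loss framing", URGENCY_PHRASES, 2),
                                   ("request to act", ACTION_PHRASES, 1)):
        hits = [p for p in phrases if p in text]
        if hits:  # each category counts once, however many phrases hit
            score += weight
            reasons.append(f"{label}: {hits}")

    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, anchor in extractor.links:
        href_host = _host(href)
        # Anchor text that looks like a URL but whose href goes somewhere else.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", anchor, re.I) and _host(anchor) != href_host:
            score += 3
            reasons.append(f"link text {anchor!r} but href host {href_host!r}")
        if sender_domain and _registrable(href_host) != sender_domain:
            score += 2
            reasons.append(f"link domain {href_host!r} differs from sender domain {sender_domain!r}")

    return Verdict(score, score >= FLAG_THRESHOLD, reasons)


# Constructed samples: a GDPR consent lure with a spoofed display name and a
# look-alike link, and a benign internal notice that also mentions GDPR.
PHISH_SAMPLE = (
    "From: Google Analytics <no-reply@google.com>\n"
    "Subject: Action required: consent to keep receiving reports\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Due to updated regulations, we require you to opt-in to receive communications from us. "
    "You will no longer receive analytics on your account if you do not click the button below.</p>\n"
    '<a href="http://analytics-consent.example.net/optin">https://analytics.google.com/settings</a>\n'
)
BENIGN_SAMPLE = (
    "From: IT Helpdesk <helpdesk@example.com>\n"
    "Subject: Lunch and learn: what GDPR consent means for our forms\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Slides from today's session on GDPR consent are on the intranet. No action needed.</p>\n"
    '<a href="https://intranet.example.com/gdpr-slides">intranet.example.com/gdpr-slides</a>\n'
)

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = triage(sample)
        print(name, verdict.score, "FLAG" if verdict.flagged else "ok", verdict.reasons)
```

The point of the two samples is that GDPR vocabulary on its own is not a signal, since legitimate mail will use it heavily around the deadline; the lure is separated from the benign notice by the combination of loss framing, a call to act, and links whose real destination does not match what they claim.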
Training your employees is a critical part of your business. The processes and procedures they follow will more than likely change, not only because of GDPR, but for other regulations as they come down the road. You should be consciously weighing the processes that are in place against the types of attacks that are targeting your employees. For example, if your organization requires employees to click links to access certain data, you are most certainly increasing the risk of them falling for a phishing scam by accident. Since employees have never experienced a GDPR notification requesting consent before, they will probably fall victim to one unless they are trained not to. Take precautionary measures with your employees to defend against GDPR phishing attacks by giving them the foundational knowledge to understand the reasoning behind GDPR notifications. Educating your employees will help them defend against these GDPR phishing attacks and against others that use a sense of urgency to bait their victims.
What does GDPR consent really look like?
If consent is used as the lawful basis for processing, consent must be explicit for the data collected and the purposes the data is used for. Data controllers must be able to prove “consent” (opt-in), and consent may be withdrawn. Basically this means you need permission before you start handling someone else’s information in the EU.
GDPR consent has a number of implications for businesses that record phone calls. The typical “this call will be recorded for training purposes” warning will no longer be sufficient to establish consent to record calls. Even after a recording has concluded, the caller may withdraw their consent. Somehow the agent receiving the call must be able to stop a previously started recording and ensure the recording does not get stored. And you thought it was hard to find an email from a colleague in your mailbox!
This isn’t just a one-way street. When a right-to-erasure request comes in, for example, the entity must handle it. Think about it. How is your team going to review and accept GDPR requests and complaints? What does the process look like? Do you have an in-app request? Do people call you? How would every single employee confirm what a legitimate request looks like? These are all really tough questions for an organization to answer. They are also a perfect precursor to a targeted phishing attack based on GDPR communications.
In conclusion, the GDPR regulations are a step in the right direction, but they come with a poor implementation plan for businesses of all shapes and sizes across the world. Hackers are going to take advantage of this situation and will continue to over the coming years. Your goal is to have your employees use critical thinking when receiving an email from any system or person.
An employee’s first instinct should not be to click on anything that comes to their mailbox just because it looks like they are in trouble. A strong phishing awareness training program is designed to build this defensive habit in your employees and encourage them to use critical thinking when dealing with these types of attacks. Make sure you discuss this topic with your employees and make them aware that this scam will continue to threaten organizations across the world.