Organizations should be on the lookout for GDPR-themed phishing lures, according to Mike Puglia, Chief Product Officer at Kaseya. In an article for ITProPortal, Puglia explains that GDPR compliance is something most organizations worry about, and scammers know it. An email alleging a possible GDPR violation would catch the attention of many employees, particularly executives and others responsible for ensuring compliance. The tactic is especially effective because ignoring such a warning, if it were legitimate, could have legal consequences down the road.
“The complex nature of GDPR requirements, regulations, and guidance is a source of stress,” Puglia says. “With stories regularly hitting the press about big fines for data privacy violations, these factors have combined to create a situation that makes businesses more likely to look for advice from a firm that specializes in GDPR compliance, especially when making changes to their cybersecurity suite.”
Puglia describes a recent phishing scam that told recipients their organization was out of compliance and conveniently offered to help them fix the problem.
“No one wants the headaches that come with non-compliance, so they’re likely to be receptive to the fake offer of ‘help’ with their company’s ‘problem,’” Puglia says. “All of this is presented very reasonably, making it an easy social engineering attack to fall for. Some variations of the scam even spoof internal company emails, with the cybercriminals posing as corporate IT techs that are performing routine maintenance, including the right graphics, header, signatures, and other details that make it convincing. Targeted executives or other power users may even arrive at a landing page that’s personalized just for them, with many relevant details already populated so they only need to provide a few things to finalize the upgrades.”
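The spoofed "internal IT" variation Puglia describes is the one a mail gateway can catch mechanically: a From: header that claims the company's own domain while the message did not actually originate there. The script below is an added example, not code from the article or from Kaseya; it classifies raw messages using the Authentication-Results header a receiving mail server stamps on inbound mail (DMARC pass means the From: domain is aligned with an authenticated SPF or DKIM identity), and adds a secondary GDPR-lure keyword flag. The internal domain `example.com`, the lure term list, and the three sample messages are all constructed for the example.

```python
"""Flag inbound mail that claims an internal sender but fails DMARC, and
mark GDPR-themed subject lines for review. Added example; assumptions:
the protected organisation's domain and the lure term list below."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed: the organisation's own domain
LURE_TERMS = ("gdpr", "non-compliance", "violation", "data protection")  # assumed


def _domain(addr_header):
    """Domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map spf/dkim/dmarc -> result parsed from Authentication-Results."""
    value = str(msg.get("Authentication-Results", "")).lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))


def classify(raw):
    """Return indicators and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])
    auth = auth_results(msg)

    # A message claiming the internal domain must carry a DMARC pass from
    # our own gateway; a missing header counts as a failure, not a pass.
    claims_internal = from_domain == INTERNAL_DOMAIN
    spoofed_internal = claims_internal and auth.get("dmarc") != "pass"

    subject = str(msg.get("Subject", "")).lower()
    lure_terms = [t for t in LURE_TERMS if t in subject]

    if spoofed_internal:
        verdict = "block"
    elif lure_terms:
        verdict = "review"      # external but GDPR-themed: human review
    else:
        verdict = "deliver"

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "return_path_mismatch": return_path_domain != from_domain,
        "auth": auth,
        "spoofed_internal": spoofed_internal,
        "lure_terms": lure_terms,
        "verdict": verdict,
    }


# Constructed sample messages (not real traffic).
LEGIT_INTERNAL = """\
Return-Path: <it-helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: IT Helpdesk <it-helpdesk@example.com>
To: cfo@example.com
Subject: Scheduled maintenance window tonight

Routine notice.
"""

SPOOFED_INTERNAL = """\
Return-Path: <bounce@gdpr-compliance-alerts.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gdpr-compliance-alerts.net; dkim=none; dmarc=fail header.from=example.com
From: IT Support <it-support@example.com>
To: cfo@example.com
Subject: Action required: GDPR non-compliance found during routine maintenance

Please finalize the upgrade at the link below.
"""

EXTERNAL_LURE = """\
Return-Path: <advisor@gdpr-advisory.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gdpr-advisory.net; dkim=pass header.d=gdpr-advisory.net; dmarc=pass header.from=gdpr-advisory.net
From: Compliance Desk <advisor@gdpr-advisory.net>
To: ceo@example.com
Subject: Your organisation is in violation of GDPR - we can help

We found a problem.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_INTERNAL), ("spoofed", SPOOFED_INTERNAL),
                      ("external lure", EXTERNAL_LURE)]:
        r = classify(raw)
        print(f"{name:14} verdict={r['verdict']:8} dmarc={r['auth'].get('dmarc')} "
              f"lure={r['lure_terms']}")
```

The DMARC result is the load-bearing check: a Return-Path that differs from the From: domain is only an indicator, since legitimate mail sent through a third-party service can be aligned via DKIM and still pass. The keyword flag is deliberately a "review" rather than a "block", because a real GDPR notice from counsel or a regulator would match the same terms.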
Puglia concludes that education can help employees avoid falling for social engineering tactics.
“Security awareness training can lower a company’s chance of experiencing a damaging cybersecurity incident, but this only works if it’s regularly refreshed,” he says. “A recent experiment found that subjects only retain the awareness created by phishing resistance training for about four months before improvements are lost.”
New-school security awareness training with realistic phishing simulations can provide your organization with a vital layer of defense.
ITProPortal has the story.