Social engineering follows seasonal patterns. It's also connected to major events. We see this every year with holiday-themed phishing attacks between Thanksgiving and New Year's Day.
We're seeing it now with this week's implementation of GDPR, the European Union's General Data Protection Regulation. GDPR takes effect on May 25th. In this case the phishbait is the claim that Apple is proactively preparing to better protect your data.
This sophisticated phishing scam targets Apple users, threatening them with account suspension. If your user falls for this social engineering tactic and is manipulated into trying to head off the supposed negative consequence, they're redirected to an "account rescue site" which of course is set up to extract credentials and other personal financial information.
The phishing website is a legitimate-looking but bogus Apple site. It presents itself as a place where the users can rescue their account from being "restricted."
In addition to looking legitimate, this website is more sophisticated than most phishing sites because the bad guys correctly set the web directory permissions and encrypted the spoofed site using the Advanced Encryption Standard (AES), allowing it to bypass some anti-phishing tools embedded in antivirus solutions.
One of the things the victims are asked to do is "update payment details." Once they've entered the requested information, the scammers say, the victims will see their accounts "returned to normal". Upon completion the victims are asked to click a button labeled "unlock." Doing so sends the information they've just entered directly to the scammers.
The site looks legitimate, but as usual there are red flags. First, the phishing emails were not all that highly targeted: some of the recipients aren't even Apple users. Second, the URL is off. For all of its convincing appearance, it's not an Apple site at all.
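As an added illustration of the "URL is off" red flag (example code, not from the original post): a small Python checker that pulls links out of an email body and flags any that name the brand but do not land on its registrable domain. The hostnames in the sample message are constructed, and apple.com is assumed to be the only legitimate brand domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample lure of the kind described above, plus one genuine link.
# The hostnames are made up for illustration; none is a real indicator from the post.
SAMPLE_EMAIL = """Dear customer, your Apple ID will be restricted under GDPR.
Unlock it here: https://appleid.apple.com.account-rescue.example/unlock
Or review our policy: https://www.apple.com/legal/privacy/
Alternative: http://apple.com@login-verify.example/secure
"""

# Registrable domains the brand actually uses (assumption: only apple.com here).
BRAND_DOMAINS = {"apple.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels, e.g. 'apple.com.evil.example' -> 'evil.example'.
    Good enough for .com-style TLDs; a public-suffix list would handle co.uk etc."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> tuple[str, bool]:
    """Return (effective hostname, is_suspicious). A link is suspicious when the
    brand name appears somewhere in the URL (subdomain tricks, user@ tricks,
    lookalikes) but the host is not on a brand domain."""
    parsed = urlparse(url)
    host = parsed.hostname or ""  # .hostname drops 'user@' and ':port' for us
    brand_mentioned = any(b.split(".")[0] in url.lower() for b in BRAND_DOMAINS)
    on_brand_domain = registrable_domain(host) in BRAND_DOMAINS
    return host, brand_mentioned and not on_brand_domain


def flag_links(text: str) -> list[tuple[str, str]]:
    """Extract URLs from an email body; return (url, hostname) for suspicious ones."""
    flagged = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host, suspicious = classify_url(url)
        if suspicious:
            flagged.append((url, host))
    return flagged


if __name__ == "__main__":
    for url, host in flag_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {url}  (really goes to {host})")
```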
Companies worldwide are indeed working on becoming GDPR compliant (part of that: train your users!) and trying to make sure that the people whose data they've collected have in fact consented to give them their information. Criminals are aware of this and are following suit. You should remind your users that GDPR is indeed taking effect this week, but that they should be wary of this flavor of social engineering.
The Royal Wedding Is A Social Engineer's Dream
And obviously, this weekend's royal wedding is a social engineer's dream. Wedding fever has taken over the net and a variety of scams and attempts to steal personal information are out there.
For example, there are quizzes out there that ask for your "Royal Wedding Guest Name" and then want your mother's or father's middle name, pet names, the street they live on, and the like.
I suggest you send this email to your employees, friends and family. Feel free to copy/paste/edit:
Be on the lookout for a new Apple-flavored email phishing Scam of the Week. A new European data privacy regulation is going into effect this week. It's called the General Data Protection Regulation (GDPR), and bad guys are using it as bait in a variety of ways. This scam looks like it is from Apple and claims that if you do not take action, your account will be "restricted". In reality, it steals your identity and credit card information.
And then there is the royal wedding. It's a scammer's dream so be very careful. Go to trusted websites to get information and news about it.
Do not click on links in emails or on social media related to the royal wedding, and do not open suspicious attachments that claim any kind of problem with "GDPR". Delete the email, or click on the Phish Alert Button to forward it to IT and delete it from your inbox.
Let's stay safe out there.
Founder and CEO