Hackers have been exploiting the imminent GDPR deadline to target Airbnb users with a phishing scam aimed at spreading malware and stealing personal data.
With the impending GDPR deadline just weeks away, businesses across the globe have been rushing to ensure that they have clear consent from customers to store and process their personal data.
Not ones to miss a trick, opportunistic cybercriminals have taken full advantage of the mass of GDPR emails flooding into people’s inboxes to trick users into handing over personal information and credit card details.
Researchers at Redscan uncovered the GDPR phishing scam, which is predominantly targeting business email addresses. The email appears to come from Airbnb’s customer support department and requests that recipients update their personal information to be able to continue using Airbnb’s services.
Those who click on the link are asked to enter their personal information, including account details and payment card information. The hackers will then use this information to deliver malware, commit identity fraud or sell the details on the dark web.
Real and Fake Airbnb Emails (Source: Hubspot / Redscan)
Airbnb has been sending out legitimate emails to customers informing them of the changes to policies that will come into effect on 25 May. However, these emails are much more detailed and do not ask users to enter any personal information, but simply to agree to the new terms of service.
Customers have been advised to check the sender’s email address for the very small changes that may indicate fraud. Although the fake emails appear legitimate, the sender’s domain name is different. The fake messages come from ‘@mail.airbnb.work’ as opposed to ‘@airbnb.com’.
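The sender check described above can be automated at a mail gateway or in a triage script. The following is an added example, not code from Redscan or Airbnb; it assumes ‘airbnb.com’ and its subdomains are the only legitimate sending domains, and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the only legitimate sending domain is the one the article names.
TRUSTED_DOMAIN = "airbnb.com"
BRAND = "airbnb"

# Constructed sample From headers (local parts and display names are made up).
SAMPLE_HEADERS = [
    "Airbnb <support@airbnb.com>",
    "Airbnb Customer Support <support@mail.airbnb.work>",
    "Airbnb <billing@airbnb.com.example.net>",
    "Airbnb Support <help@example.org>",
    "Newsletter <news@example.org>",
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From header, or '' if unparsable."""
    _name, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""


def classify_sender(from_header: str) -> str:
    """Classify a From header as trusted, lookalike, unrelated or invalid."""
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    # Exact match or a true subdomain only. A bare suffix test would
    # wrongly accept a domain such as "notairbnb.com".
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    display_name, _addr = parseaddr(from_header)
    # Brand name inside another domain, or only in the display name:
    # the mismatch the article tells readers to look for.
    if BRAND in domain or BRAND in display_name.lower():
        return "lookalike"
    return "unrelated"


def triage(headers):
    """Map each From header to its classification."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:10} {header}")
```

The From header is chosen by the sender, so this check complements SPF, DKIM and DMARC results and does not replace them.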
Airbnb has responded to the scam by saying: “These emails are a brazen attempt at using our trusted brand to try and steal users’ details and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious-looking email to report it to our Trust and Safety team on firstname.lastname@example.org, who will fully investigate.”
Despite the increasing sophistication of phishing emails, there are a number of signs to look out for that might indicate a fraudulent message. These include a generic greeting, threatening language, spelling mistakes, poor grammar, a mismatched URL or a request to enter or update personal data.