A new flurry of GDPR compliance scams shows how cybercriminals keep evolving their tactics to exploit human error and capitalize on fear and confusion.
Phishing is the number one threat to cybersecurity today. Cybercriminals are constantly revising and improving their tactics to take advantage of changing circumstances, and a new flurry of GDPR compliance phishing scams underscores their ability to capitalize on human error, as we saw this year.
Bad actors specialize in exploiting fear, uncertainty, complexity, chaos, and misinformation. The COVID-19 pandemic was exactly the kind of turbulent world event that allowed bad actors to flourish. However, an event or concern doesn’t have to be this epic to fuel cybercrime. Savvy cybercriminals can use social engineering to turn something as routine as compliance into a phishing gold mine.
GDPR is a ghost that haunts many compliance officers and business owners. The sheer volume of commentary on the subject lets inaccurate information spread widely. The complexity of the GDPR's requirements, regulations and guidelines is a source of stress. With heavy data breach fines regularly reported in the press, these factors combine to make businesses more likely to seek advice from a company that specializes in GDPR compliance, especially when they are making changes to their cybersecurity suite.
This is exactly what has happened recently to many companies that operate under the GDPR umbrella. Seemingly helpful firms that specialize in GDPR compliance write to inform companies that the email security system they currently use does not meet today's standards for GDPR compliance. In one example, a supposed GDPR compliance firm claimed to have discovered a problem and offered to help the "non-compliant" company resolve it quickly.
Except that they're not really GDPR compliance specialists or even real service companies – they're cybercriminals, and the only thing they deliver is a cybersecurity disaster. These messages are particularly likely to be directed at business owners, executives, and others in the organization who can be expected to have highly privileged email accounts, which is what gives the bad guys the maximum return on their email scam investment.
These are low-hanging fruit. GDPR regulations are known to be strict, notoriously complicated and full of bureaucracy, so it's not a hard sell. Nobody wants the headache that comes with non-compliance, and targets are therefore likely to be susceptible to a bogus offer of "help" with their company's "problem".
The cybercriminals then move quickly, using very compelling messages and landing pages to urge the target to fix the problem by entering some information and handing over their email credentials. Typically, these scams use a poisoned link to trick victims into filling out an HTML form or providing information that the "specialist" supposedly needs to make the necessary changes. Unfortunately, this also includes the credentials for the target's email account.
All of this is presented very reasonably, making it a simple social engineering attack to fall for. Some variations of the scam even spoof internal company emails, with the cybercriminals posing as the company's IT technicians doing routine maintenance and including the right graphics, headers, signatures, and other details that make the message convincing.
Targeted executives or other key users may even end up on a landing page that is personalized just for them. Many of the relevant details are already filled in, so the target just needs to provide a few things to "complete the upgrades". However, small defects often allow attentive employees to spot the fake. Some possible hints are:
Generally, a recipient aware of cybersecurity threats, particularly phishing scams, can easily tell that the message wasn't actually from their company's internal IT department, or even from a legitimate company – and in doing so save their company from an expensive, messy disaster.
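The tells the article describes (a sender domain that only resembles the company's own, link text that shows one address while the link points somewhere else, and a form that sends a password to an outside host) can be checked mechanically as well as by eye. The following is an added example written for this page, not code from the article or from any vendor it mentions; the company domain `acme.example`, the lookalike domains and the sample message are all constructed for the demonstration.

```python
"""Flag common phishing tells in an HTML email: lookalike sender domain,
link text that disagrees with its href, and password forms posting off-site."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "IT maintenance" variant described above.
# The domains are invented for this example.
SAMPLE_FROM = "ACME IT Helpdesk <helpdesk@acme-it-support.example>"
SAMPLE_HTML = """
<p>Your mailbox security settings do not meet current GDPR standards.</p>
<p>Please confirm your account here:
<a href="http://acme-compliance-update.example/login">https://mail.acme.example/upgrade</a></p>
<form action="http://acme-compliance-update.example/submit" method="post">
  <input type="text" name="user" value="j.doe">
  <input type="password" name="pass">
</form>
"""


class _LinkFormCollector(HTMLParser):
    """Collect (href, visible text) for anchors and (action, has_password) for forms."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._href = None          # href of the anchor currently open, if any
        self._text = []
        self._form_action = None   # action of the form currently open, if any
        self._form_has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "form":
            self._form_action, self._form_has_password = a.get("action", ""), False
        elif tag == "input" and self._form_action is not None:
            if (a.get("type") or "").lower() == "password":
                self._form_has_password = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "form" and self._form_action is not None:
            self.forms.append((self._form_action, self._form_has_password))
            self._form_action = None


def _host(url):
    """Hostname of a URL, lowercased; empty string for relative or malformed URLs."""
    return (urlparse(url.strip()).hostname or "").lower()


def _same_org(host, trusted_domain):
    """True only for the trusted domain itself or a real subdomain of it."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def scan_sender(from_header, trusted_domain):
    """Flag a From: address whose domain is not the company's own."""
    _name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not _same_org(domain, trusted_domain):
        return [f"sender domain {domain!r} is not {trusted_domain!r}"]
    return []


def scan_html(body, trusted_domain):
    """Return a list of human-readable findings for an HTML body."""
    parser = _LinkFormCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        # Only compare when the visible text itself looks like a URL.
        text_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host!r} but points to {href_host!r}")
        if href_host and not _same_org(href_host, trusted_domain):
            findings.append(f"link to external host {href_host!r}")
    for action, has_password in parser.forms:
        action_host = _host(action)
        if has_password and not _same_org(action_host, trusted_domain):
            findings.append(f"password form submits to {action_host or 'unknown'!r}")
    return findings


if __name__ == "__main__":
    for line in scan_sender(SAMPLE_FROM, "acme.example") + scan_html(SAMPLE_HTML, "acme.example"):
        print("WARNING:", line)
```

Run against the constructed sample, the scan reports the lookalike helpdesk domain, the anchor whose text says `mail.acme.example` while its href goes to `acme-compliance-update.example`, and the password form that posts to that outside host. The subdomain check in `_same_org` deliberately requires a dot before the trusted domain so that `acme-compliance-update.example` is not mistaken for part of `acme.example`.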
How do cybercriminals get this data? Unauthorized access can usually be traced back to an insider threat like phishing or password compromise. By regularly updating security awareness training, organizations can reduce the likelihood of insider threats like this one that enable cybercriminals to deploy ransomware or steal data.
Planning a data loss prevention strategy isn't all about malicious insiders. Well-intentioned but careless employees can easily do as much, if not more, damage than a malicious insider – human error is the number one cause of data loss. Data loss prevention solutions reduce the risk of an employee's mistake leading to a data breach.
How can companies be sure that every user on their network is alert to these small mistakes? Through consistent, effective security awareness and phishing resistance training. Security awareness training can reduce a company's likelihood of a malicious cybersecurity incident occurring. However, this only works if it is updated regularly. A recent experiment found that subjects retained the awareness created through phishing resistance training for only about four months before the improvements were lost.
Cybersecurity will never be the same after this year’s events. The global pandemic and economic consequences have made the dark web more dangerous than ever. Therefore, it is important to analyze everything that may have gone wrong in the past, especially at the intersection between cybersecurity and COVID-19, in order to be prepared for possible future cybersecurity challenges.
While 2020 was a banner year for cybercrime, especially ransomware, companies that have invested in protecting against digital risks are better placed to address the growing number of cybersecurity threats. From security awareness training to backup and disaster recovery solutions, organizations must take a comprehensive approach to security to ensure that no weak spots are left in their defenses.
ITProPortal is part of Future plc, an international media group and leading digital publisher.