A GDPR phishing scam has been detected targeting Airbnb customers. The GDPR-themed scam requests customers of the home-sharing website must re-enter their contact information and credit card details in order to comply with the EU’s General Data Protection Regulation that comes into force on May 25, 2018.
The scammers are taking advantage of the high volume of emails currently being sent by companies as part of their GDPR compliance efforts. Consumers have been receiving emails from a wide range of companies requesting they update their information, re-confirm that they still want to remain on mailing lists, and review new GDPR-compliant privacy policies ahead of the compliance deadline.
Over the past few weeks, many companies have been sending these emails, so consumers are now used to receiving the messages and responding. This familiarity with the emails could lead some consumers to click without thinking and disclose their sensitive information.
As with other phishing campaigns, there is a sense of urgency. Once the compliance deadline is reached, companies will be required to delete all customer data if a valid GDPR-compliant opt-in has not occurred and new privacy policies have not been accepted. As is stated in the Airbnb phishing email, failure to respond will prevent users from accepting any further bookings.
The request is plausible, the emails have been sent from the domain @mail.airbnb.work, the branding and logos used in the email appear legitimate, and the link directs Airbnb customers to a webpage that looks like the genuine site, apart from the domain name.
Airbnb is already sending emails to its customers asking for them to accept its new GDPR-compliant privacy policy, although the genuine emails do not ask customers to re-enter their information. They are only required to accept the firm’s new privacy policy and agree to its terms of service.
This GDPR phishing scam is one of many that have been detected over the past few weeks and it is unlikely to be the last. With such a high volume of GDPR-related emails being sent, it is providing cybercriminals with a perfect opportunity to obtain sensitive information.