Is the GDPR Encouraging Phishing Scams?

Skillful criminals know how to use crowds — just ask anyone who has been pickpocketed in a subway station. Now that principle applies to Europe’s General Data Protection Regulation (GDPR), at least according to one report.

Security Boulevard reported this week (June 6) that in the wake of the new digital security rule taking effect, criminals were quick to use it to their advantage. The GDPR has led to a “barrage of new terms and conditions released by companies” eager to meet the terms of the rule — as any internet user knows — and criminals are using all those notices as cyber camouflage, according to the report.

The regulation requires companies to provide more transparency over how consumer data is used. Consumers must acknowledge they understand the new terms of service related to how their data is used, and companies must offer them the right to have their data removed from those databases upon request.

All that back-and-forth results in all those notices.

“A phishing scam purporting to come from Apple is the most popular that we’ve seen,” Security Boulevard said. “It declares that ‘For Your Safety, Access To Your Apple ID Has Been Restricted,’ then prompts users to update account information before being allowed back in.” The criminal theory goes like this: Consumers are too numb or fatigued to give the message a close look, increasing the odds that enough of them will type in data to make the scam profitable for those on the other end.

That could reasonably stand as one of the ongoing unintended consequences of the GDPR, a topic that PYMNTS is revisiting regularly as the impacts of the European Union rule become more clear. Last week’s look focused on how Google seemed to be benefiting early on from ad sales since the GDPR kicked in on May 25.

The potential opportunities for criminals were not ignored in the weeks and months before GDPR, as a PYMNTS webinar with Ethoca showed. And not all criminal threats related to GDPR — or the PSD2, another major European regulation for digital activity — will involve phishing attempts.

For instance, the right to erasure could prove especially problematic. If a criminal requests the removal of identifying data points, such as an IP address, that request leaves merchants at a distinct disadvantage, as they are unable to add those data points to their negative list.

The GDPR also could bring “new pressure criminals can leverage concerning personal data that companies are responsible for,” Security Boulevard said. “Were criminals to target an organization handling EU resident data, they’d be in a position to leverage a ransom amount closer to fines meted out under GDPR laws once they’ve breached and encrypted the data. We expect to see an increase in targeted ransomware hoping to exploit the hefty GDPR fine structure.”

Meanwhile, the number of digital roadblocks that have gone up in the wake of the GDPR continues to grow. Businesses abroad that fear the consequences of noncompliance with the regulation — fines can take a material chunk out of revenues — are, for now at least, simply cutting off access to some European consumers.

According to reports this week, those organizations included The Association of National Advertisers, sites operated by A&E Networks and such newspapers as the Chicago Tribune, the Los Angeles Times and the New York Daily News.

Finally, there was evidence this week that giant companies — those same firms that EU regulators want to subject to greater scrutiny — are instead reaping rewards, as is apparently the case with Google. According to an article in MarketWatch this week, MKM Partners analyst Rob Sanderson views Facebook as having enough cash and expertise to meet GDPR compliance standards better than the smaller rivals it competes with for online ad dollars. That’s the same trend benefiting Google.

“It could be an unintended consequence that privacy regulation squeezes marginal players and drives even more share consolidation into the duopoly,” Sanderson wrote in a note to clients. “This would be a major backfire on EU regulators, who are trying desperately to minimize the influence of Google and Facebook in the region.”