Airbnb customers need to be alert to a new phishing scam that takes advantage of the upcoming General Data Protection Regulation (GDPR) to fool them into sharing personal and financial data, according to cybersecurity firm Redscan.
GDPR is an extensive set of data protection reform measures set to come into force across the European Union (and affecting EU citizens worldwide) on May 25th. The new privacy laws are intended to give people more control over the information they share online. As such, companies have been sending emails to their users for the last several weeks asking for their consent to stay on their mailing lists.
Hackers appear to be taking advantage of the situation by sending legitimate-seeming phishing emails to Airbnb customers, telling them that in order to continue to use Airbnb and accept new bookings or contact potential guests, they must follow various steps to accept a new privacy policy. The phishing emails direct customers to malicious links where they are asked to enter their personal information, including credit card details and account data, into a system actually controlled by attackers.
Redscan’s director of cybersecurity, Mark Nicholls, said they weren’t able to tell the scale of the scam or how effective it had been, but it was likely aimed at email addresses taken from the public web.
Mr Nicholls added: “Modern phishing campaigns are becoming increasingly difficult to spot and people need to be extra vigilant when opening emails and clicking links, since it’s important to ensure they originate from a trusted source.”
Airbnb is actually sending emails to alert users to changes related to GDPR; however, the genuine notifications do not ask for users’ credentials, and they include more detail than the phishing scam emails.
Airbnb told Sky News: “These emails are a brazen attempt at using our trusted brand to try and steal users’ details, and have nothing to do with Airbnb. We’d encourage anyone who has received a suspicious-looking email to report it to our Trust and Safety team on [email protected], who will fully investigate. We provide useful information on how to spot a fake email on our help centre and work closely with external partners to report and help remove fake Airbnb websites.”
Nicholls pointed out the irony of cybercriminals exploiting new data protection regulations to steal people’s data, and encouraged people to look out for the use of fake addresses.