Several reports have recently emerged of email phishing campaigns attempting to lure business personnel to websites soliciting business and personal financial information. These messages include some wording demanding the recipient urgently take some action such as clicking a link and entering information in order for the purported sender to update their records. This latest campaign is related to the quickly approaching May 25th deadline for GDPR (General Data Protection Regulation) compliance. Knowing that users of technology solutions are expecting opt-in mailing list requests from major vendors and providers, it seems that the phishing campaign authors are hoping to capitalize on this as well.
To protect your organization, we offer the following recommendations:
- Put processes and procedures into place to verify and approve requests before disclosing financial information or initiating transactions, especially wire transfers.
- Educate customers and personnel on what to expect when contacted by the company.
- Educate personnel on how to handle unsolicited email messages including phishing.
- Leverage technologies to protect your business and employees such as:
- Email security gateways
- Web URL Filtering
Understand and follow these communication best-practices:
- Expect services providers to request or accept sensitive info via secure communication means only. These include authenticated HTTPS websites and encrypted email channels.
- Screen emails for greetings that are specific to the user or account being referenced. This usually includes personalized information such as names, company account name, etc. Fraudulent emails often include the salutation “Dear ____ User” or “Dear Valued Customer”.
- Never download, open or install attachments from senders whom they are not expecting to receive attachments. Attachments should be communicated via other channels such as phone, text or IM beforehand. Attachments contained in fraudulent emails often contain viruses that may harm your computer or compromise your business or personal accounts.
- Never send personal information via unencrypted email. Fraudulent email often request a reply or link to fraudulent web addresses.
- Be very leery of emails requesting sensitive information such as legal name, logon ID, password, security questions, credit card numbers, bank info, PIN numbers, social security number, mother’s maiden name, etc. Fraudulent emails often request this info that the service provider already has on file. When in doubt, navigate to the provider’s website via google search or trusted bookmark and check that your account info is updated.
If you believe your organization has been a victim of a GDPR Phishing Scam, we can help. Contact our sales team at 800-319-3051 for more information.Security