Phishing: GDPR exploited as a human vulnerability

On May 25th, the General Data Protection Regulation (GDPR) came into force, meaning that from then on companies have to fully comply with it. The GDPR introduced new rules on consent for the use and storage of personal data; companies might have to ask for it (again) if they did not already hold consent as properly defined by the European regulation. “This is why you received tons of GDPR mails last week.”

GDPR: with massive flow come major opportunities

Loads of similar mails have been sent; all of them asked for GDPR-compliant consent. They therefore all included calls to action, most of the time requiring the recipient to fill in login credentials: an opportunity for data hunters.

Two types of motive have been noticed:

  • The marketing trick

RedSocks Security analysts found that about 20% of the mails received had been sent by companies the recipients did not know or had not signed up with. These companies intend to legally obtain targets’ consent for their own use, after maliciously purchasing their contact information through previous ventures or data breach lists.

  • The traditional ‘data rush’

Phishing is a common practice for criminals hunting for personal data such as credentials and banking information, whether for their own malicious use or for resale. As reported, many users fell victim to convincing GDPR phishing mails purporting to come from Airbnb and other recognized organizations, asking them to fill in personal information.

The exploitation of a human vulnerability: trust

Phishing campaigns are intrusion or data collection processes based on a human vulnerability. Victims are misled into clicking on and logging in at malicious URLs, downloading infected documents or giving out sensitive information. To get to this point, criminals need to use psychological tricks to induce the action, by abusing the trust of their targets.

Awareness of phishing mails has significantly increased, but that does not mean individuals, however aware they are, will follow good practice in real life. Trust is subjective; it is an almost automated decision we make. The brain relies on key values to determine whether something is right or wrong, and some items are automatically recognized as trustworthy and safe: for example, the logo of a famous company or a name the recipient knows. This automatic trust is the result of the framing effect, a cognitive bias that influences how people react depending on how the content is presented.

Moreover, a phishing campaign, as in the GDPR phishing case, can be specifically designed to trick an overwhelmed, tired user, whose cognitive functions will then rapidly choose efficiency over thoughtful vigilance. Most people understand little about GDPR besides its duty to protect their privacy. Thus, in an overflowing mailbox, where little time can be given to managing mails, the “GDPR” label is automatically associated with protection; this is how criminals easily caught users off guard. “As ironic as it sounds, the GDPR has been used to illegally collect personal data.”

Phishing: best practices

  • Always remain vigilant when opening a mail and when downloading or clicking on attached items.

  • Verify the sender address: it can look similar to an official one, but a short inspection will enable the user to identify a fraudulent domain name (whether it uses different but similar words or punycode).

  • Phishing campaigns are short and social engineers are creative: knowing is not enough, knowing how to act is better. Phishing training is a necessity for companies.

  • If in doubt, ask your colleagues for help in judging the trustworthiness of the mail.
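As an added example (not code from the original post or from RedSocks Security), a small Python check that applies the sender-address advice above: it flags punycode labels and domains that differ from a known sender domain only by a homoglyph or a single-character change. The allowlist and the confusable-character table are constructed for illustration and are not exhaustive.

```python
import re
import unicodedata

# Constructed allowlist of domains the recipient legitimately corresponds with
# (an assumption for this example; a real deployment would use its own list).
KNOWN_DOMAINS = {"airbnb.com", "redsocks.eu", "example.com"}

# Characters commonly swapped for Latin letters in lookalike domains:
# digits and a few Cyrillic homoglyphs (constructed table, not exhaustive).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an address such as 'Name <user@host>'."""
    match = re.search(r"@([^>\s]+)", address)
    if not match:
        raise ValueError(f"no domain in {address!r}")
    return match.group(1).lower().rstrip(".")

def to_unicode(domain: str) -> str:
    """Decode IDNA/punycode labels (xn--...) so homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already non-ASCII or malformed; compare as-is

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    """Return 'known', 'punycode', 'lookalike' or 'unknown' for the sender domain."""
    raw = sender_domain(address)
    if raw in KNOWN_DOMAINS:
        return "known"
    if any(label.startswith("xn--") for label in raw.split(".")):
        return "punycode"  # IDN label: worth a closer look before trusting it
    # Reduce the domain to the "skeleton" a reader's eye sees, then compare.
    skeleton = unicodedata.normalize("NFKC", to_unicode(raw)).translate(CONFUSABLES)
    for known in KNOWN_DOMAINS:
        if skeleton == known or edit_distance(skeleton, known) <= 1:
            return "lookalike"
    return "unknown"
```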


RedSocks Security can help you identify indicators of phishing campaigns.

For more information, contact
