Article posted: Dec 13, 2017
By William Houry, VP of Sales
It was inevitable: the scammers are now going after companies in Europe and elsewhere that are preparing for the European Union's cybersecurity General Data Protection Regulation (GDPR), also known as EU 2016/679. The GDPR privacy rules go into full effect in May 2018.
In early December, it was reported in France that companies preparing for the GDPR, which is known as the RGPD in France, were being targeted with some less-than-sophisticated phishing-type schemes. According to what was reported, the scheme involved alarm-inducing urgent phone calls and faxed messages to companies, purportedly from the Commission nationale de l'informatique et des libertés (CNIL).
In the scam, companies were threatened with financial penalties if they didn't supply information, via a premium phone number, that would show they were working toward, or were already in, compliance. The CNIL, of course, was not involved in the phishing and urged companies to reach out to it directly with any questions (including whether a query is legitimate) before providing any information.
For those not familiar, the CNIL is an independent administrative regulatory body in France that ensures that "data privacy law is applied to the collection, storage, and use of personal data." It is the regulatory body for France's compliance with the GDPR, which is designed to strengthen and unify data protection for all individuals within the European Union (EU). The regulation also addresses personal data being sent out of the EU. The intent of the regulations is to give citizens control over their personal data.
Back in France, the phishing scheme's apparent purpose was to collect sensitive data from companies or to get them to submit payment for fraudulent services that are not actually affiliated with GDPR compliance. While it started in France and was reported by the CNIL, it's likely that other companies and locations will be targeted as well in the months leading up to mandatory compliance with the GDPR.
Our advice for companies in Europe and elsewhere is that they should be very cautious around their GDPR compliance, working with only reputable agencies and compliance providers and double-checking the veracity of any requests for information.
Lest anyone not in Europe feel complacent, it's important to know that GDPR regulations have reach beyond the EU's boundaries. Many businesses in other parts of the world face impacts from the EU's GDPR if they have subsidiaries, branches or offices in Europe. Companies that do not comply with the complex regulation face severe monetary fines and more, which is what can make the urgency and warnings imparted in the phishing scheme feel very real.