GDPR Phishing Scams – A Novel Trap to Scoop up Information

The General Data Protection Regulation (GDPR), an EU regulation that comes into force on 25 May 2018, aims to give users more control over their online data.

It is ironic that the aim of GDPR is being undermined by scammers in an unexpected way: GDPR phishing scams.

What are GDPR phishing scams?

To comply with GDPR requirements, organizations email their customers to ask permission to use or retain their data. If customers give consent, the organizations keep them on their mailing lists. This process was straightforward until cybercriminal opportunists emerged. They take advantage of the deluge of GDPR emails and land in the inboxes of unsuspecting customers. A flood of messages appears to come from websites where customers previously registered, asking them to re-send their consent by email. The personal details entered in response to these emails are stolen and used for malicious activity. Criminals trick consumers with such phishing emails and grab credit card details, passwords and personal information.

The EU GDPR applies to all EU residents. Companies are required to follow the GDPR requirements strictly, so they send these emails far and wide, and scammers use lookalike emails to fool customers. A large number of phishing scams have surfaced in the past few months. A regulation whose purpose is to secure the data of online users has been turned on its head and become a trick for violating privacy.

Apple Phishing Scam

Phishers impersonate reputable companies and familiar brands because recipients are more likely to respond to emails that appear to come from such senders, and are very likely to have registered at such websites. Apple is one of those famous brands.

The attackers sent GDPR phishing emails to users asking them to log in to a fake Apple site. The emails appear to come from the legitimate Apple website and tell victims that 'due to unusual circumstances, your account has been limited and you need to update your credit card details'. A link at the end of the email leads, when clicked, to a website that looks real but is actually a phishing page. Once the user enters their account credentials, the attacker takes over the Apple account, along with all the personal and financial information it holds. By the time victims reported the website, the fake site was already offline, which makes it hard to track.

Airbnb Phishing Scam

GDPR email phishing scams predominantly imitate emails from well-known companies, and Airbnb has also been targeted. To meet GDPR compliance requirements, Airbnb started sending legitimate emails to its customers. Fraudsters took advantage of this and sent phishing emails to Airbnb users. The emails appear to come from Airbnb customer support but are fraudulent messages whose aim is to steal customer data for illegal purposes. These emails had URLs that differed from the real ones, grammar and spelling mistakes, threatening language and requests to update credentials. After these phishing incidents, Airbnb asked its customer community to verify any such email that looks suspicious.

These two main scams have come to the surface and clearly illustrate how email-based attacks are fooling the customers of trusted brands. More such cases may appear in the future and can directly or indirectly affect people's lives and organizations' reputations. Such brazen attempts, and ransomware attacks, should therefore be countered by logging in to the official website directly to verify any request email.
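As an added example (not part of the original post), here is a small Python check of the kind a mail security team could run over a suspicious message: it flags links whose host is not an official domain of the brand the email claims to come from, link text that names an official domain while the href points elsewhere, and the pressure wording described above. The brand domain list and the sample email are constructed for illustration and are assumptions, not data from the post.

```python
"""Defensive check for brand-impersonation links in a GDPR-style phishing email."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Official domains per impersonated brand. Assumed values for illustration only;
# a real deployment would load an allow-list maintained by the security team.
OFFICIAL_DOMAINS = {"apple": {"apple.com", "icloud.com"}, "airbnb": {"airbnb.com"}}

# Pressure wording of the kind described above (account limited, update card details).
PRESSURE_PHRASES = ("account has been limited", "update your credit card")

# Constructed sample: a fake "Apple" notice with two bad links and one genuine support link.
# 203.0.113.10 and the .example domain are documentation/reserved values, not real hosts.
SAMPLE_EMAIL = """<html><body>
<p>Due to unusual circumstances your account has been limited.</p>
<p>Please <a href="http://apple-id-verify.example/login">update your credit card</a> now.</p>
<p>Or visit <a href="http://203.0.113.10/apple">https://appleid.apple.com</a></p>
<p>Help: <a href="https://support.apple.com/">Apple Support</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, domains):
    """True if host is one of the official domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def displayed_host(text):
    """Hostname the link text appears to name, or '' if the text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "//" + text).hostname or ""


def analyse_email(html, claimed_brand):
    """Return a list of findings for an HTML email claiming to come from claimed_brand."""
    official = OFFICIAL_DOMAINS[claimed_brand]
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # only web links are compared against the brand's domains
        host = urlparse(href).hostname or ""
        if not host_belongs_to(host, official):
            findings.append(f"link to non-official host {host!r} (text {text!r})")
            shown = displayed_host(text)  # text naming an official domain is the classic trick
            if shown and host_belongs_to(shown, official):
                findings.append(f"link text shows {shown!r} but href goes to {host!r}")
    lowered = html.lower()
    findings += [f"pressure wording: {p!r}" for p in PRESSURE_PHRASES if p in lowered]
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL, "apple"):
        print("FLAG:", finding)
```

Running the block prints five findings for the constructed sample; a message whose links all stay on the brand's own domains and that carries no pressure wording yields none.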

GDPR Checklist – Practices to adopt as Business Norms

It's been a little over eight months since the GDPR came into effect on 25 May 2018. From that point onwards all organizations are expected to be compliant; however, many companies in the EU are either still in the process of becoming GDPR compliant or finalizing their programs. For those who still do not know about it, the General Data Protection Regulation is an EU regulation governing the data protection and privacy of individuals in the EU. It applies to businesses operating within the EU and to external ones that handle the personal data of EU citizens (data subjects, as the regulation calls them).

The fundamental principles of the GDPR are fairly straightforward; however, bringing an entire organization onto the same page is crucial. Legally meeting each and every provision of the regulation can be complex and intricate to understand. For this reason, senior management and compliance officers need a GDPR checklist for their business to stay up to date with this data privacy regulation.

GDPR Checklist – Aspects for Business to Consider

Like any responsible company that respects the privacy and security of data, you should assess the aspects of your business model that require you to collect personal information from incoming users. Whether it is for customer due diligence or a KYC-for-ICO process, it is always important to be aware of the compliance guidelines that govern your data collection practices and how that data is used to deliver services to customers. This assessment is known as a DPIA (Data Protection Impact Assessment). ICO and blockchain-based ventures have to be especially careful about such business practices in order to gain legitimacy and credibility.

  • Businesses should assess what data they collect and whether the necessary consents were sought before collection. Companies should also be clear about, and document, their purpose for collecting data, and collect only relevant data. All this data should be treated as a risk, and the necessary safeguards for data security and protection should be planned. This also includes a holistic overview of the data flow within the company, highlighting any cross-border data transfers into third countries or across jurisdictional bounds.

GDPR Checklist – Necessary Measures in Accountability and Control

GDPR measures need adequate accountability and control to ensure that the assessment conducted beforehand is implemented as well as possible.

  • For businesses, it is absolutely crucial to put a person in authority over all matters of GDPR compliance: a DPO, or data protection officer. Control also means proactively informing the relevant security team of its obligations under the GDPR. A major element at this stage is consent management: does the company have procedures to handle data-subject requests for deletion, modification and access? For effective monitoring of requests, alerting and notification tools are important for GDPR compliance. Companies need to have the required training in place to ensure uniform awareness of data privacy among employees, to ensure responsible handling of data and the related requests, and to ensure data protection regulations are not breached after the initial implementation. Review and audit practices should be implemented to keep a check on data storage and conformity to the regulations.

Mandatory Documentation and Listed Work-Flow

No regulation can be practised without the necessary documentation being put in place first. Documentation provides a visible representation of transparency to onlookers, including end-users, the general public and the company itself. A documented workflow is a company's testament of clarity regarding end-user rights.

  • A privacy policy is a must-have document for companies pursuing GDPR compliance. If the company already has one, what changes are required to bring it in line with the GDPR guidelines? Does the company have adequate, plainly written documentation of its business processes, so that a customer request can be handled immediately? An important part of documentation is contracts, including contracts between data controller and data processor, and any documents covering partnerships with third-party vendors who provide services involving PII data. A company should have documented policies that set out its data retention periods and the types of data it retains.

Carrying Forward GDPR Mindset

In all likelihood, the guidelines of the GDPR are irrelevant if the company lacks the business aptitude to undertake such compliance, however important implementation of the regulation is for the company. For businesses, GDPR is not a certification that a company can easily acquire, but a regulation that demands deep change within the operating mechanism to embed the changes it requires. The KYC industry is an ideal example: companies have to deal with the preservation of data and address its security and privacy in accordance with the GDPR. Identity verification services such as Shufti Pro have to facilitate user requests regarding collected data while effectively negotiating with customers.

Implementing GDPR is no simple task for businesses, as the complexities of the regulation require a deep understanding to begin with. Implementation can be initiated through a simple GDPR checklist before any expensive consultations, saving companies additional cost. Companies nearing complete GDPR compliance have a higher chance of reaping the full benefits of trouble-free and smooth operations.

Shufti Pro GDPR Review 2018: How we protected our clients from regulatory fines?

Shufti Pro stands out in the KYC industry not only because of its highly customizable, global identity verification services but because of the unique regulatory protection it provides to its customers. After all, collecting personal information to authenticate the true identity of an end-user puts both Shufti Pro and its customers at substantial risk. Regulators all over the world have put forward strict privacy laws and regulations that not only set strict guidelines for personal data collection but also require companies to follow set rules when using the personal information of an ordinary user.

GDPR was one of the most comprehensive and powerful regulations introduced a couple of years back, and July 2018 was the deadline for businesses to become GDPR compliant. This set of rules applies to businesses either based within the European Union or based outside the EU but providing services to its citizens. In order to safeguard its customers from multi-million-dollar fines for businesses found in breach of GDPR, Shufti Pro aligned its verification services with GDPR-specific guidelines.

GDPR guidelines for Identity Verification Services by Shufti Pro

GDPR never set out any specific guidelines for identity verification services or for third-party KYC service providers. It is a generic set of instructions for any business that collects personal information from its customers, and the privacy guidelines those businesses have to follow.

As a third-party verification service verifying the identity and financial risk attached to customers of online businesses, Shufti Pro designated a special role for itself in the specific terminology introduced by GDPR: processor of data. This made our clients the collectors of personal information for the purpose of verifying the identity of incoming users.

This meant that although Shufti Pro was the business entity tasked with verifying the personal information claimed by the end-user, it was the responsibility of the Shufti Pro client to secure that data. On our own end, the collected information was secured not only against brute force attacks; special protocols were also developed to delete the collected data when a request was received either from a Shufti Pro client or from an end-user.

KYC Verification procedure under GDPR

Shufti Pro only collects data for verification purposes, as per the legal agreement signed by Shufti Pro and its customers. This data is limited to verification of the credentials, identity or any other related verification that our customers require under the legal agreement. We have also added a consent button to the form where a customer fills in their identification details, and we give customers the option to read our data protection policy, privacy policy and Terms & Conditions, to ensure full transparency.

Access Rights

A user can request access to the personal data they have shared with Shufti Pro about themselves. Personal data is anything identifiable, such as their name and email address. If they request access, Shufti Pro (as the processor) needs to provide a copy of the data, in most cases in a machine-readable format (e.g. CSV or XLS). The user can also request to see and verify the lawfulness of processing. A client can seek access to their data by telling Shufti Pro what they require at privacy@shuftipro.com. We at Shufti Pro believe we are under a legal and moral obligation to facilitate any individual rights request. Shufti Pro enables you to grant any access request by easily exporting the user record into a machine-readable format.

Deletion Rights

Under the GDPR, the user has the right to request that Shufti Pro delete all personal data it has collected from them. Shufti Pro is then required to permanently remove the user's record from its database, including verification results, all personal information, saved images/video, form submission data and credit card data. In a GDPR-compliant manner, a client can have their data deleted by querying Shufti Pro at privacy@shuftipro.com. The data protection officer at Shufti Pro will in most cases respond within a 30-day period. In many cases the right to deletion is not absolute and can depend on the context of the request, so it does not always apply.

GDPR Compliance vs BlockChain Debate – Things you must know

GDPR compliance is here to stay, and it is binding on every business and online enterprise that wishes to operate in the European Union or to offer its services to EU citizens despite having a non-EU presence. But this user-friendly, pro-data-rights regulation creates an interesting scenario for companies using blockchain technologies and for individuals involved with blockchain-based products. Interestingly, rather than a straightforward clash between technology and regulation, GDPR and blockchain offer several positive points in addition to some clearly daunting ones for the future. GDPR compliance ensures transparency, which sometimes works in favour of blockchain technology, but in the case of oversight or data usage rights the same blockchain can be found in direct violation of GDPR. Huge fines are involved if a company or business is found to be operating in violation of GDPR, so it is pertinent that every company using this technology is fully aware of the risks and benefits of using blockchain in a post-GDPR world.

Positives in GDPR vs BlockChain Debate

GDPR and blockchain have a lot in common, contrary to what most people might think. Protecting the data rights of users is of utmost importance, and this notion is at the heart of both GDPR and blockchain. Blockchain requires one-way authentication and data access, which goes beyond the requirement for data security and encryption in GDPR.

Another important aspect of GDPR is that companies are required to adopt state-of-the-art anti-data-breach protocols so that customer data is at all times out of the reach of online data bandits. Blockchain comes in handy in protecting customer data, as access is restricted to users of the blockchain.

Tracking user consent becomes easier with blockchain technology. With its permanent record of data and unbreachable access controls, blockchain ensures that consent received from users is always on record, and a customer will not be able to claim that they never gave consent for the collection of their data or the use of their personal information to provide a service.

The anonymity offered by blockchain is also a great benefit that suits GDPR compliance. For example, in the case of permissioned blockchains, transactions can be made in a fully anonymous fashion without letting other people sharing the same network know the origin or destination of a transaction. Restricted access for end-users ensures that their data is secure, and anonymity becomes their best safeguard against data breaches at the same time.

Negative Aspects of GDPR on BlockChain

Transactions performed via blockchain not only tend to be anonymous but are also strictly one-way. You cannot force a refund as in the case of usual banking and transaction methods.

Another possible cause for concern for enterprises and businesses using blockchain is deleting user data. GDPR requires businesses to delete any data they have acquired from customers in order to provide a service, along with any history of business the customer has conducted with the company. Blockchain does not support this. It is a permanent trail, and you simply cannot delete this data; that is one of the core reasons the technology became so famous in such a short span of time. Your data or previous operational history is saved forever, but GDPR compliance becomes a problem with this feature.

Blockchain presents a complex data infrastructure and application landscape. This can make things harder for a company looking to get regulators off its back by adopting transparent methods for collecting customer data and clearly defining how that personal information is used. The risk of unintended errors is also multiplied as the complexity of the technology employed (such as blockchain) starts getting out of hand.

GDPR and blockchain have a lot to offer, not only to end-users but to service providers and businesses as well. All that is needed is a genuine effort on the part of companies to understand the potential of blockchain and how it can be used to deliver better services without compromising GDPR compliance. Features such as unbreachable databases and superior encryption mean that blockchain can act as the ultimate weapon for relief from hackers and for preventing monetary penalties from regulators.

Digital KYC/AML Operations – Shufti Pro Gears Up for GDPR Enforcement

Following the debate on GDPR in the EU Parliament, the long-awaited and much-hyped GDPR enforcement date of 25 May 2018 has been announced. From that date, many firms across the world and the EU will see the GDPR legislation enforced, and organizations found to be non-compliant may face severe financial consequences.

What is the GDPR?

In general terms, the EU General Data Protection Regulation replaces the earlier Data Protection Directive 95/46/EC. The GDPR legislation was formed to harmonize data privacy laws across Europe, empowering all EU citizens' data privacy in the process and reshaping how organizations approach data privacy.

Organizations – STOP Procrastinating, START Acting

The GDPR affects every EU individual and every entity/organization operating in the zone that deals in the storage of and access to their data. While organizations might still delay a few more days, the enforcement date is just around the corner.

Companies need to prepare quickly before GDPR is in effect. Failure to comply could land a firm fines of 20 million GBP ($25 million) or up to 4% of its annual revenue. That is not a financial state any company would want to be in, for its balance sheet or from a public relations standpoint. A recent survey by PwC found that more than 60% of all companies plan to spend more than $1 million to become compliant with the regulation.

How Digital Identity Verification Holds Importance

Given that businesses today conduct business online, the process of validating identity holds great importance. Why? The imminent risk of fraud prevails, as the person is not physically present when conducting the transaction with the merchant or business entity. As more merchants utilise the power of the internet, digitising identity verification by performing e-KYC is the need of the hour for merchants. Having a digital identity verification service greatly improves customer onboarding time, whereby the possibility of fraudulent identity usage is minimized and only legitimate identities are accepted.

Organizations rely heavily on digital KYC (Know Your Customer) services to prevent fraud and scams involving fraudulent identities. This is very important for banks and financial institutions providing services such as opening a bank account, making bank-to-bank payments and checking credit histories. As more businesses conduct business and trade online, verifying who is on the other side has become all the more vital to ensure legitimacy.

How GDPR Recognizes Digital Identity Verification

You might ask: will digital KYC services be affected by the GDPR? The law does not restrict the operations of any particular company. Rather, it recognizes the importance of identity and of ensuring its protection. At its core, GDPR merely emphasises better protection of data subjects (EU citizens) through how information is collected and how it is processed and used.

Companies that come into contact with such information will need to secure it in a manner that conforms to the GDPR guidelines, and additionally make the use of information very clear, easy to understand and transparent for individuals.

GDPR & FinTech Companies – Mandatory Alliance

FinTech companies provide RegTech solutions to clients across the world. Given the nature of their operations, these companies collect individuals' PII and also their transactional credentials, including credit card numbers and other sensitive data. For FinTech companies, it should be evident from the outset that they must be compliant with the GDPR, so as to ensure they are up to date with stringent policy measures and to prevent any criminal proceedings against them.

FinTech companies have a moral and legal responsibility to conform to the legislation, as it makes them appear legitimate, or 'good to go' with regulators, to customers. This signals a great area of trust for potential customers to become actual clients. Clients likewise need to be aware of the new GDPR policy and ensure they do business with organizations that are compliant with the latest regulations, such as Shufti Pro.

Shufti Pro – The GDPR Compliant AML/KYC Operator

Given that most businesses today run online, the need for reliable and technologically advanced identity verification services will be high. As businesses operate online, the capacity to physically see their customers and online users becomes a rarity. The need to verify identities in real time and perform digital KYC/AML compliance is more important than ever.

This is where Shufti Pro comes in, redefining digital identity verification services and providing KYC/AML compliance in all jurisdictions. The EU, for example, implements the GDPR guidelines for data protection, with which Shufti Pro complies effortlessly. Shufti Pro ensures that all of the data it collects conforms to the guidelines set by the GDPR legislation.

Making Assessments

The GDPR is a global phenomenon that is set to establish a new standard in consumer rights. Likewise, companies need to look for firms that will be GDPR compliant. This is important from an organizational as well as a client's standpoint. GDPR-compliant companies will be better off from a PR perspective and ensure trust in the eyes of potential customers. Customers are no longer naive; rather, they are fully aware of their rights and will be on the lookout to do business with GDPR-compliant companies.
