Social engineering follows seasonal patterns. It's also connected to major events. We see this every year with holiday-themed phishing attacks between Thanksgiving and New Year's Day.
We're seeing it now with this week's implementation of GDPR, the European Union's General Data Protection Regulation. GDPR takes effect on May 25th. In this case the phishbait is the claim that Apple is proactively preparing to better protect your data.
This sophisticated phishing scam targets Apple users, threatening them with account suspension. If your user falls for this social engineering tactic and is manipulated into preventing a negative consequence, they're redirected to an "account rescue site" which of course is established to extract credentials and other personal financial information.
The phishing website is a legitimate-looking but bogus Apple site. It presents itself as a place where the users can rescue their account from being "restricted."
In addition to looking legitimate, this website is more sophisticated than most phishing sites because the bad guys correctly set the web directory permissions, and encrypted the spoofed site using Advanced Encryption Standard (AES) – allowing it to bypass some anti-phishing tools embedded in antivirus solutions.
One of the things the victims are asked to do is "update payment details." Once they've entered the requested information, the scammers say, the victims will see their accounts "returned to normal". Upon completion the victims are asked to click a button labeled "unlock." Doing so sends the information they've just entered directly to the scammers.
The site looks legitimate, but as usual there are red flags: First, the phishing emails were not all that highly targeted. Some of the recipients haven't even been Apple users. Second, the URL is off. For all of its convincing appearance, it's not an Apple site at all.
Companies worldwide are indeed working on becoming GDPR compliant—part of that, train your employees!—and try to make sure that the people whose data they've collected have in fact consented to give them their information. Criminals are aware of this, and are following suit. You should remind your users that GDPR is indeed taking effect this week, but that they should be wary of this flavor of social engineering.
The Royal Wedding Is A Social Engineer's Dream
And obviously, this weekend's royal wedding is a social engineer's dream. Wedding fever has taken over the net and a variety of scams and attempts to steal personal information are out there.
For example, there are quizzes out there asking for your Royal Wedding Guest Name and then want your mother or father's middle name, pet names, street they live on and the like.