In recent weeks, a new variant of the GDPR compliance scam has been targeting companies, according to security specialist Vade Secure.
One year after the GDPR came into force, Vade Secure reports an updated GDPR compliance scam campaign currently targeting French companies.
A breakdown of this scam, which operates in two stages:
Companies are targeted via an e-mail whose subject line is a client complaint concerning GDPR compliance.
This scam is already known, but here the method appears different and very effective. “If we pause for a few seconds on this document, the name of the organisation, the European Data Protection Committee CFFE, seems to borrow the name of the European Data Protection Committee ECPD, which appears in the text of the GDPR, Section 3 of Chapter VII (Articles 68 to 76),” explains Sebastien Gest, Tech Evangelist at Vade Secure.
He continues: “The address associated with this committee is in fact a business domiciliation address located in the 8th arrondissement of Paris. When contacted, the company's representative explained that they have been inundated with calls on the same subject for 15 days. A telephone number is then provided for the purpose of handling this complaint. The person on the other end of the line then presents an effective pitch in order to sell a compliance audit service that will resolve the situation.”
Following this call, the company receives a second e-mail containing a link to pay by credit card for the compliance service. It carries the same sender name as the first mailing. Amount demanded: 1194 €.
“The domains use .eu and .online extensions and are registered through the US registrar Namecheap. The signature of this e-mail also carries the name of a French company specialising in GDPR matters. We cannot certify that this company is involved in the scam, so we chose not to name it,” details Sébastien Gest.
Vade Secure gives no figure for the number of companies affected, but reports that “the number of reports on anti-scam sites is increasing day by day.”