GDPR: What is it, and Should Credit Union Members Care?
You have probably seen, read, or received information recently about GDPR, the new European privacy regulation meant to protect consumers. While GDPR doesn’t directly affect credit unions in the United States, there are ancillary concerns that could compromise your own data security. The myriad notices sent from all sorts of companies have given hackers and cybercriminals a new opportunity to disguise phishing scams.
In addition to cybercrime, many people may be unknowingly unsubscribed from email newsletters and marketing updates that they wish to continue to receive.
What is GDPR?
The European privacy standard known as General Data Protection Regulation, or GDPR, went into effect on Friday, May 25, 2018.
GDPR is a set of rules passed by the European Union (EU) that require companies to offer greater data safeguards, to provide more transparent notifications and communications, and to give people more control over how their data is used. It also meant to standardize data privacy laws across Europe. The law covers any entity in the EU that collects and uses data – financial institutions, government, retailers, social media companies, etc. It also covers non-EU entities that offer goods or services to influence or monitor citizens of the EU.
Does GDPR effect credit unions?
Credit Unions are not international financial institutions. They were established during the Great Depression by the Federal Credit Union Act, which, “authorized the formation of federally chartered credit unions in all states, helping to make more credit available, and promote the principle thrift through a national system of nonprofit, cooperative credit unions.”
Because U.S. credit unions operate only within the country, they ordinarily would be not subject to European regulations. However, some experts have suggested that any credit union that has any member who moved to Europe will need to follow the law.
- Credit Union Times – EU Regs (GDPR) Arrive to Impact U.S. Businesses & Credit Unions: “Credit unions better be ready to deal with GDPR even if they think they don’t have to.”
Moreover, it has been suggested that any company that reaches EU residents through the internet should heed GDPR regulations.
- Credit Union Journal – To comply or not to comply: How should credit unions approach GDPR?: “Any U.S. company offering goods or services to EU residents, such as a company with a website, is likely required to comply.”
Should credit union members care about GDPR?
At least some credit unions in the United States will have to respond to GDPR. More importantly, however, is how does GDPR effect credit union members?
Credit union members shouldn’t necessarily have a particular concern about GDPR, but GDPR should be a concern to everyone. That’s because GDPR has become a magnet for phishing scams and cybercrime.
GDPR scams
According to PYMNTS.com, the same principle that criminals and pickpockets use in crowds applies to GDPR.
“GDPR has led to a barrage of new terms and conditions released by companies eager to meet the terms of the rule — as any internet user knows — and criminals are using all those notices as cyber camouflage.”
For example, Security Boulevard, a network for security bloggers, reported about the frequency of an Apple phishing scam.
The phishing message says, “For Your Safety, Access To Your Apple ID Has Been Restricted.”
Security Boulevard says the message:
“[P]rompts users to update account information before being allowed back in. This particular campaign was designed to capitalize on fatigue from the myriad of [sic] updated terms of agreement and privacy policy notifications internet users have encountered in the weeks leading up to GDPR, hoping to catch them off guard. The idea behind the scam is that potential victims are less alert and more likely to agree to and click through anything related to updated terms and conditions.”
Although the Apple phishing scam is one of the more well-reported scams (here on Threatpost, IT Governance, Kaspersky Lab Daily, and Hacker Combat), it isn’t the only one.
CIO Dive, which covers the technology industry, posted a news brief, Hackers are using GDPR to disguise phishing schemes. “Phishers are taking advantage of customer trust on a whole new level with hackers now working to profit off of [GDPR].” The brief said, “hackers are disguising email phishing schemes as legitimate emails from companies like Airbnb.”
- “The emails sent impersonating Airbnb typically use a ‘bogus variation’ of an email address meant to look legitimate like "@mail.airbnb.work.”
Another scam has targeted customers of the NatWest. The fraudsters used used bogus emails claiming to come from the bank. The fake emails tell customers their accounts will be terminated if they don’t update their records.
In an astute observation, PYMNTS.com says scams and cybercrime, “could reasonably stand as one of the ongoing unintended consequences of the GDPR.”
Kaspersky Lab Daily observed, “After all, millions of people worldwide are blindly clicking ‘Yes, I agree’ in countless messages and entering personal info on multiple sites without a second thought.”
Protect yourself against phishing
The good news is that any company that must abide by GDPR (think worldwide social media companies, big financial institutions, news organizations, etc.) must alert consumers when their data has been hacked. According to ZDNet, “Organisations will be required to notify the appropriate national bodies as soon as possible in order to ensure EU citizens can take appropriate measures to prevent their data from being abused.”
That’s fine after your data has been lost, stolen, or otherwise compromised. But what about before? How can you prevent your data from getting into the wrong hands in the first place?
Unfortunately, much of your personal information is already in the databases of countless companies. BUT, you can still protect yourself against phishing scams with a few simple steps.
Don’t get caught in a phishing scam
The best way to avoid a phishing scam is to think before you click. If the email doesn’t look right, use caution.
- Don’t click on any links within the email. If you want to check the validity, go directly to the website in question. For example, on nuvisionfederal.com you can log into your online banking and check to see if you have any messages.
- Look for “https” at the beginning of the website address before you enter any login, password, personal, or financial information.
- Make sure your computer firewall is active.
- Use antivirus software.
Phishing emails often include telltale signs that it might be fake. These aren’t iron-clad indicators of a scam, but they should cause you to be suspicious and at least double-check.
- The email includes bad spelling and grammar.
- Look at the graphics. If the branding, colors, logo, etc. don’t look consistent with the real company, it may be a fake email.
- The message includes a sending email address that doesn’t exactly match other emails from the same purported sender that you know are legitimate.
- The address to which the email is sent is incorrect or is not linked to the company sending the email (people often use different emails for different accounts).
- Does the salutation include your name, or just, “Hello,” “Hi,’ or “Greetings”? Companies with which you’ve done business (e.g. provided credit card information) will have your name.
- Is the email from a company or organization with which you have never done business or created an account? If so, it’s highly unlikely that you would be asked to reset a password or confirm any personal information. Use caution.
Phishing tied to current events is on the rise. So, it’s no surprise that GDPR has become a lure for cybercriminals. Being a member for a credit union doesn’t increase the likelihood that you’ll become the target of a GDPR phishing scheme. Simply being online means you belong to the universe of potential victims.
You don’t have to become a victim, however. Pay attention to the privacy notices you receive, don’t click without thinking, and take a little extra time to make sure that email is legitimate.
You’ll be happy you did.
Stay connected
To stay on top of Nuvision alerts and information related to the risks of fraud and identity theft, financial and data protection, and cybersecurity, check our Fraud Protection blog or follow Nuvision on Facebook and Twitter to receive updates when new articles are published.