According to the European Union Agency for Cybersecurity (ENISA), there has been a strong increase in so-called 'phishing attacks'. Cyber criminals are taking advantage of the widespread uncertainty regarding COVID-19 and are trying to gain access to confidential information.

What do you need to know?

Phishing attacks are fraudulent procedures to induce users to reveal confidential information (eg, any kind of access data or bank and credit card details).

To do this, cyber criminals typically send emails or messages that appear to come from a legitimate source such as a bank, well-known e-commerce provider or government institution. These messages regularly contain links or attachments that the user is supposed to open. The links or attachments then redirect the user to manipulated websites which are designed to retrieve the confidential information.

Unfortunately, the authenticity of these messages is becoming increasingly difficult to determine, leading more users to be deceived and reveal confidential information. In the case of access data, entire systems can be compromised. Companies have also been victims of phishing attacks on several occasions. At the moment, for example, an English-language email allegedly originating from the World Health Organisation (WHO) is being sent to several companies. It claims that the WHO has compiled a free e-book on important COVID-19 protection measures, which is also attached to the email as a zip archive. The WHO has now clarified that this is a phishing email.

Incoming emails can be identified as phishing emails if any of the following apply:

  • Does the e-mail come from a fake sender address?
  • Is confidential data requested?
  • Is urgent need for action feigned?
  • Does the email contain a link to fake websites?
  • Is the email characterised by linguistic inaccuracies (eg, impersonal salutations) and spelling mistakes?

Why should you care?

Binding or non-binding?

The guidance from the ENISA is non-binding. However, data protection authorities may consider their recommendations as a best practice when preparing for and responding to phishing attacks.

Consequences in case of non-compliance?

Data protection authorities may impose fines of up to €20 or 4% of annual turnover under Articles 83 and 84 of the EU General Data Protection Regulation (GDPR). Data subjects may claim compensation under Article 82 of the GDPR. From an EU perspective, it is unclear whether competitors may send cease-and-desist letters. Companies may also face indirect costs such as damage of reputation or management costs.

How actively enforced?

So far, the level of enforcement efforts against phishing attacks has been low.

Any examples of other companies experiencing non-compliance issues?

Whereas there has been a high number of companies experiencing non-compliance issues with regard to data security in general, there do not appear to be any cases specifically relating to phishing attacks.

What should you do now?

Several national authorities (eg, the German Federal Office for Information Security) have published recommendations on precautionary measures, which include the following:

  • Under no circumstances should anyone click on links in dubious emails. If unsure, an attempt should be made to reach the page mentioned in the suspect email via the homepage of the organisation concerned (ie, without clicking and typing the link address directly into a browser).
  • If it is possible that an email legitimately asks for confidential data, contact the provider mentioned via telephone.
  • Under no circumstances should parties disclose personal information such as passwords, credit card or transaction numbers via email. This is not the policy of reputable senders.
  • Do not use download links contained in emails unless it is clear that there is no danger deriving therefrom. For a download, visit the provider's homepage directly and start the download there.
  • Handle personal data with care. If anything seems dubious, immediately break off the connection and contact the website operator.
  • Never open any attachments of a suspicious email.
  • Regularly check the turnover and balance of bank accounts. Contact banks immediately in case of anomalies.
  • Be careful not to disclose personal data on websites with an unencrypted connection (ie, it has 'https://' in the address line and the padlock symbol next to the browser's address line).
  • Make sure that antivirus software is up to date and firewalls are activated.

If companies or employees have been the victim of a successful phishing attack, they must immediately take protective measures to restore data security. In addition, they must immediately check whether the security incident constitutes a reportable 'data breach' within the meaning of Article 33 of the GDPR and whether the responsible data protection supervisory authority must be informed within 72 hours.