Online threats in the context of GDPR

Aug 15, 2022

In the way we communicate and do business today, an increasing number of individuals encounter hacker attempts at online fraud. From the first naive messages, full of grammar and spelling mistakes, from princes and princesses in exotic locations who saw in you the right person to help transfer their multi-million dollar inheritance, today's hacking attempts have become sophisticated in every possible way and have spread into almost every area.

It is an indisputable fact that awareness and knowledge of malicious attempts, together with the ability to recognize them and to behave correctly in such situations, are key to preventing losses, most often financial, for individuals and for the business of the entire company. Because of their variety and frequency, it is almost impossible to list and analyze every specific fraud attempt, but there are forms that share certain common features, which is why it is good to know them and to know how to react.

One such form is an unexpected email or phone call in which the hacker presents himself as a supplier or partner of the company or, when he knows the situation in the company well, as a director. In the email he requests a transfer of funds or a payment to a new account, stressing that, because of the urgency, the existing protocols and checks are to be bypassed when making the payment.

A similar request may arrive by email from a company that has no business relationship with yours, asking you to open an attachment or click on links in the email.

What such attempts have in common is that, to a greater or lesser extent, they deviate from the established internal communication procedures and agreed protocols, and they contain a specific request addressed to the recipient.

In addition, it is no longer so rare to receive unexpected emails from hackers posing as banks, courier services or humanitarian organizations, asking us to click on links, open attachments and/or provide our card and/or personal information.

Although every hacking attempt is malicious and can have a significant negative strategic, financial and regulatory impact on the company, it is not good to develop, out of fear and ignorance, the belief that the best outcome is for such an attempt never to happen to us. On the contrary, employees who have already faced malicious emails and calls develop a higher level of caution and suspicion towards any future attempts of this kind.

Regardless of whether the hacking attempt aims at the theft of data or money or at activating malicious software in the company's IT system, the best protection for companies is to take appropriate measures, which include internal procedures for communication and payment and the education of all employees of the company.

When we talk about the GDPR, companies and organizations are obliged to take appropriate technical and organizational protection measures (Articles 24, 25 and 35) in order to adequately protect personal data and to reduce the risk of misuse and of personal data breaches to the minimum possible extent. If a personal data breach occurs that may pose a risk to the fundamental rights and freedoms of individuals, the company is obliged to report it to the supervisory authority. An example of such a breach is an employee responding to a malicious email and, for example, revealing the account numbers and other personal data of the company's employees in the belief that the bank is asking for that data.

Instead of a conclusion, it is worth emphasizing that, alongside sophisticated technological protection systems, one of the most important links in protecting companies and their business from online attack attempts is an appropriately educated and trained employee.

Accordingly, regular and high-quality employee education is one of the important measures for the protection of personal data.

Authors: Ines & Marko Krečak, Feralis Center
