Over the past several weeks, as the GDPR deadline of May 25 loomed, thousands of organizations sent individuals, including U.S. citizens, notices requesting consent and opt-in to receive further communications. Riding on that wave of confusion and inundating emails, criminals have used the implementation of GDPR to their advantage by impersonating legitimate businesses, including financial firms, and sending what purport to be GDPR notices to customers. However, the notices request that consumers to provide their banking information, and other personal information which is then being used criminally. There is also the possibility of opt-in links being infected with malware and ransomware.

Amid the email GDPR notice overload last week, UK Finance, a representative of the financial services industry, issued a warning to consumers to be vigilant about opt-in notices and links, and to be “wary of any requests out of the blue asking for your personal or financial details.” A GDPR notice should not request banking information, credentials or personal information, and a legitimate bank will never contact a customer asking for their PIN, password, or to transfer funds to another account.

This is an unfortunate opportunity for fraudsters to dupe consumers by using GDPR compliance to their advantage. The same recommendations apply to these opt-in emails as any others, and continued vigilance is necessary.