We're getting more transparent about your data [PHISHING attack?]

[REDACTED]

Here's the text of an email - with the subject line "We're getting more transparent about your data" - that appeared in my Inbox approx. 13 hours ago:-

We’re making some changes   
 
We noticed you haven’t logged into your account in a while.

We just updated our privacy policy to make it more transparent and comply with new EU General Data Protection Regulations (GDPR), so If you want to keep your account active, you need to click the button below. If you don’t log in within 14 days, we’ll be forced to shut down your account.

If you keep your account active, we will also send you the latest online security news and product updates   
 
KEEP MY AVAST ACCOUNT [web button]
 
Thanks for your time,
The Avast Team

It looks quite legitimate to me except for one thing - it was sent to an email address that I don't believe Avast has. Thoughts?

[DavidR]

I have yet to receive this but it seems strange that this comment was made.

"If you don’t log in within 14 days, we’ll be forced to shut down your account."

I have received lots of these EU General Data Protection Regulations (GDPR) as everyone who does business within the EU has to comply with them.  I don't believe it is necessary for you to actually keep something active other than to acknowledge receipt and acceptance, etc.

This EU General Data Protection Regulations (GDPR) is certainly an opportunity for Phishermen to step out.

However, the simple content of the email doesn't give enough information, that can come from the email headers and would need to be analysed to determine who it actually came from.

[REDACTED]

Thanks for your reply DavidR. Helpful and appreciated.

I considered posting the relevant email headers, but perhaps this is unwise on such an open forum (?)

Naturally I won't be acting on the email. Will keep the forum posted if anything futher happens.

Best wishes

[DavidR]

You're welcome.

[REDACTED]

Hello Complex and DavidR

I also received the same email as Complex and I was struck by the phrase "If you do not do it within 14 days, we will be forced to close your account".

I clarify that I am in Argentina

I do not trust this email, so, like Complex, I will not do anything and wait for Avast to have news or communications.

I thank both of you for the publication of the topic and its treatment.

Friendly greetings for both

[DavidR]

No problem and welcome to the Avast forum.

[REDACTED]

This is my first visit to the forum and I also came here to find out if this email is real or not.  The part about shutting down my account made me really suspicious.  Thanks for any input.

[DavidR]

You're welcome.

[REDACTED]

Lo acabo de recibir, estoy en Panamá y al igual estoy muy sospechosa.

[REDACTED]

I too have received the same email and am very suspicious.
I logged into my account via my browser and checked the privacy policy.
I would have thought that there would have been an "Accept" button to click to accept the changes if there was a need to do so.
I have tried the support section but no mention of this.
Be interesting to see how it pans out.

[MartinZ]

The email is legitimate. It's being sent to email addresses that aren't active on Avast account and we want to be sure before deletion that user doesn't want to keep the account. If user clicks on the button in email or logs in into Avast account we take them as active and won't delete the Avast Account.

[DavidR]

The email is legitimate. It's being sent to email addresses that aren't active on Avast account and we want to be sure before deletion that user doesn't want to keep the account. If user clicks on the button in email or logs in into Avast account we take them as active and won't delete the Avast Account.

I have to say it is poorly worded (or example) as I don't believe the EU General Data Protection Regulations (GPRD) information should be combined with anything else, like logging on, etc. 

That just looks like a phishing exercise, as there should be no requirement to have to do anything else to comply on the part of the user.

I have had many emails about GPRD and all they have done is let the person know that they comply with the GPRD rules.

Also the "If you keep your account active, we will also send you the latest online security news and product updates" is essentially authorisation to spam.  Again I don't feel this should be a part of any GPRD compliance notification.

[MartinZ]

Yeah I agree that the wording isn't good and shouldn't be related to GDPR. We should have done this cleanup even before GDPR. The email should be just friendly reminder if you still need the account. Other option would be that we delete the account automatically, but that's not really user friendly.

[DavidR]

Yeah I agree that the wording isn't good and shouldn't be related to GDPR.

We should have done this cleanup even before GDPR. The email should be just friendly reminder if you still need the account.

Other option would be that we delete the account automatically, but that's not really user friendly.

Agreed, the cleanup could/should have been done at a different time.

I'm not sure auto deletion is a good idea, regardless of it not being very user friendly.  The user may no longer be active (for an indeterminate period) but if they have made a contribution to the forums what happens to their posts.  Not only that people change AVs and could well come back to Avast and the forum only to find their account deleted.