Snapchat yesterday acknowledged that one of its employees had fallen for a spear phishing scam and revealed employee payroll information.
“The good news is that our servers were not breached, and our users’ data was totally unaffected by this,” the company stated in a blog post. “The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.”
On February 26, the company says, an email claiming to come from the CEO and asking for payroll data was sent to Snapchat’s payroll department. “Unfortunately, the phishing email wasn’t recognized for what it was — a scam — and payroll information about some current and former employees was disclosed externally.”
All those affected have been offered two years of free access to an identity theft monitoring service, and the company says it will “redouble our already rigorous training programs around privacy and security in the coming weeks.”
“Unfortunately for those affected employees, employee payroll information includes the necessary data that crooks could use to file fraudulent tax returns and request a refund,” Sophos’ John Zorabedian noted in a blog post.
Tripwire director of IT security and risk strategy Tim Erlin told eSecurity Planet by email that criminals continue to use phishing because it works. “While training employees can definitely help, phishing tactics evolve continuously to beat the training,” he said.
A recent Mimecast survey of 600 IT security professionals found that 65 percent of respondents don’t feel fully equipped to defend against email-based attacks, and one third of respondents believe their email is more vulnerable today than it was five years ago.
Fifty-five percent of respondents reported an increase in whaling attacks on their companies.
“Organizations are target-rich environments for cybercriminals,” Mimecast cybersecurity strategist Orlando Scott-Cowley told eSecurity Planet by email. “Whaling or CEO fraud uses effectively simple social engineering to trick employees into handing over critical data or making fraudulent financial transactions.”
“This Snapchat email fraud is a prime example of fraudsters getting hold of valuable data in order to launch secondary attacks,” Scott-Cowley added. “These attacks usually do not include any malware and evade traditional email security techniques.”
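Because whaling messages like the one described here carry no malware, attachment and URL scanning gives defenders little to work with; what is left is the mismatch between who the message claims to be from and where it actually originates or replies to. The script below is an added illustration of that idea and is not code from the article, Snapchat, Tripwire or Mimecast. The company domain, the executive roster and the three sample messages are constructed for the example; a real deployment would pull the roster from a directory and run at the mail gateway.

```python
"""Added example: flag CEO-fraud (whaling) emails by identity mismatch.

Not code from the article or from any company it quotes. The internal
domain, executive names and sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumed internal domain
EXECUTIVES = {"pat example": "CEO", "sam sample": "CFO"}  # constructed roster
SENSITIVE_TERMS = ("payroll", "w-2", "wire transfer", "direct deposit")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(name: str) -> str:
    """Normalise a display name so 'Pat  EXAMPLE' matches 'pat example'."""
    return " ".join(name.lower().split())


def assess_message(raw: str) -> dict:
    """Parse one RFC 822 message and return findings plus a verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Signal 1: display name of a known executive, but the address is external.
    role = EXECUTIVES.get(_norm(from_name))
    impersonation = bool(role) and _domain(from_addr) != COMPANY_DOMAIN
    if impersonation:
        findings.append(f"{role} display name with external address {from_addr}")

    # Signal 2: Reply-To points somewhere other than the From domain, so the
    # victim's answer (and any attached payroll data) leaves the company.
    reply_mismatch = bool(reply_addr) and _domain(reply_addr) != _domain(from_addr)
    if reply_mismatch:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from "
                        f"From domain {_domain(from_addr)}")

    # Signal 3: the request itself concerns payroll or money movement.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    asks_sensitive = any(term in text for term in SENSITIVE_TERMS)
    if asks_sensitive:
        findings.append("requests payroll or financial data")

    suspicious = impersonation or (reply_mismatch and asks_sensitive)
    return {"suspicious": suspicious, "findings": findings}


# Constructed samples: a look-alike external domain, a legitimate internal mail,
# and an internal-looking From with an external Reply-To.
SPOOFED = """From: Pat Example <pat.example@exarnple-mail.com>
To: payroll@example.com
Subject: Urgent: payroll report needed today

Please send me the full payroll report for all employees before noon.
"""

LEGIT = """From: Pat Example <pat.example@example.com>
To: payroll@example.com
Subject: Lunch on Friday

Are we still on for the team lunch?
"""

REPLY_TO = """From: Sam Sample <sam.sample@example.com>
Reply-To: sam.sample@webmail.invalid
To: payroll@example.com
Subject: W-2 copies

Can you send me the W-2 forms for all staff as PDF?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("reply-to", REPLY_TO)):
        print(label, assess_message(sample))
```

The verdict rule is deliberately conservative: an executive's name on an external address is flagged on its own, while a Reply-To mismatch only escalates when the message also asks for payroll or money data, since legitimate mail from personal accounts exists. Header checks like these complement, rather than replace, DMARC enforcement on the company's own domain and the training the article discusses.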