Snapchat, the popular ephemeral messaging application, just announced a phishing attack that has compromised the identities of a number of its current and former employees.
According to a blog post from the company, Snapchat’s payroll department was targeted by an isolated phishing scam, where a scammer impersonated the company’s chief executive officer and asked for employee payroll information. The email was not recognized as a scam and as a result, personal information about some current and former employees was disclosed.
Snapchat has not revealed the specific information that was released, but because it is sensitive payroll information, it could likely include everything from salary data and Social Security numbers, to bank details and addresses.
The frequency of phishing attacks continues to rise, and even unsophisticated hackers now have access to the tools needed to orchestrate an attack. According to a report from PhishLabs, “basic, even free, phishing kits now contain a variety of clever functions, as well as obfuscation and anti-analysis techniques.” While more sophisticated attackers are selling phishing kits for anywhere between $1 and $50, others are making them freely available.
In 2015, the FBI coined the term “business email compromise” to describe the growing category of phishing attacks targeting American companies. As of August 2015, the Bureau estimated that “since 2013, the total dollar losses to American companies exceeded $740 million, while only hitting around 7,000 targets. When international victims are added in, the losses total $1.2 billion.”
As with the case of Snapchat, attackers frequently impersonate executives from the company in order to hack in to company networks. These attacks are often difficult to detect. It’s essential that companies invest time in educating their employees on safe email practices, including:
- Using strong, unique passwords and enable two-factor authentication whenever possible
- Keeping all systems up-to-date with the latest security patches and updates
- Avoiding sharing sensitive information over email, or utilizing code words to verify that the person requesting the information is indeed that person and not an attacker
- Not clicking on any suspicious links
- Deploying SPAM filters