Day one at the RSA Conference. While this week’s theme of threat intelligence is still the key coverage point, something happened recently at Snapchat that's worth discussing - so here's a quick recap from the show floor.
On Sunday, Snapchat reported that its payroll department was the victim of a phishing attack that led to the compromise of employee data. There have been a number of similar attacks this month, as criminals seek staff records for tax-related fraud.
The company outlined the incident on their blog:
“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information. Unfortunately, the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.
“Needless to say, we responded swiftly and aggressively. Within four hours of this incident, we confirmed that the phishing attack was an isolated incident and reported it to the FBI. We began sorting through which employees–current and past–may have been affected. And we have since contacted the affected employees and have offered them two years of free identity-theft insurance and monitoring.”
Snapchat isn’t alone. Every organization, from large enterprises to the Bay Area’s brightest unicorns, can fall victim to a phishing attack.
Last week, Salted Hash covered a number of successful spear phishing attacks, or in this case BEC (Business Email Compromise) attacks, including what they are and why they’re popular with criminals.
The type of attack that worked against Snapchat isn’t new, but it’s effective, because people (for the most part) are helpful, and employees (even with training) are hesitant to refuse a request that appears to come from the CEO.
But something in the Snapchat disclosure stands out as harmful (at least in my opinion):
“…So it’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees….”
No, Snapchat, you were the victim of a crime. Awareness training is great, and it does work to a certain degree, but it isn’t perfect, and everyone will eventually fall for a targeted attack like this.
Don’t be embarrassed. Learn from this incident, work to protect your staff, and move forward. No matter how large or small, no company should ever be ashamed of being a victim.