Hook, line and sinker: a lesson from Snapchat’s phishing incident

ID NotifyThe popular video messaging app, Snapchat, recently announced a phishing attack that has compromised the identities of a number of its current and former employees.

Snapchat disclosed on their blog that their payroll department was targeted by an isolated phishing scam, where a scammer impersonated the company’s CEO and asked for employee payroll information. As a result of the scam going undetected, personal information about some current and former employees was released.

Due to the sensitive nature of the information released, it could likely include everything from salary data and Social Security numbers, to bank details and addresses. However, Snapchat has not disclosed the specific information that was released.

Phishing attacks continue to plague businesses, as unsophisticated hackers now have access to the tools needed to orchestrate these attacks with ease. According to a report from PhishLabs, “basic, even free, phishing kits now contain a variety of clever functions, as well as obfuscation and anti-analysis techniques.” While more sophisticated attackers are selling phishing kits for anywhere between $1 and $50, others are making them available for free.

The FBI has coined the term “business email compromise” to describe the growing category of phishing attacks targeting American companies. As of August 2015, the Bureau estimated that “since 2013, the total dollar losses to American companies exceeded $740 million, while only hitting around 7,000 targets. When international victims are added in, the losses total $1.2 billion.”

Just like in the case with Snapchat, attackers frequently impersonate executives from the company in order to hack into company networks. These attacks are often hard to detect, which is why it’s essential that companies invest time in educating their employees on safe email practices, including:

  • Using strong, unique passwords and enable two-factor authentication whenever possible
  • Keeping all systems up-to-date with the latest security patches and updates
  • Avoiding sharing sensitive information over email, or utilizing code words to verify that the person requesting the information is indeed that person and not an attacker
  • Not clicking on any suspicious links
  • Deploying SPAM filters

For more information on how to keep your identity safe, visit our Tips page.