Online fraudsters managed to fool an employee of photo-chat service Snapchat, convincing the unnamed worker to send information on several current and former employees to the attackers, the company said in a statement on Feb. 29.
On Feb. 26, an employee received a single phishing email to Snapchat's payroll department, requesting financial information on an undisclosed number of employees. The worker responded to the email, and "payroll information about some current and former employees was disclosed externally," the company stated.
"It's with real remorse—and embarrassment—that one of our employees fell for a phishing scam and revealed some payroll information about our employees," the company stated in its blog post. "The good news is that our servers were not breached, and our users' data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised."
The incident is the latest success for a scam of growing popularity. Known alternately as a business email compromise (BEC) or CEO fraud, the social-engineering attack sends a request for a money transfer or sensitive information to an employee from an email address that appears to come from the CEO or chief financial officer (CFO). Often the attackers actually have control of the executive's email account.
Because tax season is nearing, fraudulent requests for payroll information will likely increase, and companies should be on watch, Stu Sjouwerman, CEO of security awareness training company KnowBe4, told eWEEK.
"It started out with these scams attempting to initiate transfers of money, but now we are dealing with tax season, and suddenly there are waves of W–2 scams that suddenly popped up," he said.
While the Snapchat employee released sensitive payroll information, the incident could have been worse. Other victims have executed money transfers after receiving such an email, paying out millions of dollars.
Snapchat contacted the FBI, identified the affected employees and offered them a two-year subscription to an identity-theft monitoring and insurance service, the company said.
While many security firms focus on defending against sophisticated attacks using software vulnerabilities, phishing is often the way that attackers gain their first foothold inside a targeted company's network.
"Snapchat's employee data leak is yet another example of how easy it is to fall victim to a phishing attack," Grayson Milbourne, security intelligence director of Webroot, said in an email sent to eWEEK. "Even with the range of sophisticated hacking tactics, old-school techniques like phishing are still very prevalent, leaving online users more vulnerable to cyber-threats."
The best defense against phishing is still a matter of debate. Security awareness training companies, such as KnowBe4, argue that teaching workers to recognize phishing and report fraudulent email requests is the best way to improve defenses against social-engineering attacks. Other security firms argue that attackers can easily keep sending email messages until they get someone to fall for the scam, making education less than effective. Instead, technology that detects the leak of sensitive data or potentially malicious email attacks can minimize the risk.
Prudent companies tend to focus on both lines of defense. Snapchat has pledged to train its workforce more aggressively.
"When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong," the company said in its statement. "To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks."