Snapchat falls for BEC scam, leaks employee payroll info

A successful email phishing attack aimed at Snapchat’s payroll department has resulted in the compromise of payroll information about some current and former employees, the company announced on Sunday.

BEC scam

The scammer impersonated Snapchat’s CEO and asked for the payroll information. Unfortunately, one of the employees was tricked into believing the email was legitimate and sent it.

“The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry,” Team Snapchat noted.

The company reacted swiftly. It notified the FBI about the incident and set about determining which employees had been affected. Once the list was compiled, the company contacted them and offered two years of free identity-theft insurance and monitoring.

“In the fast-changing universe of cybersecurity, phishing may seem like yesterday’s news. But the unfortunate reality is that hackers and cyber crooks continue to engage in phishing expeditions because they often work,” Todd Thibodeaux, president and CEO of CompTIA, commented for Help Net Security.

“The Snapchat incident is also the latest example of why technology alone isn’t enough to keep organizations secure. The best security technologies and the most comprehensive policies and processes won’t work without appropriate human preparation and action. Spreading cybersecurity awareness, knowledge and training throughout the entire organization, from the receptionist at the front desk to the CEO in the corner office, is essential,” he noted.

“Companies can no longer ignore the need for cybersecurity training, or treat it as a one-and-done activity, or as something that’s only relevant to the IT department. Cybersecurity training for all workers needs to be an ongoing initiative. Fire drills are conducted several times a year. HR policies and practices are reviewed annually with all employees. Why shouldn’t cybersecurity training have the same profile, visibility and frequency? Companies that ignore this reality run the very real risk of becoming, like Snapchat, the next cyber victim.”

Snapchat already has privacy and security training programs in place, but it has vowed to redouble them.

A similar attack was recently attempted against security awareness training company KnowBe4, but the attacker was unsuccessful.

The email was again made to look like it was coming from the company’s CEO. But the firm’s controller, who received the email asking for employee information, luckily didn’t have access to the requested data and asked the CFO for help.

As it happens, the company had recently hired a new CFO, who had just finished all of the company’s awareness training and identified the email for what it was – a phishing attempt. A simple face-to-face conversation with the CEO confirmed their suspicions: the request was bogus.

In business email compromise (BEC) scams like these, the attackers usually try to trick companies’ CFOs into transferring company funds to an account they control. But requests for information that can be monetized, such as employee payroll data, are also not unusual.
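Both lures described above share the same shape: a message whose display name matches an executive but whose sending address (or Reply-To) is not the executive’s, carrying a request for payroll or payment data. The following is an added example of the kind of mail-gateway check a defender would use to catch that pattern; it is not code from Snapchat, KnowBe4 or this article. The domain `example.com`, the executive roster, and the two sample messages are constructed for illustration.

```python
"""Screen inbound mail for executive impersonation of the kind behind the
Snapchat and KnowBe4 lures: a trusted display name on an untrusted address,
paired with a request for payroll or payment data.

Added example, not code from the article or either company. OUR_DOMAIN,
EXECUTIVES and the sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster: name -> genuine address

# Phrases that make an impersonated request high-risk: the asks the article
# describes (employee/payroll information, fund transfers).
SENSITIVE_REQUEST = re.compile(
    r"\b(payroll|w-?2s?|wire|transfer|bank details|employee (data|information|records))\b",
    re.IGNORECASE,
)


def normalise_name(display_name):
    """Lower-case, drop punctuation and collapse whitespace so 'JANE  Doe.'
    still matches the roster entry 'jane doe' (word order is significant)."""
    return " ".join(re.sub(r"[^a-z ]", " ", display_name.lower()).split())


def domain_of(address):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw_message):
    """Return (verdict, reasons) for one RFC 5322 message as a string."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()

    impersonation = []
    genuine = EXECUTIVES.get(normalise_name(display))
    if genuine and sender != genuine:
        impersonation.append("executive display name with a non-matching sender address")
    if genuine and domain_of(sender) != OUR_DOMAIN:
        impersonation.append("executive display name sent from an external domain")
    if reply_to and reply_to != sender and domain_of(reply_to) != OUR_DOMAIN:
        impersonation.append("Reply-To diverts responses to an external address")

    # Single-part messages only; a production filter would walk MIME parts.
    body = msg.get_payload() if not msg.is_multipart() else ""
    sensitive = bool(SENSITIVE_REQUEST.search(msg.get("Subject", "") + " " + body))

    if impersonation and sensitive:
        verdict = "quarantine"   # lookalike sender asking for payroll/payment data
    elif impersonation:
        verdict = "flag"         # lookalike sender, no sensitive ask yet
    else:
        verdict = "allow"        # a genuine executive may legitimately mention payroll
    return verdict, impersonation + (["requests payroll or payment data"] if sensitive else [])


# Constructed sample: the CEO's name on an outside domain, asking for payroll data.
LURE = """\
From: Jane Doe <jane.doe@exec-mail.invalid>
To: payroll@example.com
Subject: Quick favour
Reply-To: jane.doe.ceo@exec-mail.invalid

Can you send me the current payroll information for all employees
as a spreadsheet today? I am travelling and need it before my call.
"""

# Constructed sample: the same name from the genuine internal address.
GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Payroll timeline

Please confirm the payroll run date for this month.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("genuine", GENUINE)):
        verdict, reasons = assess(raw)
        print(f"{label}: {verdict} {reasons}")
```

The check deliberately keys on the display name rather than on the address alone, because that is what the recipient sees and what these lures exploit; an internal message that merely mentions payroll is allowed, while the same words under a lookalike sender are quarantined for review rather than silently dropped, so the payroll or finance team still hears about the attempt.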