Snapchat has admitted that employee details were accidentally sent to a scammer after a staff member fell for a phishing email that purported to come from the CEO.

The incident underlines the growing trend among scammers to send emails appearing to come from senior employees to functions such as HR, payroll and accounts in an attempt to get requests responded to quickly and without question.

Snapchat explained the circumstances of the attack in a blog post: “Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our CEO and asked for employee payroll information.

“Unfortunately, the phishing email wasn’t recognised for what it was – a scam – and payroll information about some current and former employees was disclosed externally. To be perfectly clear: none of our internal systems was breached, and no user information was accessed.”

Snapchat alerted the FBI to the incident and contacted those employees who could be affected to offer free identity theft insurance and monitoring. The company will also improve efforts to train staff about this threat.

“We will redouble our already rigorous training programmes around privacy and security in the coming weeks,” the firm said.

The trend of using emails claiming to be from senior executives is described as ‘whaling’. NCC Group revealed last year that it was targeted by such a scam, although it was spotted before any information was compromised.

Others were not so lucky. The executive director of finance at a New Zealand finance institution called Te Wananga o Aotearoa left her job when she sent $118,000 to an offshore bank account after receiving an email that appeared to be from the firm’s chief executive telling her to move the money.

Wieland Alge, general manager for EMEA at Barracuda Networks, explained that this type of scam is very likely to succeed because the seniority of the apparent sender often stops recipients from questioning the request.

“Some of the most successful phishing attacks are those that successfully impersonate a person, particularly if that person is well known to the recipient,” he said.

“While the Snapchat payroll team probably don’t have a daily correspondence with the CEO, they clearly know who and how important he is, hence why they fell for the scam.”

Alge noted that HR teams in particular should be given training about this threat, and have the necessary security tools in place.

“HR and payroll are flooded with emails containing all types of attachments and they are encouraged and even obliged to open them. IT security teams must implement countermeasures against targeted attacks against this channel,” he said.
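One concrete countermeasure for the channel Alge describes is a mail-flow check that flags messages whose display name matches an executive while the actual sending address, domain or Reply-To does not. The following is an added example written for this article; it is not code from Snapchat, Barracuda Networks or any named vendor. The executive roster, the corporate domain `example.com`, the sample messages and the function names are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed configuration (assumption for this example): the executives
# scammers are most likely to impersonate, keyed by lower-cased display name,
# and the organisation's legitimate sending domain.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
CORPORATE_DOMAIN = "example.com"

# Phrases that commonly accompany requests for payroll or HR data.
SENSITIVE_TERMS = ("payroll", "w-2", "salary", "bank details", "employee list")


def _domain(addr):
    """Return the domain part of an email address, lower-cased."""
    return addr.rpartition("@")[2].lower()


def assess_message(headers, body):
    """Return a list of reasons a message looks like executive impersonation.

    headers: dict mapping lower-cased header names to values.
    body:    the message text.
    An empty list means nothing suspicious was found.
    """
    reasons = []
    display, addr = parseaddr(headers.get("from", ""))
    addr = addr.lower()
    known_addr = EXECUTIVES.get(display.strip().lower())

    # Display name belongs to an executive but the address is not theirs.
    if known_addr is not None:
        if addr != known_addr:
            reasons.append(
                f"display name '{display}' matches an executive but address is {addr}"
            )
        if _domain(addr) != CORPORATE_DOMAIN:
            reasons.append(f"sender domain {_domain(addr)} is external")

    # Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(headers.get("reply-to", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"reply-to {reply_to} differs from the sender address")

    # A sensitive request only counts against a message that already looks
    # off or arrives from outside the organisation.
    text = body.lower()
    hits = [term for term in SENSITIVE_TERMS if term in text]
    if hits and (reasons or _domain(addr) != CORPORATE_DOMAIN):
        reasons.append("requests sensitive data: " + ", ".join(hits))

    return reasons


# Constructed sample messages (not real mail).
SUSPICIOUS_HEADERS = {
    "from": "Jane Doe <jane.doe@example-mail.net>",
    "reply-to": "jane.doe.ceo@example-mail.net",
    "subject": "Urgent: employee payroll info",
}
SUSPICIOUS_BODY = (
    "Hi, I need the payroll information for all current and former employees "
    "sent to me today. Please treat this as confidential. Thanks, Jane"
)

LEGIT_HEADERS = {
    "from": "Jane Doe <jane.doe@example.com>",
    "subject": "Q3 payroll summary",
}
LEGIT_BODY = "Can you send over the Q3 payroll summary when it is ready?"


if __name__ == "__main__":
    for label, hdrs, body in (
        ("suspicious", SUSPICIOUS_HEADERS, SUSPICIOUS_BODY),
        ("legitimate", LEGIT_HEADERS, LEGIT_BODY),
    ):
        findings = assess_message(hdrs, body)
        print(f"{label}: {'FLAG' if findings else 'ok'}")
        for reason in findings:
            print("  -", reason)
```

A check like this is most useful when it runs where the mail is delivered (a gateway rule or a mailbox add-in) and surfaces the findings to the recipient, so that the payroll team sees an explicit warning before acting on an apparently urgent request from the CEO. It complements, rather than replaces, SPF/DKIM/DMARC enforcement on the corporate domain, which this example deliberately does not model.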
