Snapchat Employees Fell for a Phishing Scam, Here's How They Responded
In an official letter directed to its employees, Snapchat announced on Sunday that its employees were victimized by a phishing scam that ultimately revealed information pertaining to its employees. In it, the letter, dated February 28 said, “We’re a company that takes privacy and security seriously. So it’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.”
According to the blog post, an employee inadvertently divulged sensitive information via an “isolated email” masquerading to have come from the company’s Chief Executive Officer Evan Spiegel. Assuming that it was a legitimate request, the employee fell for the scam and readily divulged sensitive information, which includes payroll information of a number of employees.
Snapchat, the photo and video sharing app, has gained immense popularity since its 2011 release and now has over 100 million active users daily. The multimedia sharing platform has attracted more than 60% of the total number of smartphone users aged 13 to 34 in the U.S. alone, with a total number of video views amassing to 7 billion a day.
The company owned up to the lapse in judgement by one of its employees, but highlighted that the incident has been promptly dealt with. Further, no internal systems or servers have been breached and no user information was accessed by threat actors. While no further information has been disclosed as the incident is currently under investigation, the company declared that the successful phishing scam was an isolated incident that was dealt with “within four hours” after its discovery.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks,” the note states.
Phishing attacks aren’t necessarily new, but it makes for an effective attack tactic for cybercriminals. This age-old trick normally lures a target into trusting content sent their way, feigning legitimacy in order to get sensitive information. A week before the Snapchat incident, it was reported that four other organizations admitted to have fallen for phishing attacks preying on employee data—three of which led to successful breaches and one was a failed attempt.
[More: How phishing schemes lead to hacked accounts and identity theft]
Otherwise known as Business Email Compromise, schemes as the ones that took hold of Snapchat data has been targeting business to steal information and of course, money. The FBI notes that BEC scams have already cost US victims nearly $750 million dollars and affected more than 7,000 people between October 2013 and August 2015. On a global scale, scammers using this scheme have succeeded in stealing more than $50 million dollars from their victims.
[More: How BEC schemes work, and why they're effective]
As of this writing, Snapchat shared that employees whose information have been exposed have been duly notified. In addition, two years of free identity-theft insurance and monitoring have been afforded the concerned parties.
“Our hope is that we never have to write a blog post like this again,” the Snapchat entry ended.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases