When an email came in last Friday from Snapchat CEO Evan Spiegel asking for employee payroll information, the payroll department dutifully complied.
Except the email wasn’t from Spiegel, but rather a sneaky cybercriminal who targeted the company in a spear-phishing attack.
Spear-phishing is a type of social engineering attack targeted at a particular individual or organization to make it more believable – in this case, by impersonating Snapchat’s CEO.
The attacker stole private payroll information of an unknown number of past and present Snapchat employees.
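As an added example that is not from the article or from Snapchat, here is a small Python filter a mail gateway could run to flag the pattern described above: a message whose display name matches an executive but whose sender or Reply-To domain is not the company's, combined with payroll or tax-form language. The executive directory, the example.com domain and the two sample messages are constructed for this demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory: executives worth protecting, mapped to the domain
# their genuine mail comes from (example.com is a placeholder, an assumption).
EXECUTIVES = {"evan spiegel": "example.com"}

# Phrases that typically appear in payroll / tax-data requests.
SENSITIVE_TERMS = [r"\bpayroll\b", r"\bw-?2s?\b", r"\bssns?\b",
                   r"\bsocial security\b", r"\bwire\b", r"\bsalary\b"]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    expected = EXECUTIVES.get(name.strip().lower())
    # Display name of a known executive, but the address is not on the corporate domain.
    if expected and from_domain != expected:
        findings.append(f"display name '{name}' matches an executive but sender domain is '{from_domain}'")
    # Replies silently routed to a third domain are a classic spear-phishing tell.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_to)}' differs from From domain '{from_domain}'")
    # Only escalate on sensitive-data language when a header anomaly was already found.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [t for t in SENSITIVE_TERMS if re.search(t, text)]
    if hits and findings:
        findings.append(f"sensitive-data request terms present: {', '.join(hits)}")
    return findings


# Constructed sample messages (not real mail).
PHISH = """From: Evan Spiegel <evan.spiegel@mail-example.net>
Reply-To: ceo.office@webmail-example.org
To: payroll@example.com
Subject: Urgent: employee W-2 forms
Content-Type: text/plain

Hi, please send me the payroll report and W-2s for all employees today.
"""

LEGIT = """From: Evan Spiegel <evan.spiegel@example.com>
To: payroll@example.com
Subject: Thanks
Content-Type: text/plain

Thanks for catching that request last week.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(raw))
```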
In a blog post published by “Team Snapchat” on Sunday, 28 February, the company apologized to employees and said it would be offering two years of “free” identity-theft insurance and monitoring.
Snapchat said it is “impossibly sorry” for the breach, which it called an “embarrassment.”
No Snapchat user data was stolen, and none of the company’s internal servers were compromised, Snapchat said.
Snapchat said it will “redouble our already rigorous training and programs around privacy and security,” in the hope that something like this never happens again.
Unfortunately for the affected employees, payroll records contain exactly the data crooks need to file fraudulent tax returns in their names and claim the refunds.
Snapchat isn’t alone in suffering this type of attack.
Tax fraud scams are big business for cybercrooks, and spear-phishing attacks on businesses have occurred recently at the domain registration company Rightside, and at KnowBe4 – a security awareness training company whose CFO sniffed out the phish.
The fraudsters have also repeatedly targeted the US agency in charge of tax revenue collection – the Internal Revenue Service (IRS).
The IRS admitted last week that an August 2015 data breach – originally estimated to have affected 300,000 taxpayers – is now thought to have resulted in the theft of over 700,000 people’s personal information.
And the IRS says it has seen a 400% rise in phishing attacks in the last 12 months, targeting personal information used for fraud such as Social Security Numbers (SSNs), income, filing status and PIN verifications.
Let these incidents act as a lesson to employees everywhere: if you get an out-of-the-ordinary request – even if it appears to come from inside the company – head off to HR and ask why you’re getting requests like that at all.
If you do, your CEO should thank you.