
Snapchat's Lesson Learned: Avoid Falling for Phishing Attack

By Salo Fajer, CTO, Digital Guardian

February saw Snapchat fall victim to one of the most popular cyber scams—phishing attacks. In the incident, Snapchat’s payroll department was targeted by an isolated email scam in which a hacker impersonated the company’s CEO to ask for employee payroll information. Unfortunately, since the communication appeared to come from a familiar sender, employees fell for the bait, releasing salary data, Social Security numbers, bank details and much more.

According to Snapchat, no user data was affected, but the phishing attack is one that could cause long-lasting headaches and security risks for the company’s employees. To alleviate the distress, Snapchat has offered its affected workers two years of identity theft insurance and monitoring for free. 

This attack is evidence that any business—regardless of size, industry type or location—is at risk of falling victim to a phony phishing scheme. While many companies are introducing staff to basic cybersecurity best practices like regular security training, are they able to stop the next employee from opening an email that appears to be from the company’s CEO? Sadly, the answer is likely a resounding “no.” 

Phishing 101 

Phishing attacks are a form of social engineering that use targeted email, malicious websites and even phone calls (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity. The goal of a phishing attempt is to trick the recipient into taking the attacker’s desired action, such as providing login credentials or entering personal information into a fraudulent website. Phishing websites may also contain malicious code which executes on the user’s local machine when a link is clicked from a phishing email to open the website. 

Small to medium-sized businesses can be especially vulnerable to these types of threats, as many of these organizations lack the full-featured network and data security processes and protocols that large organizations employ. However, big brands are not in the clear either, as Snapchat recently demonstrated. Remaining vigilant will help ensure that any individual or organization—regardless of size—won’t fall victim to a phishing attack, putting sensitive personal and corporate data at risk.  

Phishing attempts most often take the form of an email that seemingly comes from a company or individual the recipient knows or does business with. USA.gov lists some widespread phishing scams reported by agencies and corporations, revealing that phishing emails can take many forms. Five of the most popular forms of phishing attacks are:

1. Emails from people claiming to be stranded in a foreign country, asking you to wire money so that they can travel home.

2. Emails claiming to be from reputable news organizations capitalizing on trending news. These emails generally ask recipients to click a link to read the full story, which in turn leads the user to a malicious website.

3. Emails claiming to be from organizations like the FTC and FDIC, referencing complaints filed or asking recipients to check their bank deposit insurance coverage.

4. Emails threatening to harm recipients unless sums in the thousands of dollars are paid.

5. Emails claiming to be a confirmation of complaints filed by the recipient. Not having logged any complaints, recipients are inclined to click on these links to find out what is being referenced. The links and attachments, of course, contain malicious code.

Phishing emails can take other forms. For example, Snapchat’s phishing attack appeared to be an email from the company’s CEO to the payroll department—but it was just a clever hacker, manipulating internal staff behind the scenes. As these attackers become more sophisticated, it becomes even more difficult for recipients to filter out phishing emails from legitimate messages.

How to Identify Phishing Attacks

Phishing is most often initiated through email, but there are ways to distinguish suspicious emails from legitimate messages. Training yourself and employees to recognize these malicious emails is a must for companies that wish to prevent sensitive data loss. Often, these data leaks occur because employees were not armed with the knowledge they need to help protect critical company data. The following may be indicators that an email is a phishing attempt rather than an authentic communication from the company it appears to be from:

• Generic greetings: Phishing emails often include generic greetings, such as “Hello Bank Customer” rather than using the recipient’s actual name.

• Requests for personal information: Most legitimate companies will never email customers and ask them to enter login credentials or other private information by clicking on a link to a website. This is a safety measure to protect consumers and help customers distinguish fraudulent emails from legitimate ones.

• Desires an urgent response: Most phishing emails attempt to create a sense of urgency, leading recipients to fear that their account is in jeopardy or they will lose access to important information if they don’t act immediately.

• Spoofed links: Does a hyperlink in the message body actually lead to the page it claims? Never click on these links to find out; instead, hover your mouse pointer over the link to verify its authenticity.

If the content of an email is concerning, call the company in question to find out whether the email was sent legitimately. If it was not, the company is now aware and can take action to warn other customers and users of potential phishing attempts appearing to come from its organization.
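The indicators above, plus the executive-impersonation pattern from the Snapchat incident, can be turned into a first-pass triage check that a mail team runs over reported messages before a human looks at them. The script below is an added example written for this article, not code from the author or from Digital Guardian. It assumes a hypothetical corporate domain (`example.com`), a hypothetical executive roster (`EXECUTIVES`), and two constructed sample messages; it checks for a known executive's display name paired with an outside address, a Reply-To on a different domain than the visible sender (a step beyond the article's list, included because it is the usual companion of display-name spoofing), generic greetings, urgency language, requests for sensitive data, and hyperlinks whose visible text names a different host than the real target, which is the programmatic form of "hover over the link".

```python
"""Heuristic phishing triage for one RFC 822 message (added example; not the article's code)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed corporate domain and executive roster (hypothetical values).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address

# Phrase lists behind the article's indicators; extend for your environment.
GENERIC_GREETINGS = ("dear customer", "hello bank customer", "dear user", "dear account holder")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "account will be suspended", "act now")
SENSITIVE_REQUESTS = ("password", "login credentials", "social security", "w-2",
                      "payroll information", "bank details")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain; '' when none can be parsed."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def spoofed_links(html):
    """Return (visible_text, href) pairs whose visible host differs from the real target host."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # Only compare when the visible text itself looks like a URL or domain name;
        # "click here" style anchors carry no host claim to contradict.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                findings.append((text, href))
    return findings


def analyze(raw_message):
    """Return the indicators found in one message plus a simple count-based score."""
    msg = message_from_string(raw_message, policy=policy.default)
    indicators = []

    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_name, from_addr = from_name.strip().lower(), from_addr.lower()
    # A known executive's display name on an address that is not theirs (the Snapchat pattern).
    if from_name in EXECUTIVES and from_addr != EXECUTIVES[from_name]:
        indicators.append("executive-impersonation")
    # Replies quietly routed to a domain other than the visible sender's.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        indicators.append("reply-to-mismatch")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    is_html = body is not None and body.get_content_type() == "text/html"
    links = spoofed_links(content) if is_html else []
    text = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", content)).lower()

    if any(g in text for g in GENERIC_GREETINGS):
        indicators.append("generic-greeting")
    if any(p in text for p in SENSITIVE_REQUESTS):
        indicators.append("sensitive-data-request")
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency")
    if links:
        indicators.append("spoofed-link")
    return {"indicators": indicators, "spoofed_links": links, "score": len(indicators)}


# Constructed sample messages (not real mail): a CEO-to-payroll lure and a benign note.
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@example-mail.net>
To: payroll@example.com
Subject: W-2 information needed today
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi team,</p>
<p>I need the payroll information for all employees immediately.
Upload it at <a href="http://upload.example-mail.net/w2">https://hr.example.com/upload</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Quarterly numbers

Hi Bob, the quarterly numbers are attached for your review. Thanks, Jane
"""

if __name__ == "__main__":
    for label, sample in (("ceo-fraud", SAMPLE_CEO_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The score is a plain count so the thresholds stay readable; in practice a single hit on `executive-impersonation` or `spoofed-link` is worth a human look on its own, while `urgency` alone is noise. The HTML parsing is deliberately limited to anchor text versus target host, which is exactly what the "hover over the link" advice has a reader check by eye.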

With these best practices in place, businesses will be better equipped to identify legitimate versus phony communications via email. The reality is, phishing attacks will continue to occur, but by properly educating employees and remaining vigilant, a company is less likely to fall for the bait.
