UPDATED 21:05 EDT / FEBRUARY 29 2016

NEWS

Caught in a trap: Snapchat employee leaks payroll data in spear-phishing attack

Payroll data from messaging app maker Snapchat, Inc. has fallen into the wrong hands after an employee was fooled into emailing it to a person posing as the company's chief executive.

According to a post from Snapchat Sunday, the scammer impersonated Chief Executive Officer Evan Spiegel and sent a spear-phishing email to an employee in the payroll department asking for payroll information.

Although the email came from an address outside the company, neither Snapchat's email security controls nor the employee recognized it as fake, and the data was sent to the scammer.

“Unfortunately, the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally,” the post reads. “To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.”

Snapchat said that after discovering what had occurred it responded "swiftly and aggressively," reported the incident to the Federal Bureau of Investigation (FBI), and began working out which current and former employees may have been affected.

“We have since contacted the affected employees and have offered them two years of free identity-theft insurance and monitoring.”

Bypassing security

Mimecast, Inc. Cybersecurity Strategist Orlando Scott-Cowley shared his thoughts with SiliconANGLE on the attack, saying that “organizations are target-rich environments for cyber criminals. Whaling or spear-phishing fraud uses effectively simple social engineering to trick employees into handing over critical data or making fraudulent financial transactions.

“This Snapchat email fraud is a prime example of fraudsters getting hold of valuable data in order to launch secondary attacks. These attacks usually do not include any malware and evade traditional email security techniques.”

“Advanced analysis of domains, email addresses, and email content is required to start tackling this threat.”

We agree with Scott-Cowley that spear-phishing is not always easy to guard against, precisely because it evades traditional security techniques. It is nonetheless clear that Snapchat failed, at the very least, to give its employees adequate security training.

Because these attacks bypass traditional gateway protections, employees need to be trained to question the veracity of any email that requests confidential data held by the company. A request for the payroll details of Snapchat's current and former employees should have raised a great big red flag even if it had genuinely come from the Chief Executive Officer: the sensitivity of the data, not the apparent seniority of the sender, is what should trigger scrutiny.
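One layer that can catch the pattern described here before it reaches an employee is a header-level impersonation check: an executive's display name on an address outside the company domain, a Reply-To that diverts the conversation elsewhere, or an external sender asking for payroll-type data. The script below is an added example for this article, not Snapchat's or Mimecast's code; the company domain (example.com), the executive directory and the two sample messages are all constructed for illustration. It is a heuristic, so it does not catch a request sent from a genuinely compromised internal mailbox, which is why an out-of-band confirmation still matters.

```python
"""Display-name impersonation check for inbound mail.

Added example for this article. Assumptions: the protected domain is
example.com, the executive directory below is hypothetical, and both sample
messages are constructed for the illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: protected domain
EXECUTIVES = {"evan spiegel": "ceo@example.com"}    # hypothetical directory entry
SENSITIVE_TERMS = ("payroll", "w-2", "w2", "ssn", "wire transfer")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(name):
    """Collapse case, commas and whitespace so display names compare cleanly."""
    return " ".join(name.lower().replace(",", " ").split())


def _body_text(msg):
    """Plain-text body of a message, joining text/plain parts if multipart."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def analyze(raw):
    """Return a list of finding codes for one RFC 5322 message; empty means clean."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    # 1. A known executive's display name on an address outside the company.
    if _normalize(from_name) in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append("exec-display-name-external-address")

    # 2. Reply-To points at a different domain than From: replies (and any
    #    attachments the victim sends back) are diverted from the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-domain-mismatch")

    # 3. An external sender asking for payroll-type data.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    if from_dom != COMPANY_DOMAIN and any(t in text for t in SENSITIVE_TERMS):
        findings.append("external-request-for-sensitive-data")

    return findings


# Constructed sample: the CEO's name on a free-mail address, a diverted
# Reply-To, and a request for payroll data.
PHISH = """\
From: Evan Spiegel <evan.spiegel@freemail.example>
Reply-To: Evan Spiegel <ceo-office@mail.example.net>
To: payroll@example.com
Subject: Urgent: employee payroll info

Can you send me the payroll and W-2 information for all current and former employees today? Thanks.
"""

# Constructed sample: genuine internal mail with no sensitive request.
LEGIT = """\
From: Evan Spiegel <ceo@example.com>
To: payroll@example.com
Subject: Team lunch

Let's book the lunch for Friday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw) or "clean")
```

In a real gateway the findings would feed a hold-for-review action rather than an outright block, and the executive list would come from the directory rather than a literal; the three checks themselves are the ones worth keeping.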

At the very least the employee here could have picked up the phone and confirmed with the Chief Executive Officer's office (an assistant or similar) that the request was legitimate. It may sound old school to pick up a phone to confirm a request, but an out-of-band check is one safeguard that an attacker who controls only an email thread cannot manipulate.

Image credit: 27825503@N04/Flickr/CC by 2.0
