
Cybersecurity: Say no to your CEO

14th Mar 2016

Last month one of Snapchat’s payroll staff may have wished they could disappear as fast as their messages, as it was revealed that they had accidentally emailed confidential employee data to a scammer.

In a blog post about the incident, the company stated that, despite being “a company that takes privacy and security seriously”, one of its employees had been duped by a fake email purportedly sent by company CEO Evan Spiegel.

The ‘spear phishing’ email appeared to be from the Snapchat CEO, but actually came from an external e-mail address disguised to look like genuine internal correspondence.

The employee didn’t recognise the email as fake and subsequently sent over a copy of Snapchat’s payroll database.

“The good news is that our servers were not breached, and our users’ data was totally unaffected by this,” Snapchat outlined in their blog. “The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.”

‘Whaling’ attacks on the rise

These types of attack, which are also known as ‘whaling’, have been steadily increasing. Fraudsters use business networking sites like LinkedIn to collect basic information about high-value executives within a company, then target employees who deal with confidential information or have access to company funds.

The scammers then create emails appearing to be from company executives such as a CEO or chief financial officer compelling finance department employees to transfer money to an account for an urgent deal or invoice payment, or send personal details (which was the case in Snapchat’s ‘incident’).

Several AccountingWEB members have reported receiving these emails, with member GSPANESER commenting that the correspondence “gave the appearance that the message originated from the MD.

“Even the email address was similar (and the difference was only spotted once going into Outlook properties). To be absolutely sure I had to interrupt a meeting the MD was in just to confirm my suspicions. It was very fortunate (for me especially) that I did!”

Invoice Dragon stated: “Received a fake email from our chairman asking me if I could make an immediate payment and when I said yes an invoice was supplied.

“I saw nothing untoward in the emails and they looked perfectly legitimate. It was only our internal controls which stopped the payment i.e. the chairman had to physically sign authorisation for the payment. I thought I'd never get fooled by one of these scams but, believe me, they are extremely effective and appear to be authentic.”
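Both members spotted the fraud only by looking past the display name at the actual sender address, which is exactly the check a mail gateway or mailbox rule can do for every message. The script below is an added example written for this article, not a tool from Snapchat, AccountingWEB or the members quoted: it parses a message's headers and flags a lookalike sender domain, a display name that claims to be an executive but does not use that executive's address, a Reply-To that diverts replies elsewhere, and, once a header problem is present, the urgency language these emails rely on. The organisation domain example.com, the hypothetical CEO "Jane Doe", the confusable-character table and both sample messages are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample data. example.com stands in for the organisation's own domain and
# "Jane Doe" for a hypothetical CEO; neither message is a real one.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> the only address it may use

SPOOFED = b"""\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@yahoo.com
To: payroll@example.com
Subject: Urgent - payroll export needed before the board call

Can you send me a copy of the payroll export as soon as possible?
"""

GENUINE = b"""\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 headcount

Thanks for the report.
"""

# Character substitutions that survive a glance at the From line ('rn' for 'm', '1' for 'l', ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]
URGENCY = ("urgent", "immediately", "asap", "as soon as possible", "confidential")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_internal(domain, internal=INTERNAL_DOMAIN):
    return domain == internal or domain.endswith("." + internal)


def normalise(label):
    """Strip punctuation and collapse confusables so 'exarnple' and 'examp-le' both become 'example'."""
    label = re.sub(r"[^a-z0-9]", "", label.lower())
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Plain edit distance; domain labels are short enough that the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, internal=INTERNAL_DOMAIN):
    """True for a domain that is not ours but is built to read like ours."""
    if is_internal(domain, internal):
        return False
    target = normalise(internal.split(".")[0])
    label = normalise(domain.split(".")[0])
    # Containment catches example-com.co and example-payroll.net; distance <= 1 catches a dropped
    # or swapped character. Containment also flags a legitimate example.org, which is intended:
    # anything that trades on our name and is not under our control deserves a look.
    return target in label or levenshtein(label, target) <= 1


def analyse_message(raw, internal=INTERNAL_DOMAIN, executives=EXECUTIVES):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    findings = []

    if not is_internal(sender_domain, internal) and is_lookalike(sender_domain, internal):
        findings.append(f"lookalike sender domain {sender_domain}")

    # The display name is what the recipient reads; the address is where the mail really came from.
    expected = executives.get(display.strip().lower())
    if expected and expected != sender.lower():
        findings.append(f"display name '{display}' impersonates {expected}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {sender_domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")).lower() + " " + (body.get_content().lower() if body else "")
    hits = [word for word in URGENCY if word in text]
    if hits and findings:   # urgency alone is normal business; with a header problem it is a tell
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, analyse_message(raw) or ["no findings"])
```

The executive directory is the important input: a display name is free text, so the only reliable question is whether the name on the message is allowed to come from the address it came from. Run against a mailbox export, the findings can be turned into a warning banner on the message rather than a silent drop, since the genuine CEO will occasionally write from a phone.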

Companies should foster a ‘different kind of response’

According to cybersecurity expert Graham Cluley, it takes just one employee making one mistake to compromise a company’s entire operational integrity. They may realise seconds later that they’ve made a mistake, but the damage is already done.

Cluley recommends that to avoid such incidents organisations need to “foster a different kind of response; a different way of thinking about security.

“Whenever anyone asks you for information which may be sensitive or confidential – even if they’re the CEO – you need to say no. And that’s got to be alright in your company culture.

“You need to say ‘we’ve got a way of transmitting you that sort of information, or a way for you to access it. But if you want it to your Yahoo! address or somewhere unofficial then that’s a problem.’”

Leaks like the Snapchat payroll data, which left through the company’s own e-mail system, can also be caught by outbound e-mail filtering and data loss prevention (DLP) tools.

DLP tools scan outgoing messages and attachments for dates of birth, national insurance numbers and other confidential information and can block the message based on pre-set policies, or at least warn the sender that the data is about to leave the company and require confirmation before allowing it. The limits of the control are worth noting: it only sees the channels it monitors, and it does nothing for a fraudulent payment request, where the safeguard is a separate authorisation step such as the physical sign-off that stopped the payment in the case above.
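As an added illustration of the policy just described (this is example code written for this article, not a product’s implementation), the script below classifies an outbound message as allow, alert or block. It counts UK National Insurance numbers using the format rules HMRC publishes (two letters, six digits, a suffix A to D, with the letters D, F, I, Q, U, V never used and a few prefixes unallocated), counts dd/mm/yyyy dates with a plausible birth year, and looks for payroll vocabulary; it then applies a constructed policy only when at least one recipient is outside the company. The domain example.com, the thresholds and the sample payroll export are all constructed for the example and contain no real people or numbers.

```python
import re

# Constructed policy values; example.com stands in for the organisation's own domain.
INTERNAL_DOMAIN = "example.com"
PAYROLL_KEYWORDS = ("salary", "payroll", "sort code", "bank account")

# UK National Insurance number: two letters, six digits, suffix A-D, with or without spaces.
# The first letter is never D, F, I, Q, U or V, the second never D, F, I, O, Q, U or V, and the
# prefixes BG, GB, NK, KN, TN, NT and ZZ are not allocated, so those are rejected up front.
NINO = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z](?:\s?\d{2}){3}\s?[A-D]\b"
)
# dd/mm/yyyy with a 19xx or 20xx year; one such date is weak evidence, a column of them is not.
DOB = re.compile(r"\b(?:0?[1-9]|[12]\d|3[01])/(?:0?[1-9]|1[0-2])/(?:19|20)\d{2}\b")

# Constructed payroll export of the kind the article describes; no real people or numbers.
CONSTRUCTED_PAYROLL = """\
Name,NI number,DOB,Salary
A. Person,AB123456C,14/03/1985,41000
B. Person,CE 98 76 54 A,02/11/1979,38500
C. Person,JH112233D,30/06/1990,52000
"""


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_internal(domain, internal=INTERNAL_DOMAIN):
    return domain == internal or domain.endswith("." + internal)


def count_indicators(text):
    """Count each class of sensitive indicator in the message body (or an extracted attachment)."""
    lowered = text.lower()
    return {
        "national insurance number": len(NINO.findall(text)),
        "date of birth": len(DOB.findall(text)),
        "payroll keyword": sum(lowered.count(k) for k in PAYROLL_KEYWORDS),
    }


def evaluate(body, recipients, internal=INTERNAL_DOMAIN):
    """Decide allow / alert / block for one outbound message.

    'block' stops the message outright; 'alert' lets it go only after the sender confirms they
    meant to send that data outside the company, which is the prompt the article describes.
    """
    counts = count_indicators(body)
    external = [r for r in recipients if not is_internal(domain_of(r), internal)]
    if not external:
        return {"action": "allow", "reason": "all recipients internal", "counts": counts}
    if counts["national insurance number"] >= 1:
        action, reason = "block", "NI numbers may not leave the company by e-mail"
    elif counts["date of birth"] >= 3 or counts["payroll keyword"] >= 2:
        action, reason = "alert", "looks like personnel data going to " + ", ".join(external)
    else:
        action, reason = "allow", "no policy match"
    return {"action": action, "reason": reason, "counts": counts, "external": external}


if __name__ == "__main__":
    print(evaluate(CONSTRUCTED_PAYROLL, ["ceo.urgent@yahoo.com"]))
    print(evaluate(CONSTRUCTED_PAYROLL, ["hr@example.com"]))
```

The asymmetry between the two thresholds is deliberate: a single NI number has no business in external mail, so it is a hard stop, whereas a handful of dates or the word “salary” is ambiguous enough that the right response is to make the sender pause and confirm. In a real deployment the same counting would run over decoded attachments, which is where a payroll export usually travels.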
