The breach exposed nearly 10,000 former and current Seagate employees, according to a statement from the data storage firm. The breach was discovered March 1 on the heels of a similar attack on photo-sharing app Snapchat.
Seagate stock fell 3.5% Tuesday as the news made headlines and fell a fraction Wednesday before rising 2.2% Thursday, and shares were up nearly 2% early Friday. Seagate confirmed the breach in an email to IBD.
“The information was sent by an employee who believed the phishing email was a legitimate internal company request,” Seagate said. Released information includes Social Security numbers and addresses of anyone employed by Seagate in 2015.
Phishing attacks on businesses are becoming more prevalent, Ryan Kalember, Proofpoint senior vice president of cybersecurity strategy, told IBD. He refers to it as “impostor fraud.” The W-2 attack is just the most recent iteration, he said.
Snapchat admitted to a similar attack on Feb. 28 in a blog post titled “An Apology to Our Employees.” The scammer impersonated CEO Evan Spiegel, successfully asking for payroll information. Internal systems and user information remained secure.
Both Seagate and Snapchat reported the attacks to the FBI, which recorded more than $215 million lost in phishing attacks between October 2013 and December 2014, according to a report in January. Both firms also offered two years of credit monitoring for the victims.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected and learn from what went wrong,” Snapchat wrote.
Tax fraud phishing is seasonal, Kalember noted. Wire transfer requests are also popular — and thrifty — modes of generating a lot of money. Networking firm Ubiquiti Networks (UBNT) found that out the hard way last August after a phisher tricked it into wiring $46.7 million overseas.
And scammers are becoming more sophisticated, says Slawek Ligier, Barracuda Networks’ (CUDA) vice president of product development. “Spear-phishing” and “whaling” involve targeting someone with either money or access.
Tricky email tactics — changing the “N” in Barracuda Networks to “M” or spoofing a CEO’s email address — tend to reap the most success, Ligier told IBD. From there, scammers indulge in a series of social engineering measures.
“They don’t want to waste their time on people who won’t fall for it,” he said. “But the scammer will really invest a lot of time and effort to slowly reel their victim in.”
Stickier yet, there are legitimate reasons to spoof a CEO’s email, Kalember says. A company will allow a third party to spoof an email — make it appear as if the email is coming from that CEO — for marketing purposes. A spoof can use any display name that the spoofer chooses.
Traditional email protection services can’t deal with spoofs, Kalember says.
“Defenses are looking for malware, and they are not equipped for this,” he said. “There is no malware. There is no payload. And the tricky part is, there’s also legitimate business emails from people who need their W-2s.”
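The two tricks described above, a one-letter domain swap and a freely chosen display name, leave traces in the From header even when there is no payload to scan. The following sketch is an added example, not code from any vendor quoted in this article; the company domain, executive name and approved third-party sender domain are assumed placeholders.

```python
from email.utils import parseaddr

# Assumed values for illustration only.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}                   # display names an impostor may borrow
APPROVED_SENDERS = {"mailer.example.net"}   # third parties allowed to send as executives

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return the reasons a From header looks like impostor fraud."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == COMPANY_DOMAIN or domain in APPROVED_SENDERS:
        # Header checks cannot judge an exact or authorised spoof.
        return []
    reasons = []
    # A domain one or two characters away from the real one ("N" swapped for "M").
    if edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append("lookalike-domain")
    # An executive's display name on an address outside the company.
    if " ".join(name.lower().split()) in EXECUTIVES:
        reasons.append("executive-name-external-address")
    return reasons

# Constructed sample headers, not taken from any real incident.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe" <jane.doe@exanple.com>',
    '"Jane Doe" <jd.office@mailbox.test>',
    '"Jane Doe" <news@mailer.example.net>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "ok")
```

The approved-sender list reflects the point that some third-party mail sent in the CEO's name is legitimate, which is why a display-name match alone cannot be treated as proof of fraud.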
Agari CEO Patrick Peterson says his privately held company aims at this problem. Cisco Systems (CSCO) IronPort business veterans (Cisco bought IronPort in 2007) founded Agari, which uses proprietary technology to filter out phishing emails, Peterson told IBD. It differs from Proofpoint, which plans this quarter to flag phishing emails in the same vein as spam and “adult content.”
“When (executives) see these stories about Seagate, I imagine they break out into a cold sweat, thinking they have no solution,” Peterson said.
Spear-phishers differ from mass phishers. The latter send a blast email hoping to dupe a few vulnerable people. The former do more research and rely on social engineering to persuade a target of their legitimacy.
“The best defense we have today — which is a pretty crappy one — is telling people to be careful,” he said.
At the annual cybersecurity RSA Conference last week in San Francisco, Calif., executives were most concerned about phishing scams, he said. Malware detection has become so sophisticated that scammers have been forced to rely on the weak human link.
So far, it’s working. Recent breaches of the Office of Personnel Management, Anthem (ANTM), Sony (SNE) Pictures Entertainment and Target (TGT) also began with a phishing email; phishing emails account for about 90% of all attacks, Peterson said.
“This really serves as a wake-up call to the tech industry to dig deep and find solutions,” he said. “Unfortunately, my crystal ball says we’re going to see a lot more of these notices.”