Yet another internet communications company has fallen for a scam and seen customer data exposed as a result. Twilio has just disclosed a data breach.
The company, which provides the tools for phone and text communication, notified the public that it has become aware of unauthorized access to “information related to a limited number of Twilio customer accounts” on August 4th.
It was a phishing attack, meaning that Twilio employees were tricked into handing over their credentials, rather than attackers exploiting a flaw in the company's software. Sadly, phishing is on the rise, with retail and wholesale businesses together seeing increases of more than 400% in phishing attempts over the past year.
How the Twilio Phishing Scam Worked
Twilio is still early in its investigation, but the company painted a clear picture of how the social engineering hack went down in its announcement. If you're familiar with common phishing attempts, it won't be a surprise, but it's an easy trick to fall for even when you know what to look for.
Both current and former employees have reported getting text messages impersonating the company's IT department, Twilio explains. These texts might claim a password has expired or a schedule has changed — anything to prompt the would-be victim to try to log into their account. Then, they're sent to a URL controlled by the phisher.
“The URLs used words including ‘Twilio,’ ‘Okta,’ and ‘SSO’ to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page,” Twilio says. “The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down.”
The company notes that the threat actors appeared to have the “sophisticated abilities” to match employee names with phone numbers, so the texts reached the right people. Unlike the generic SMS phishing most of us receive in our text messages or messaging apps, these messages were tailored to their targets.
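To make the tradecraft concrete, here is an added example in Python (not code from Twilio or its disclosure) of how a security team might triage employee-reported text messages: it extracts URLs, compares each hostname against an allowlist of the company's real sign-in hosts, and flags URLs that are not allowlisted but carry the brand words the attackers used. The allowlist, the sample messages and the `example.com` hosts are constructed for this illustration. The same exact-host comparison, rather than a "does it contain our name" check, is what lets a password manager refuse to autofill on a lookalike domain.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts that legitimately serve the company's sign-in
# flows. A real deployment would list its own SSO / identity-provider hosts.
LEGIT_HOSTS = {"example.com", "example.okta.com", "sso.example.com"}

# Brand words Twilio's disclosure says the attackers embedded in their URLs.
BRAND_WORDS = ("twilio", "okta", "sso")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample of reported SMS text; not real messages.
SAMPLE_SMS = [
    "IT Dept: your password has expired. Reset now at https://example-okta-sso.net/login",
    "Schedule change. Review at https://sso.example.com/schedule",
    "Your package is waiting: https://tracking.evil.example/pkg",
    "Sign in to keep access: http://example.com.sso-portal.xyz/okta",
]


def is_legit_host(host):
    """True only for an allowlisted host or a subdomain of one.

    Substring matches ("example.com.sso-portal.xyz") deliberately do not count:
    the attacker controls everything to the left of the registrable domain.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def classify_url(url):
    """Return 'legit', 'lookalike' or 'other' for one URL.

    urlsplit().hostname ignores userinfo, so "https://sso.example.com@evil.example/"
    is judged by the real host (evil.example), not the decoy before the '@'.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_legit_host(host):
        return "legit"
    haystack = host + parts.path.lower()
    if any(word in haystack for word in BRAND_WORDS):
        return "lookalike"
    return "other"


def triage_sms(messages):
    """Return (message, url, verdict) for every lookalike URL in the messages."""
    hits = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            verdict = classify_url(url)
            if verdict == "lookalike":
                hits.append((msg, url, verdict))
    return hits


if __name__ == "__main__":
    for msg, url, verdict in triage_sms(SAMPLE_SMS):
        print(f"{verdict:10} {url}")
```

Run as a script it lists the two constructed lookalike URLs; the legitimate `sso.example.com` link and the unrelated parcel-tracking link are left alone. The allowlist must hold the hosts users actually type or are sent to, including the identity provider's own tenant host, or legitimate SSO links will be flagged too.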
Can You Survive a Phishing Attack?
Twilio's response was the right one: The company made the attack public, but not before notifying affected customers and working with them.
The best approach would be prevention of a phishing attack at all, of course. If you're worried about the issue at your company, there are a few mitigating precautions you can take.
- First, invest in a few security measures. Remote work software can help employees know which services and login pages are legitimate, provided they remember not to follow outside links no matter how official they look. Phishing-resistant MFA, such as FIDO2/WebAuthn security keys, is the strongest of these measures: the key only signs for the genuine site's origin, so a lookalike page cannot complete the login even with a stolen password.
- Second, employee training courses can help to drive home preventative habits such as checking for misspelled domains in email addresses and links, and questioning unannounced changes in how the IT team contacts employees.
- Finally, a good company-wide password manager only autofills a saved credential on the exact site it was saved for, so an unknown or lookalike login page gets no autofill. That gives employees one final chance to notice something is amiss before giving away their login credentials for good.
We've rounded up the top options when it comes to enterprise password security tools, and given the escalating phishing attacks on companies, we'd recommend getting a password manager sooner rather than later.