Most business owners know what a phishing attack is. And this awareness has lowered the success rate of many phishing attacks. But hackers, being hackers have adapted and evolved with a new and growing type of account takeover attack. It is called lateral phishing, and here’s what you need to know.
Here is a word from Barracuda about lateral fishing and 13 email threat types to know about right now:
What is Lateral Phishing?
Regular phishing attacks generally send an email from an account designed to look like a legitimate business. With more people aware of this scheme, it is getting harder to fool people.
Hackers have found a workaround to this problem by first taking control of an account in an organization. Once they are successful, they leverage this account to launch the attacks.
The success rate of this type of attack is almost guaranteed because the recipient recognizes the email account. Everyone from contacts within the company to partners, vendors, and personal friends outside of the organization can be victimized.
Researchers from Barracuda, UC Berkeley and UC San Diego studied lateral phishing over the past year. The study and report looked at how this form of attack is becoming so pervasive. This large-scale study of lateral phishing attacks has a data set covering 113 million employee-sent emails from 92 enterprise organizations.
Of the 154 hijacked accounts the researchers identified, hackers were able to send hundreds of lateral phishing emails to more than 100,000 unique recipients.
Key Takeaways on Lateral Phishing
Lateral phishing attacks are increasingly becoming a significant cybersecurity concern for businesses. These covert attacks, which exploit compromised internal accounts to target unsuspecting employees and partner organizations, can have severe ramifications. Here are the key takeaways to understand the gravity and nuances of this threat:
- Prevalence and Reach:
- 1 in 7 organizations encountered lateral phishing in the past seven months.
- Among these affected organizations, over 60% had multiple accounts compromised.
- Attack Distribution:
- When hackers initiate these attacks, they don’t hold back. A whopping 40% of the 100K recipients in the study were within the same company.
- The external fallout is even greater, with 60K or 60% of these emails reaching partner organizations, potentially jeopardizing inter-company trust.
- Reputational and Financial Impact:
- The direct financial costs of such attacks are evident. However, there’s a lurking danger in the potential reputational damage that can lead to further financial strain. As trust erodes, partner organizations might question the security protocols in place.
- Underreporting is a Concern:
- An alarming 42% of these phishing incidents go unreported. This gap in reporting can lead to unchecked propagation of the phishing attack, not just within the company but potentially across its network of partner organizations.
- Tactics Employed by Hackers:
- They majorly employ two narratives to dupe victims:
- Generic Messages (63%): These are broad-based lures and often include prompts like “account error” or a “shared document.”
- Tailored Content (37%): A more insidious approach where the content is specifically tailored, often targeting enterprise-related topics or aspects unique to a specific organization.
- They majorly employ two narratives to dupe victims:
Understanding these key takeaways offers a clearer perspective on the lateral phishing landscape and the urgency needed to address it.
Traditional Phishing vs. Lateral Phishing: A Comparative Analysis
This table provides a clear understanding of the two main types of fishing and highlights the unique dangers of lateral phishing. It’s an excellent resource for businesses wanting to educate their employees on the differences and ensure they take the necessary precautions against both.
|Send emails from accounts resembling legitimate businesses.
|First, take control of an organization’s internal account and then launch attacks.
|Lower success due to increasing awareness.
|Higher success rate since the email comes from a recognized internal account.
|Internal employees, partners, vendors, and friends linked to the compromised account.
|Email Content Type
|Can be both generic and specifically tailored to the organization.
|Check sender properties or email headers.
|Requires checking the actual destination of a link in the email.
|Basic email-checking protocols might suffice.
|Requires advanced detection techniques, increased awareness, and two-factor authentication.
Protecting You and Your Small Business Against Lateral Phishing
As the threat of lateral phishing grows, the importance of implementing protective measures becomes paramount. Businesses must not only understand the nature of this threat but also be equipped with the right tools and knowledge to counteract it.
According to Asaf Cidon, Vice President of Content Security Services at Barracuda Networks, more awareness is the key to defending against lateral phishing.
Although this advice seems obvious, double-checking your emails before opening them can prevent an attack. But lateral phishing has introduced another twist to the problem. Even if you double-check, you think you are opening an email from a colleague. So, increased awareness is in order.
Cidon has three recommendations: security awareness training, advanced detection techniques, and two-factor authentication.
Security Awareness Training
Security awareness training shouldn’t be a one-off event because hackers are always evolving. Cidon says telling your staff to check the sender properties or email headers like regular phishing attacks will not work.
With lateral phishing, they have to check the actual destination of a link in any email.
Advanced Detection Techniques
Lateral phishing is making it much more difficult to detect an attack, even for trained users.
Your business needs to invest in advanced detection techniques and services. These solutions use artificial intelligence and machine learning to identify phishing emails automatically.
Cidon says using a strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token is key. He goes on to say even non-hardware based 2FA can provide some protection.
As with any security measure, the goal is to put enough barriers between you and the attackers. If these barriers do the job, they will deter the majority of hackers. But as headline after headline show, the value of the information you hold will dictate the effort hackers put in.
Whether you are aware of lateral phishing attacks or not, this is a worthwhile read. You can find the report here.