Lateral phishing represents a sophisticated evolution in email-based attacks, with 1 in 7 organisations targeted in this way in the past seven months, according to researchers at Barracuda Networks and the University of California, Berkeley.
Account takeover continues to be one of the fastest-growing email security threats, but attackers are starting to adapt, introducing new ways to exploit compromised accounts, such as lateral phishing, which uses hijacked accounts to send phishing emails to an array of recipients in the account’s contact list, ranging from close contacts in the company to partners at other organisations.
Out of the organisations targeted by lateral phishing, more than 60% had multiple compromised accounts.
Some had dozens of compromised accounts that sent lateral phishing attacks to additional employee accounts and users at other organisations.
In total, researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients.
A recent benchmarking report by security awareness training firm KnowBe4 puts the average phish-prone percentage across all industries and sizes of organisations at 29.6% – up 2.6% since 2018.
Large organisations in the hospitality industry have the highest phish-prone percentage (PPP) of 48%, and are therefore most likely to fall victim to a phishing attack, while the transportation industry is at the lowest risk, with large organisations in the sector scoring a PPP of just 16%.
Because lateral phishing exploits the implicit trust in the legitimate accounts compromised, these attacks ultimately lead to increasingly large reputational harm for the initial victim organisation, the researchers said.
To defend against lateral phishing attacks, the researchers said there are three critical precautions organisations can take.
1. Security awareness training
Improving security awareness training and making sure users are educated about this new class of attacks will help make lateral phishing less successful.
Unlike traditional phishing attacks, which often use a fake or forged email address to send the attack email, lateral phishing attacks are sent from a legitimate – but compromised – account.
As a result, telling users to check the sender properties or email headers to identify a fake or spoofed sender no longer applies. Instead, the destination of all links should be checked carefully.
2. Advanced detection techniques
Because lateral phishing emails come from a legitimate email account, these attacks are becoming increasingly difficult for even trained and knowledgeable users to detect.
Organisations should invest in advanced detection techniques and services that use artificial intelligence (AI) and machine learning to identify phishing emails automatically without relying on users to identify them.
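The pattern the researchers describe, a hijacked account mailing links to an unusually wide slice of its contact list, including people at other organisations, can be expressed as a simple per-sender baseline check over outbound mail logs. The following is an added illustration, not code from Barracuda or the Berkeley study; the log records, the home domain `corp.example` and the thresholds are constructed for the example, and a real detector would combine this fan-out signal with many others.

```python
"""Heuristic flagging of lateral-phishing fan-out in outbound mail logs."""
from collections import defaultdict
from statistics import median

HOME_DOMAIN = "corp.example"  # assumed home domain of the organisation

# Constructed sample log: normal traffic for each sender, followed by a burst
# typical of a hijacked account mailing its internal and external contacts.
SAMPLE_LOG = [
    {"id": 1, "sender": "alice@corp.example", "to": ["bob@corp.example"], "has_link": False},
    {"id": 2, "sender": "alice@corp.example",
     "to": ["carol@corp.example", "dan@partner.example"], "has_link": True},
    {"id": 3, "sender": "alice@corp.example", "to": ["bob@corp.example"], "has_link": True},
    {"id": 4, "sender": "erin@corp.example", "to": ["ops@corp.example"], "has_link": True},
    {"id": 5, "sender": "alice@corp.example",
     "to": ["bob@corp.example", "carol@corp.example", "dan@partner.example",
            "eve@supplier.example", "frank@vendor.example", "grace@corp.example"],
     "has_link": True},
]


def external_domains(recipients, home=HOME_DOMAIN):
    """Distinct recipient domains other than the organisation's own."""
    return {r.rsplit("@", 1)[1].lower() for r in recipients} - {home}


def flag_lateral_fanout(log, fanout_factor=3.0, min_external=2):
    """Return ids of link-bearing messages whose recipient fan-out is at least
    fanout_factor times the sender's median fan-out over its other messages
    and that reach at least min_external distinct external domains."""
    by_sender = defaultdict(list)
    for m in log:
        by_sender[m["sender"]].append(m)
    flagged = []
    for m in log:
        if not m["has_link"]:
            continue  # no link, nothing for a recipient to click
        others = [len(set(o["to"])) for o in by_sender[m["sender"]] if o["id"] != m["id"]]
        baseline = median(others) if others else 1  # new senders get a baseline of 1
        fanout = len(set(m["to"]))
        if fanout >= fanout_factor * baseline and len(external_domains(m["to"])) >= min_external:
            flagged.append(m["id"])
    return flagged


if __name__ == "__main__":
    print(flag_lateral_fanout(SAMPLE_LOG))  # [5]
```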
3. Two-factor authentication
One of the most important things that organisations can do to help mitigate the risk of lateral phishing is to use strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token if available.
Another recently published study by Barracuda showed that 94% of organisations surveyed believe that email is still the top security vulnerability.
The survey also found that 87% of respondents expect email threats to increase in the coming year, and 75% reported a steady increase in email attacks in the past three years.
Almost half (47%) of respondents said they had been hit by email-borne ransomware attacks, 31% were victims of a business email compromise attack, but the majority (75%) said they had been hit by brand impersonation attacks, also known as brandjacking.