Lateral phishing attacks present a growing threat to corporate organizations. Here’s how you can protect your business.
Barracuda Networks researchers recently teamed up with researchers from UC Berkeley and UC San Diego in the U.S. to study email account takeover and lateral phishing attacks, which have become a growing threat to enterprise organizations.
Lateral phishing is a type of phishing scam that targets users from an already compromised email account in the same organization. The attack is conducted from an email address within, rather than outside, the organization. The primary goal of phishing attacks is to fraudulently obtain sensitive information such as usernames, passwords and payment card details by disguising oneself as a trustworthy entity in an email communication. What better way to fool unsuspecting users into believing an email is legitimate than using the account of someone they usually communicate with? The attackers use the compromised email accounts to send lateral phishing emails to a variety of recipients, ranging from close contacts within the organization to partners at other organizations.
The researchers studied 180 lateral phishing incidents and identified the following patterns organizations and individuals should be aware of:
- One in 10 of the lateral phishing attacks succeed
- 42% don’t get reported to the organization’s IT or security team
- Over 55% of the attacks in the study target recipients with some personal or work relationship to the hijacked account
- 98% of the lateral phishing incidents occurred during a weekday
You would think that most lateral phishing would take the form of sophisticated and highly personalized messages, but in most cases that’s not true. In the attacks studied, the researchers found that the majority of lateral phishing emails rely on two old deceptive approaches:
- Messages that falsely alert the user of a problem with their email account
- Messages that provide a link to a fake ‘shared’ document
To avoid being detected by the owner of the hacked email account used for the attack, some attackers would quickly delete the phishing emails they sent and the replies they received. Another surprising discovery was that recipients of the lateral phishing emails often replied to the hijacked account to ask whether the email was legitimate or intended for them. The attackers would reply to these messages on behalf of the actual account owners, assuring recipients that the email and its content were legitimate.
While effective enterprise attacks can ultimately bring quick returns, lateral phishing attacks also target personal email accounts. For example, an attacker could hack a personal email account and then send emails to all of its contacts stating that the owner is stranded abroad and asking for financial assistance.
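A defender-side check for the delete-to-hide behaviour described above, added here as an illustration (not code from the study or from Barracuda): it scans constructed mailbox audit events for messages a mailbox sent or received and then deleted within minutes, and flags accounts that do so repeatedly. The event field names and the "send"/"receive"/"delete" action values are assumptions; real mail platforms expose different audit schemas.

```python
from datetime import datetime, timedelta

# Constructed mailbox audit events (sample data, not from the study). Field names
# are assumed: ts (ISO 8601), account (mailbox owner), action, msg_id.
AUDIT_EVENTS = [
    {"ts": "2019-07-15T09:02:10", "account": "alice@example.com", "action": "send", "msg_id": "m1"},
    {"ts": "2019-07-15T09:02:41", "account": "alice@example.com", "action": "delete", "msg_id": "m1"},
    {"ts": "2019-07-15T09:10:05", "account": "alice@example.com", "action": "receive", "msg_id": "m2"},
    {"ts": "2019-07-15T09:10:30", "account": "alice@example.com", "action": "delete", "msg_id": "m2"},
    {"ts": "2019-07-15T11:30:00", "account": "bob@example.com", "action": "send", "msg_id": "m3"},
    {"ts": "2019-07-16T08:00:00", "account": "bob@example.com", "action": "delete", "msg_id": "m3"},
]

def quick_deletions(events, window=timedelta(minutes=5)):
    """Return (account, msg_id, original_action, seconds_until_delete) for every
    message a mailbox sent or received and then deleted within `window`."""
    seen = {}   # (account, msg_id) -> (action, timestamp) of the send/receive
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        key = (ev["account"], ev["msg_id"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] in ("send", "receive"):
            seen[key] = (ev["action"], ts)
        elif ev["action"] == "delete" and key in seen:
            action, t0 = seen.pop(key)
            delta = ts - t0
            if delta <= window:
                hits.append((ev["account"], ev["msg_id"], action, int(delta.total_seconds())))
    return hits

def flag_accounts(events, window=timedelta(minutes=5), min_hits=2):
    """Accounts with at least `min_hits` quick deletions: a sent message plus an
    incoming reply both erased fast is the pattern worth a closer look."""
    counts = {}
    for account, _, _, _ in quick_deletions(events, window):
        counts[account] = counts.get(account, 0) + 1
    return {a for a, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    for hit in quick_deletions(AUDIT_EVENTS):
        print("quick delete:", hit)
    print("accounts to review:", flag_accounts(AUDIT_EVENTS))
```

Bob's message is deleted the next day and so falls outside the window; only Alice's mailbox, which erased both an outgoing message and an incoming one within seconds, is flagged for review.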
How to defend against lateral phishing attacks
The research recommended three critical safeguards to help guard against lateral phishing attacks. Firstly, improving security awareness training and making sure users are educated about this new tactic and can apply this knowledge in their day-to-day job will help make lateral phishing less successful. This is important because users and employees are usually the weakest link in the security chain.
Secondly, organizations should invest in advanced detection tools and services that use artificial intelligence and machine learning to automatically identify phishing emails without relying entirely on users to spot them. Lastly, the researchers also recommend the use of two-factor authentication (2FA), which adds an extra layer of security by requiring not only a username and password but also something the user has, such as a security token or smartphone, to confirm the user’s claimed identity.