Most business owners know what a phishing attack is. And this awareness has lowered the success rate of many phishing attacks. But hackers being hackers they have adapted and evolved with a new and growing type of account takeover attack. It is called lateral phishing.
What is Lateral Phishing?
Regular phishing attacks generally send an email from an account designed to look like a legitimate business. With more people aware of this scheme, it is getting harder to fool people.
Hackers have found a workaround to this problem by first taking control of an account in an organization. Once they are successful, they leverage this account to launch the attacks.
The success rate of this type of attack is almost guaranteed because the recipient recognizes the email account. Everyone from contacts within the company to partners, vendors, and personal friends outside of the organization can be victimized.
Researchers from Barracuda, UC Berkeley and UC San Diego studied lateral phishing over the past year. The study and report looked at how this form of attack is becoming so pervasive. This large-scale study of lateral phishing attacks has a data set covering 113 million employee-sent emails from 92 enterprise organizations.
Of the 154 hijacked accounts the researchers identified, hackers were able to send hundreds of lateral phishing emails to more than 100,000 unique recipients.
How prevalent is lateral phishing? According to this particular study, 1 in 7 organizations experienced this form of attack in the past seven months. And of those who experienced an attack, more than 60% say they had multiple compromised accounts.
Besides the financial cost to your business, the reputational damage can also add more financial costs as partner organization question your security.
Another concerning data point from the study is 42% of the lateral phishing incidents didn’t get reported. This means it can potentially continue to propagate across the company and all partner organizations.
When these attacks take place, they use two types of narratives to trick the victims. Most of the messages or 63% are generic and the remaining 37% are tailored content.
The generic message is generally along the lines of “account error” and “shared document.” The tailored content is more sophisticated because it goes after enterprise-oriented or something specific to a particular organization.
Protecting Yourself and Your Small Business Against Lateral Phishing?
According to Asaf Cidon, Vice President of Content Security Services at Barracuda Networks, you have to be more aware.
Although this advice seems obvious, simply double-checking your emails before you open them can prevent an attack. But lateral phishing has introduced another twist to the problem. Even if you double-check, you think you are opening an email from a colleague. So, increased awareness is in order.
Cidon has three recommendations: security awareness training, advanced detection techniques, and two-factor authentication.
Security Awareness Training
Security awareness training shouldn’t be a one-off event because hackers are always evolving. Cidon says telling your staff to check the sender properties or email headers like regular phishing attacks will not work.
With lateral phishing, they have to check the actual destination of a link in any email.
Advanced Detection Techniques
Lateral phishing is making it much more difficult to detect an attack, even for trained users.
Your business needs to invest in advanced detection techniques and services. These solutions use artificial intelligence and machine learning to identify phishing emails automatically.
Cidon says using a strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token is key. He goes on to say even non-hardware based 2FA can provide some protection.
As with any security measure, the goal is to put enough barriers between you and the attackers. If these barriers do the job, they will deter the majority of hackers. But as headline after headline show, the value of the information you hold will dictate the effort hackers put in.
Whether you are aware of lateral phishing attacks or not, this is a worthwhile read. You can find the report here.