Lateral Phishing: The Silent Threat to Your Small Business

lateral phishing

Most business owners know what a phishing attack is. And this awareness has lowered the success rate of many phishing attacks. But hackers, being hackers have adapted and evolved with a new and growing type of account takeover attack. It is called lateral phishing, and here’s what you need to know.

Here is a word from Barracuda about lateral fishing and 13 email threat types to know about right now:

Drive Traffic to Your Website

Win $100 for Vendor Insights

Sell Your Business

What is Lateral Phishing?

Regular phishing attacks generally send an email from an account designed to look like a legitimate business. With more people aware of this scheme, it is getting harder to fool people.

Hackers have found a workaround to this problem by first taking control of an account in an organization. Once they are successful, they leverage this account to launch the attacks.

The success rate of this type of attack is almost guaranteed because the recipient recognizes the email account. Everyone from contacts within the company to partners, vendors, and personal friends outside of the organization can be victimized.

Researchers from Barracuda, UC Berkeley and UC San Diego studied lateral phishing over the past year. The study and report looked at how this form of attack is becoming so pervasive. This large-scale study of lateral phishing attacks has a data set covering 113 million employee-sent emails from 92 enterprise organizations.

Of the 154 hijacked accounts the researchers identified, hackers were able to send hundreds of lateral phishing emails to more than 100,000 unique recipients.

Do You Know What a Lateral Phishing Attack Is?

image: Barracuda
The Researchers analyzed strategies attackers use in selecting their potential victims along with the content they use in the messages. Additionally, the report also highlights the sophistication and stealth this evolving attack exhibits.

Key Takeaways on Lateral Phishing

Lateral phishing attacks are increasingly becoming a significant cybersecurity concern for businesses. These covert attacks, which exploit compromised internal accounts to target unsuspecting employees and partner organizations, can have severe ramifications. Here are the key takeaways to understand the gravity and nuances of this threat:

  • Prevalence and Reach:
    • 1 in 7 organizations encountered lateral phishing in the past seven months.
    • Among these affected organizations, over 60% had multiple accounts compromised.

Do You Know What a Lateral Phishing Attack Is?

image: Barracuda

  • Attack Distribution:
    • When hackers initiate these attacks, they don’t hold back. A whopping 40% of the 100K recipients in the study were within the same company.
    • The external fallout is even greater, with 60K or 60% of these emails reaching partner organizations, potentially jeopardizing inter-company trust.
  • Reputational and Financial Impact:
    • The direct financial costs of such attacks are evident. However, there’s a lurking danger in the potential reputational damage that can lead to further financial strain. As trust erodes, partner organizations might question the security protocols in place.
  • Underreporting is a Concern:
    • An alarming 42% of these phishing incidents go unreported. This gap in reporting can lead to unchecked propagation of the phishing attack, not just within the company but potentially across its network of partner organizations.
  • Tactics Employed by Hackers:
    • They majorly employ two narratives to dupe victims:
      • Generic Messages (63%): These are broad-based lures and often include prompts like “account error” or a “shared document.”
      • Tailored Content (37%): A more insidious approach where the content is specifically tailored, often targeting enterprise-related topics or aspects unique to a specific organization.

Understanding these key takeaways offers a clearer perspective on the lateral phishing landscape and the urgency needed to address it.

Traditional Phishing vs. Lateral Phishing: A Comparative Analysis

Traditional Phishing vs. Lateral Phishing - graphic of sensitive, personal information being phished on a smartphone

This table provides a clear understanding of phishing and lateral phishing. It also highlights the unique dangers of both and how you can prevent them happening. It’s an excellent resource for businesses wanting to educate their employees on the differences and ensure they take the necessary precautions against both.

Feature/AspectTraditional PhishingLateral Phishing
Basic MechanismSend emails from accounts resembling legitimate businesses.First, take control of an organization's internal account and then launch attacks.
TrustworthinessLower success due to increasing awareness.Higher success rate since the email comes from a recognized internal account.
Primary TargetsGeneral public.Internal employees, partners, vendors, and friends linked to the compromised account.
Email Content TypeOften generic.Can be both generic and specifically tailored to the organization.
DetectionCheck sender properties or email headers.Requires checking the actual destination of a link in the email.
Defensive MeasuresBasic email-checking protocols might suffice.Requires advanced detection techniques, increased awareness, and two-factor authentication.

Protecting You and Your Small Business Against Lateral Phishing

As the threat of lateral phishing grows, the importance of implementing protective measures becomes paramount. Businesses must not only understand the nature of this threat but also be equipped with the right tools and knowledge to counteract it.

According to Asaf Cidon, Vice President of Content Security Services at Barracuda Networks, more awareness is the key to defending against lateral phishing.

Although this advice seems obvious, double-checking your emails before opening them can prevent an attack. But lateral phishing has introduced another twist to the problem. Even if you double-check, you think you are opening an email from a colleague. So, increased awareness is in order.

Cidon has three recommendations: security awareness training, advanced detection techniques, and two-factor authentication.

Security Awareness Training

lateral phishing - security training class with instructor

Security awareness training shouldn’t be a one-off event because hackers are always evolving. Cidon says telling your staff to check the sender properties or email headers like regular phishing attacks will not work.

With lateral phishing, they have to check the actual destination of a link in any email.

Advanced Detection Techniques

lateral phishing - woman on PC with a lock icon against a blue computer background

Lateral phishing is making it much more difficult to detect an attack, even for trained users.

Your business needs to invest in advanced detection techniques and services. These solutions use artificial intelligence and machine learning to identify phishing emails automatically.

Two-factor Authentication

lateral phishing 2 factor authentication graphic for man on computer

Cidon says using a strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token is key. He goes on to say even non-hardware based 2FA can provide some protection.

As with any security measure, the goal is to put enough barriers between you and the attackers. If these barriers do the job, they will deter the majority of hackers. But as headline after headline show, the value of the information you hold will dictate the effort hackers put in.

Whether you are aware of lateral phishing attacks or not, this is a worthwhile read. You can find the report here.

Image: 3 Comments ▼

Michael Guta Michael Guta is the Assistant Editor at Small Business Trends and currently manages its East African editorial team. Michael brings with him many years of content experience in the digital ecosystem covering a wide range of industries. He holds a B.S. in Information Communication Technology, with an emphasis in Technology Management.

3 Reactions
  1. Nice one. Michael.

    I perfectly agree with you. Lateral phishing is becoming the order of the day.

    But like you said, being security aware and using two-factor authentication are great strategies to stay protected.

    Thanks for sharing.


  2. Hi Emenike,
    You are more than welcome.

  3. It is important to know how to protect your business from this type of attack. Protection is always better than being problematic about it later.

Leave a Reply

Your email address will not be published. Required fields are marked *


Win $100 for Vendor Selection Insights

Tell us!
No, Thank You