Lateral Phishing: How to Protect Your Small Business

lateral phishing

Most business owners are familiar with phishing attacks. And this awareness has significantly reduced their success rate. However, as cybercriminals continually adapt and evolve, a new and increasingly common type of account takeover attack has emerged: Lateral phishing. This guide will explore how to safeguard your small business against lateral phishing along with other crucial insights.

Protecting You and Your Small Business Against Lateral Phishing

As the threat of lateral phishing grows, the importance of implementing protective measures becomes paramount. Businesses must not only understand the nature of this threat but also be equipped with the right tools and knowledge to counteract it.

According to Asaf Cidon, Vice President of Content Security Services at Barracuda Networks, more awareness is the key to defending against lateral phishing.

Although this advice seems obvious, double-checking your emails before opening them can prevent an attack. But lateral phishing has introduced another twist to the problem. Even if you double-check, you think you are opening an email from a colleague. So, increased awareness is in order.

Cidon has three recommendations: security awareness training, advanced detection techniques, and two-factor authentication.

Security Awareness Training

lateral phishing - security training class with instructor

Security awareness training shouldn’t be a one-off event because hackers are always evolving. Cidon says telling your staff to check the sender properties or email headers like regular phishing attacks will not work.

With lateral phishing, they have to check the actual destination of a link in any email.

Advanced Detection Techniques

lateral phishing - woman on PC with a lock icon against a blue computer background

Lateral phishing is making it much more difficult to detect an attack, even for trained users.

Your business needs to invest in advanced detection techniques and services. These solutions use artificial intelligence and machine learning to identify phishing emails automatically.

Two-factor Authentication

lateral phishing 2 factor authentication graphic for man on computer

Cidon says using a strong two-factor authentication (2FA), such as a two-factor authentication app or a hardware-based token is key. He goes on to say even non-hardware based 2FA can provide some protection.

As with any security measure, the goal is to put enough barriers between you and the attackers. If these barriers do the job, they will deter the majority of hackers. But as headline after headline show, the value of the information you hold will dictate the effort hackers put in.

Implementing Robust Email Security Measures

To fortify defenses against lateral phishing attacks, businesses must implement robust email security measures that go beyond basic filters and antivirus software.

Integrating advanced security solutions that utilize artificial intelligence (AI) and machine learning can significantly enhance an organization’s ability to detect and prevent sophisticated phishing attempts. Secure email gateways and DMARC policies are crucial for authenticating email senders and verifying that the emails originate from legitimate sources.

Additionally, employing email security solutions that offer behavioral analysis can help identify unusual patterns in email activity, flagging potential lateral phishing attacks before they reach the recipient. Training employees to recognize the signs of phishing and to report them promptly is equally important.

These technologies are crucial for staying ahead of cybercriminals. They foster continuous learning from the tactics attackers use and evolve to counteract new and future phishing threats.

Creating a Culture of Security Awareness

The human element is often the weakest link in cybersecurity. Creating a culture of security awareness within an organization can empower employees to act as the first line of defense against lateral phishing attacks.

This involves conducting regular, interactive training sessions that simulate phishing scenarios, helping staff to recognize and respond to threats effectively. Encourage employees to adopt a healthy skepticism towards emails, even those that appear to come from colleagues, and to verify the authenticity of requests through direct communication.

Promoting an environment where employees feel comfortable reporting suspicious emails can significantly reduce the risk and impact of successful phishing attacks.

Regular Monitoring and Incident Response Planning

Continuous monitoring of network and email activity is essential for early detection of lateral phishing and other cyber threats. Implementing a system that alerts IT personnel to suspicious behavior can help catch attacks in progress, minimizing damage.

An effective incident response plan is crucial for quickly containing and mitigating the impact of a security breach.

This plan should outline specific steps to isolate compromised accounts, notify affected parties, and conduct a thorough investigation to prevent future incidents. Regular security audits and vulnerability assessments are also vital for identifying and remedying potential entry points for attackers.

Encouraging Reporting and Open Communication

To combat lateral phishing effectively, organizations must foster a culture where reporting suspicious emails is encouraged and straightforward. Providing clear instructions on how to report phishing attempts, whether through a dedicated email address, reporting button, or IT hotline, can facilitate this process.

Open communication about the importance of reporting and the role it plays in protecting the organization can help to ensure that employees do not hesitate to flag potential threats. Recognizing and rewarding vigilant behavior can further reinforce the value of proactive reporting.

Partnering with Cybersecurity Experts

Given the sophistication of lateral phishing attacks, many businesses, particularly small and medium-sized enterprises, may benefit from partnering with external cybersecurity experts. These specialists can offer advanced email security services, tailored advice, and continuous monitoring to guard against phishing and other cyber threats.

Leveraging the expertise of managed security service providers can provide businesses with access to the latest security technologies and threat intelligence, enhancing their overall cybersecurity posture.

Such partnerships can also free up internal resources, allowing companies to focus on their core activities while ensuring their defenses against lateral phishing are as strong as possible.

Here is a word from Barracuda about lateral fishing and 13 email threat types to know about right now:

Understanding Lateral Phishing

So what is lateral phishing? To be proactive in regards to protecting your business from it, it’s critical to first understand it. Lateral phishing is a sophisticated cyber threat where attackers first gain control of an internal account within an organization.

This method is more insidious than traditional phishing attacks, which often involve sending emails from an account that appears to belong to a legitimate business. With the increasing awareness and training on spotting phishing attempts, attackers have adapted their strategies.

The Mechanism of Attack

Upon securing control over an internal account, attackers use this position to launch phishing attacks. These can target a wide range of individuals associated with the account holder, including colleagues within the company, external partners, vendors, and even personal contacts. The trust typically afforded to internal communications dramatically increases the likelihood of these attacks succeeding, making them exceptionally effective.

Research Insights

A comprehensive study conducted by researchers from Barracuda, along with UC Berkeley and UC San Diego, has provided valuable insights into lateral phishing. Over the course of a year, they examined a dataset of 113 million emails sent by employees from 92 different enterprise organizations.

Their findings revealed 154 compromised accounts through which attackers launched lateral phishing campaigns targeting over 100,000 unique recipients. This large-scale analysis underscores the prevalence of lateral phishing within the corporate environment.


Do You Know What a Lateral Phishing Attack Is?
                                                                                                           image: Barracuda

The Tactics of Attackers

The research conducted by Barracuda, UC Berkeley and UC San Diego provides an in-depth analysis of how attackers orchestrate their lateral phishing campaigns. Specifically, it sheds light on the strategic approach attackers take in pinpointing their potential victims and constructing phishing emails.

Key to their strategy is the sophisticated application of social engineering techniques, which allows them to imitate the communication styles expected by their targets convincingly.

By exploiting the inherent trust within professional and personal relationships, these cybercriminals manage to craft messages that are not only compelling but also highly relevant to the recipients. This attention to detail significantly raises the likelihood of recipients interacting with the phishing content, thereby increasing the chances of the attackers’ success in achieving their malicious objectives.

Implications and Defense Strategies

The implications of lateral phishing are profound, threatening not only the security of organizational data but also the integrity of business operations. The subtlety and sophistication of these attacks make them challenging to detect with conventional security measures. It highlights the critical need for advanced detection systems, continuous employee education on the evolving nature of phishing threats, and the implementation of robust security protocols to mitigate the risk of compromise.

The Importance of Regular Patch Management

Considered the holy grail of cybersecurity is a robust patch management strategy. It is essential for strengthening defenses against lateral phishing and other cyber threats.

Patching involves regularly updating software and systems with the latest patches and security updates provided by vendors. This process addresses security vulnerabilities that attackers could exploit to gain unauthorized access to an organization’s network.

Effective patch management not only secures the infrastructure against direct exploits but also supports the overall security posture by minimizing the risk of an initial compromise. Given that lateral phishing often requires the attacker to have compromised an internal account first, securing all entry points through timely patch updates is a critical preventative measure.

Organizations should prioritize patches based on the severity of the vulnerabilities they address and ensure that critical systems and applications are updated as a priority. Automating the patch management process, where possible, can help maintain the currency of security updates across the organization’s digital assets, thereby providing an additional layer of security against sophisticated cyber-attacks.

Key Takeaways on Lateral Phishing

Lateral phishing attacks are increasingly becoming a significant cybersecurity concern for businesses. These covert attacks, which exploit compromised internal accounts to target unsuspecting employees and partner organizations, can have severe ramifications. Here are the key takeaways to understand the gravity and nuances of this threat:

  • Prevalence and Reach:
    • 1 in 7 organizations encountered lateral phishing in the past seven months.
    • Among these affected organizations, over 60% had multiple accounts compromised.

Do You Know What a Lateral Phishing Attack Is?

image: Barracuda

  • Attack Distribution:
    • When hackers initiate these attacks, they don’t hold back. A whopping 40% of the 100K recipients in the study were within the same company.
    • The external fallout is even greater, with 60K or 60% of these emails reaching partner organizations, potentially jeopardizing inter-company trust.
  • Reputational and Financial Impact:
    • The direct financial costs of such attacks are evident. However, there’s a lurking danger in the potential reputational damage that can lead to further financial strain. As trust erodes, partner organizations might question the security protocols in place.
  • Underreporting is a Concern:
    • An alarming 42% of these phishing incidents go unreported. This gap in reporting can lead to unchecked propagation of the phishing attack, not just within the company but potentially across its network of partner organizations.
  • Tactics Employed by Hackers:
    • They majorly employ two narratives to dupe victims:
      • Generic Messages (63%): These are broad-based lures and often include prompts like “account error” or a “shared document.”
      • Tailored Content (37%): A more insidious approach where the content is specifically tailored, often targeting enterprise-related topics or aspects unique to a specific organization.

Understanding these key takeaways offers a clearer perspective on the lateral phishing landscape and the urgency needed to address it.

Traditional Phishing vs. Lateral Phishing: A Comparative Analysis

Traditional Phishing vs. Lateral Phishing - graphic of sensitive, personal information being phished on a smartphone

This table provides a clear understanding of phishing and lateral phishing. It also highlights the unique dangers of both and how you can prevent them from happening. It’s an excellent resource for businesses wanting to educate their employees on the differences and ensure they take the necessary precautions against both.

Feature/AspectTraditional PhishingLateral Phishing
Basic MechanismSend emails from accounts resembling legitimate businesses.First, take control of an organization's internal account and then launch attacks.
TrustworthinessLower success due to increasing awareness.Higher success rate since the email comes from a recognized internal account.
Primary TargetsGeneral public.Internal employees, partners, vendors, and friends linked to the compromised account.
Email Content TypeOften generic.Can be both generic and specifically tailored to the organization.
DetectionCheck sender properties or email headers.Requires checking the actual destination of a link in the email.
Defensive MeasuresBasic email-checking protocols might suffice.Requires advanced detection techniques, increased awareness, and two-factor authentication.

By addressing these critical aspects, businesses can significantly improve their resilience against lateral phishing attacks, safeguarding their data, reputation, and relationships with clients and partners.

Implementing comprehensive email security measures, fostering a security-aware culture, maintaining vigilance through regular monitoring, and seeking expert guidance are all essential strategies in the fight against this evolving cyber threat.

Whether you are aware of lateral phishing attacks or not, this is a worthwhile read. You can find the report here.


Michael Guta Michael Guta is the Assistant Editor at Small Business Trends and has been with the team for 9 years. He currently manages its East African editorial team. Michael brings with him many years of content experience in the digital ecosystem covering a wide range of industries. He holds a B.S. in Information Communication Technology, with an emphasis in Technology Management.