Cybersecurity Trend: Lateral Phishing

In this blog, we’ll be highlighting an emerging threat known as lateral phishing.

While account takeover has been one of the most common and fastest growing email security threats in recent years, researchers have uncovered a new type of account takeover attack they’ve coined, “lateral phishing”. 

What is lateral phishing? 

Using hijacked accounts they’ve recently compromised successfully, attackers send out phishing emails to a variety of recipients. Recipients of the phishing emails will range from close contacts with a company or organization, to clients or partners at other companies or organizations.

As researchers continue to dive into this new form of account attack, a study completed by joint efforts with UC Berkeley and UC San Diego discovered that 1 in 7 organizations have experienced lateral phishing attacks over the past seven months (Source).

In addition to the frequency, this emerging trend has a surprisingly large effect on the victim of the attack, sometimes hijacking over 100,000 email recipients. Attackers are able to do this in large part because emails are going to trusted recipients, leading to a greater level of success for attackers. 

How can your business protect against lateral phishing? 

1. Two-factor authentication

We’ve touched on the importance of two-factor authentication for many reasons before, and it is no exception when it comes to the risk of lateral phishing. Make sure your employees and anyone with access to sensitive data within your organization is properly utilizing two-factor authentication.

2. Cybersecurity Awareness Training for Employees

More often than not, a breach begins from an employee uneducated on the inherent cybersecurity risks within your organization. The best prevention techniques begin with educating your employees to identify “red flags” and report concerns to your IT team whenever they notice something suspicious. The same goes for lateral phishing.

3. Establish Detection Techniques

You may no longer be able to rely solely on your employees and IT team to identify lateral phishing in progress. It’s recommended that your company install advanced detection techniques and services. These techniques will utilize artificial intelligence and machine learning to automate the detection process, successfully identifying phishing emails risks and eliminating the need for human detection entirely.

If you have questions about lateral phishing prevention at your organization, or would like to learn more about installing automated detection techniques, please reach out to PK Tech