KnowBe4 Security Awareness Training Blog

Lateral Phishing Affects One in Seven Organizations

Written by Stu Sjouwerman | Aug 22, 2019 10:58:11 AM

A survey by Barracuda found that one in seven organizations experienced lateral phishing attacks over the course of seven months, and that 42% of these attacks were not reported by recipients.

Lateral phishing is a type of attack that often follows email account takeover. After an attacker has successfully hacked one email account at an organization, they can use that account to send phishing emails to the victim’s co-workers. Since the emails are sent from an internal account, they’re usually trusted by security filters as well as recipients.

Barracuda says 63% of these attacks involved generic phishing lures that referenced account errors or claimed that a co-worker has shared a document. 30% of the incidents used more targeted templates that were relevant to a corporate environment. In 7% of the attacks, the attackers crafted highly targeted emails that were tailored to the specific organization. Additionally, some of the attackers would personally interact with their targets.

“Often, recipients of the lateral phishing emails replied to the hijacked account to ask whether the email was legitimate or intended for them,” Barracuda’s report says. “Across 17.5 percent of the hijacked accounts we studied, attackers actively responded to their recipients’ inquiries to assure the victim that the email was legitimate and safe to open (e.g., ‘Hi [Bob], it’s a document about [X]. It’s safe to open. You can view it by logging in with your email address and password.’).”

Overall, 60% of the organizations that experienced lateral phishing attacks were affected by more than one incident. Barracuda says that organizations can protect themselves against these attacks by implementing security awareness training, advanced detection mechanisms, and two-factor authentication. New-school security awareness training is critical for helping employees stay ahead of these threats.

Barracuda has the story: https://www.barracuda.com/spear-phishing-report-2