You’ve heard of the classic phishing attack where cybercriminals send rogue emails purporting to be from legitimate entities such as large corporations and government agencies. You may have also heard of hackers using voice calls and text messages to victimize more unsuspecting users. But have you heard of a phishing attack that uses real but compromised business email accounts?
Lateral phishing: A method that takes advantage of trust
Lateral phishing relies strongly on the idea that if an email comes from within the corporate network, then it’s not deemed as suspicious, compared to when it comes from anywhere else. Hackers take over an account inside your organization and use it to send phishing emails to others within the same domain, as well as to contacts outside the company. These emails can contain malware-infected attachments, phishing URLs, or fake payment requests that masquerade as sensitive company documents.
Unlike business email compromise (BEC) scams that also utilize compromised email accounts, lateral phishing is typically used for credential theft rather than to convince a business to wire money to fraudulent bank accounts.
How dangerous is it for your small business?
According to a study by Barracuda Networks, UC Berkeley, and UC San Diego, one in seven organizations experienced lateral phishing attacks over the past seven months. Of the companies that were victimized, more than 60% had multiple compromised accounts. The researchers found 154 hijacked accounts that collectively sent hundreds of rogue emails to more than 100,000 unique recipients. Among these are corporate accounts, personal email addresses, and accounts of employees of third-party organizations.
By targeting such a wide range of victims, hackers can also significantly damage the reputation of the victim organization.
How do you protect yourself?
Cybercriminals are constantly devising new ways to trick unsuspecting users into handing out confidential data. The good news is, there are effective ways to protect your organization from lateral phishing. Let’s take a look at some of them:
#1. Security awareness training
Lateral phishing attacks are much harder to spot than traditional ones, as hackers make use of compromised business email accounts and bank on the trust that company employees have in them. This means that checking sender properties or email addresses to identify scam messages will not be effective.
Check the links within emails to see if they are safe to open. Verify them by doing a quick search for the company’s official website. When you hover the mouse over deceptive links, they will likely lead to a fake version of a legitimate company’s website. For instance, the URL www.paypal.com in a rogue email can lead to www.pay-pal.com to lower suspicions. Do not submit any login credentials or personal information on these websites, as the data will only be sent to hackers.
Remember that you and your employees will play a large part in protection against lateral phishing, so awareness will always be an important step in keeping your business safe.
#2. Use multifactor authentication (MFA)
MFA uses more than one method to verify a user’s identity such as a fingerprint or facial scan, or a one-time code sent to the account owner’s smartphone. MFA acts as a secondary lock, so even if criminals get a hold of the primary login credentials, their hacking attempts will be futile without fulfilling the succeeding security procedures.
#3. Sign up with a managed IT services provider (MSP)
Our cybersecurity experts at F1 Solutions can help you reduce your exposure to lateral phishing by monitoring your IT infrastructure and looking out for unusual behavior. We can stop threats from infecting your systems before they can cause bigger issues. What’s more, our services cost less than paying a full-time salary to an in-house employee.
