What is a lateral phishing attack? A lateral phishing attack occurs when “one or more compromised employee accounts in an organization are used to target other employees in the same organization. Lateral phishing is similar to business email compromise (BEC), but while the latter is usually about getting victims to carry out fraudulent wire transfers, the main goal of the former is usually credential theft.” I suppose it means the attack occurs laterally across the org chart.
Lateral phishing attacks are generally effective because it’s easy for the hackers to convince the target the email is legitimate. After all, it’s coming from someone inside the company.
How big of a problem is this? A new report by Barracuda, in conjunction with researchers at UC Berkeley and UC San Diego, “found that 1 in 7 organizations experienced lateral phishing attacks over the past seven months.” In the past seven months!
The lateral phishing attack is the new Trojan horse. The Trojan horse is the story of how the Greeks snuck soldiers into the city of Troy inside a giant wooden horse. Ultimately, the soldiers in the horse opened the gates of the city to let the rest of the Greek army in. The Greeks entered and destroyed the city of Troy, ending the war.
The first employee at a company to get phished is the Trojan horse. They’re the one that lets all the other phishing emails in. The way you keep them all out is to keep the first one out—keep the Trojan horse out.
An article on Bleeping Computer discussed the report. “While studying 180 lateral phishing attacks, the researchers determined that 11% of the attacks were successful in compromising other victims in the same organization. Furthermore, of these attacks, 42% were not reported to the organization’s IT department or security team, which may have allowed the accounts to be used for multiple attacks.”
Lateral phishing attacks are a great example of why security awareness training is ineffective. We know from research that the best awareness training is only 98% effective. That means if 50 employees at an organization receive a phishing email, at least one of them is getting phished. And with lateral phishing, they didn’t just get phished, they let in the Trojan horse.
If you want to protect your organization from lateral phishing attacks, from today’s Trojan horse, you’re going to need more than awareness training. You’re going to need email security with real-time link click protection. You’re going to need DuoCircle. Our email security service blocks malicious websites and protects against ransomware. And you can try it risk-free for 30 days.
Keeping the new Trojan horse out of your organization is job #1 today.