New Phishing Threat – It’s Called Lateral Phishing
There’s a new and growing type of phishing attack. The phishing emails come from a legitimate but compromised account within a business and are then passed on, unwittingly, to everyone who trusts that sender.
This type of attack is called lateral phishing, and it’s much harder to spot because it starts from an email address inside, rather than outside, your business.
Attackers use hijacked accounts they’ve recently compromised to send phishing emails to an array of recipients, ranging from close contacts within the business to clients, suppliers and other outside organisations. The opportunities are endless.
Business Reputation Compromised
Lateral phishing represents a sophisticated evolution in the space of email-based attacks. Recent research has found that over 60% of organisations targeted by lateral phishing had multiple compromised accounts.
Some had dozens of compromised accounts that sent lateral phishing attacks to additional employee accounts and users at other organisations.
In total, researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 different recipients.
And because these attacks target such a wide range of victims and external organisations, they ultimately cause increasingly large reputational harm to the business that first fell victim to the cyber criminals.

Defence Against Lateral Phishing
There are three critical precautions businesses can take to help protect themselves against lateral phishing attacks: security awareness training for employees, advanced detection techniques, and two-factor authentication.
Businesses in NSW, QLD and the ACT are using Think Technology Australia’s low-cost and advanced detection solutions that use artificial intelligence and machine learning to automatically identify phishing emails without relying on users to identify them on their own.
We also advise our business clients that one of the most important things they can do to mitigate the risk of lateral phishing is to use strong two-factor authentication (2FA), such as an authenticator app or, where available, a hardware-based token.
While non-hardware 2FA solutions remain susceptible to phishing, they still help limit and curtail an attacker’s access to compromised accounts.
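As an added illustration (not from the original post, and not Think Technology Australia’s product), the following Python sketch shows one detection heuristic aimed at the pattern described above: an internal account that suddenly fans out to many recipients and external domains within a short burst. The log line format, the thresholds and the sample log lines are assumed and constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed outbound mail-gateway log lines (not from a real system); the
# "from=... to=..." layout, one recipient per line, is an assumed format.
SAMPLE_LOG = """\
2024-03-04T09:01:10 from=alice@example.com to=bob@example.com
2024-03-04T09:03:42 from=alice@example.com to=carol@example.com
2024-03-04T09:15:05 from=dave@example.com to=eve@example.com
2024-03-04T09:15:06 from=dave@example.com to=frank@example.com
2024-03-04T09:15:06 from=dave@example.com to=accounts@supplier-one.test
2024-03-04T09:15:07 from=dave@example.com to=billing@client-two.test
2024-03-04T09:15:08 from=dave@example.com to=info@partner-three.test
2024-03-04T09:15:08 from=dave@example.com to=sales@client-four.test
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")

def parse_log(text):
    """Yield (timestamp, sender, recipient) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["sender"].lower(), m["rcpt"].lower()

def fan_out_by_sender(text, internal_domain):
    """Per internal sender: distinct recipients, distinct external domains, send times."""
    stats = defaultdict(lambda: {"recipients": set(), "external_domains": set(), "times": []})
    for ts, sender, rcpt in parse_log(text):
        if not sender.endswith("@" + internal_domain):
            continue  # lateral phishing originates from accounts inside the business
        rec = stats[sender]
        rec["recipients"].add(rcpt)
        rec["times"].append(ts)
        domain = rcpt.rsplit("@", 1)[1]
        if domain != internal_domain:
            rec["external_domains"].add(domain)
    return stats

def flag_lateral_senders(text, internal_domain, max_recipients=5,
                         max_external_domains=2, window_seconds=300):
    """Flag internal senders whose burst (all sends within window_seconds) reaches
    more recipients or external domains than the illustrative thresholds allow."""
    flagged = []
    for sender, rec in fan_out_by_sender(text, internal_domain).items():
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        if span > window_seconds:
            continue  # simplification: a real detector would use a sliding window
        if len(rec["recipients"]) > max_recipients or len(rec["external_domains"]) > max_external_domains:
            flagged.append(sender)
    return sorted(flagged)
```

The fixed thresholds are placeholders; in practice each account’s normal fan-out should be baselined so that a sales mailbox and a finance mailbox are judged against their own history.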