As companies and consumers have become more aware of phishing, hackers have refined their techniques and are now launching a more advanced form of attack known as lateral phishing. This technique is highly convincing and, consequently, highly effective.
Hackers are no longer phishing in the dark
Millions of individuals have had their personal information exposed in recent breaches at companies like DoorDash, PCM Inc., and Nordstrom. When email addresses, dates of birth, names, and other sensitive information are left exposed, they give cybercriminals exactly the raw material they need to run successful phishing campaigns: breached personally identifiable information (PII) lets an attacker write highly targeted, convincing messages that are far more likely to trick their victims.
While the above is true of regular phishing schemes, the point becomes particularly salient when one considers lateral phishing attacks. Like regular phishing, a lateral phishing attack has the goal of gaining access to private information and begins with a user receiving an email that is attempting to extract login credentials or PII. However, the main differentiator between the two attack methods is that lateral phishing is conducted from a compromised email address within an organization. Once a hacker gains access to a legitimate email account, whether it belongs to a CEO or an intern, the hacker can then use it to target individuals within the company.
Lateral phishing techniques are highly effective. When an attacker writes as someone the recipient knows and trusts, the recipient tends to lower his or her guard, making it more likely that sensitive information will be surrendered.
Many individuals still believe that phishing emails are easy to identify because they will always contain broken English or come from a stranger. Advanced lateral phishing attacks, however, come directly from a known sender's real email account, and attackers have become far more sophisticated at crafting convincing messages. Unfortunately, these attacks can expose PII as well as confidential company information, placing individuals and organizations alike at risk.
How enterprises can put a ban on phishing
Below are strategies that companies can and must implement in order to protect their data and prevent lateral phishing attacks:
1. Utilize email providers whose products have built-in security measures, for example the ability to proactively flag suspicious emails from outside of an organization's corporate domains, as well as improved email filtering and malicious URL and attachment detection. While not foolproof, these capabilities can thwart the majority of phishing attacks. Note, however, that an external-sender warning does nothing against lateral phishing, because the message genuinely originates from an account inside the corporate domain. As attackers continuously become better at crafting malicious emails that are almost indistinguishable from legitimate ones, more is needed in order to truly protect your organization.
2. Adopt advanced security solutions that identify suspicious logins and take action before a breach can occur. These solutions allow organizations to verify users' identities, detect potential intrusions, and enforce security measures like multi-factor authentication, limiting an attacker's access to accounts in real time. A typical trigger is "impossible travel": an employee's credentials are used to log in from two locations so far apart, and so close together in time, that no one could physically have made the journey. This type of functionality is incredibly important, because lateral phishing is aimed at obtaining legitimate credentials, and the first sign that a credential has been stolen is often the attacker's own login with it.
3. Employee education is critical in all cybersecurity matters, and email security is no different. While employee education should not be seen as a replacement for having proper security controls and technologies in place, it should be a part of everyday company culture. Organizations should educate employees about how they can best identify lateral phishing attacks as well as what they should do if they suspect an email they’ve received may be fraudulent – even if it appears to come from a known sender. All employees should know the role that they play in keeping their company’s sensitive information safe, and company culture centered around cybersecurity should flow from the top down.
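The impossible-travel check described in strategy 2 above, as an added example that is not code from the original article or from any particular product. It assumes a log of successful logins with a timestamp, user, the geolocation already derived from the source IP, and the IP itself; the sample events, the 900 km/h plausibility threshold and the "require_mfa" response are all constructed for the illustration.

```python
import math
from datetime import datetime, timezone

# Constructed sample login events (not real data). Each line:
# ISO-8601 UTC timestamp, user, latitude, longitude, source IP.
# Coordinates stand in for the geolocation an identity provider derives from the IP.
SAMPLE_LOGINS = """\
2019-08-01T09:00:00Z alice 40.7128 -74.0060 198.51.100.7
2019-08-01T09:42:00Z alice 52.5200 13.4050 203.0.113.9
2019-08-01T09:05:00Z bob 37.7749 -122.4194 198.51.100.22
2019-08-01T15:30:00Z bob 34.0522 -118.2437 198.51.100.23
2019-08-01T16:00:00Z carol 51.5074 -0.1278 192.0.2.5
"""

# Assumed threshold: faster than an airliner means the same person cannot have
# performed both logins, so one of them is almost certainly an attacker.
MAX_PLAUSIBLE_KMH = 900.0


def parse_logins(text):
    """Parse the whitespace-separated login log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, lat, lon, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "lat": float(lat),
                       "lon": float(lon), "ip": ip})
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logins and flag physically impossible speeds.

    Returns one alert per offending login pair, carrying the evidence an analyst
    needs and the response the identity layer should apply (step-up MFA).
    """
    alerts = []
    last_seen = {}  # user -> most recent event, in time order
    for event in sorted(events, key=lambda e: (e["user"], e["ts"])):
        prev = last_seen.get(event["user"])
        if prev is not None:
            distance = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            hours = (event["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours > 0:
                speed = distance / hours
            else:
                # Two logins in the same second from different places: treat as
                # infinite speed; same place at the same time is harmless.
                speed = float("inf") if distance > 0 else 0.0
            if speed > max_kmh:
                alerts.append({
                    "user": event["user"],
                    "from_ip": prev["ip"],
                    "to_ip": event["ip"],
                    "distance_km": round(distance, 1),
                    "elapsed_min": round(hours * 60, 1),
                    "speed_kmh": round(speed, 1),
                    "action": "require_mfa",  # assumed response: step-up auth and re-verify
                })
        last_seen[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_logins(SAMPLE_LOGINS)):
        print(alert)
```

On the constructed sample, alice's New York login followed 42 minutes later by a Berlin login produces a single alert (roughly 6,400 km at over 9,000 km/h), while bob's San Francisco-to-Los Angeles pair over six and a half hours is ordinary travel and carol's lone login has nothing to compare against. In production the same logic runs against the identity provider's sign-in log, and the "require_mfa" action would be a call to that provider to force re-authentication or revoke the session rather than a string in a dict.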