Phishing is the use of impersonation to trick another person into disclosing sensitive information. Phishing can take place over the Internet, telephone, or via text message, but email is the most common attack vector.
There are many reasons for compromising email accounts and a variety of tactics are used depending on the end goal. With Business Email Compromise (BEC) the aim is to gain access to the CEO’s email account and use it to send requests for fraudulent wire transfers to the finance department.
Another common tactic is lateral phishing. Lateral phishing is the use of a compromised email account to send further phishing emails to other individuals in the organization and business contacts. The aim is to harvest as many credentials as possible.
This means that when a phishing attack is discovered by an organization, often after suspicious activity is detected in an employee’s email account, the investigation reveals multiple accounts have been compromised.
A study of the practice of lateral phishing was recently conducted by researchers at the University of California Berkeley, University of San Diego, and Barracuda Networks. The researchers looked at phishing attacks on 100 organizations and examined the tactics used by the attackers and the actions they took after accounts were compromised. In total, 180 lateral phishing attacks were analyzed.
1 in 7 healthcare organizations had experienced a lateral phishing attack and 11% resulted in multiple email account compromises. Of concern is the failure of employees to detect and report these phishing emails. 42% of phishing messages went unreported.
Once an account is compromised, the most common tactic is to send phishing emails to individuals with a personal or business relationship with the account holder. That was the case in 55% of the attacks. 45% of attacks involved sending standard phishing emails to groups of individuals in the user’s contacts. 29% involved the use of tailored messages, and in 7% of cases, the messages were highly targeted.
The types of lures used were highly varied. The most common were emails claiming an individual wanted to share a document. Messages warning of account problems were also common.
While many threat actors do not interact with the recipients of their phishing emails, 17.5% of attacks involved some communication. The attackers had email conversations with the recipient and reassured them that the message was genuine. In 19.5% of cases, the attackers took steps to cover their tracks and deleted the phishing emails and message threads from both the compromised account and the recipient’s account.
The researchers recommend three measures to take to improve resilience against lateral phishing attacks.
- Implement multi-factor authentication – If credentials are obtained, a second factor is required before account access is granted
- Implement technologies that can identify and block phishing emails and detect phishing attacks in progress.
- Ensure all employees receive training on cybersecurity threats and how to identify and deal with them. Keep staff up to date on the latest threats and test awareness through phishing simulations.
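The second recommendation, detecting an attack in progress, can be illustrated with the behaviour the study describes: a compromised internal account suddenly sends a document-sharing or account-warning lure to many contacts in a short burst, and the attacker then deletes the sent messages to cover their tracks. The following Python script is an added example, not code from the article or from the researchers; it applies those two signals to a few constructed mailbox-audit records. The pipe-separated log format, the lure phrases, the ten-minute window and the five-recipient threshold are all assumptions chosen for the example and would need tuning against a real mail system's audit log.

```python
"""Flag internal mailboxes whose sent-mail pattern matches lateral phishing.

Signals (both drawn from the article's description of attacker behaviour):
  1. a burst of messages to many distinct recipients in a short window,
     with a subject that matches a known lure theme;
  2. those sent items being deleted shortly afterwards (covering tracks).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed lure phrases, based on the lure themes the article names.
LURE_PATTERNS = (
    "shared a document",
    "shared a file",
    "account problem",
    "account will be suspended",
    "verify your account",
)

BURST_WINDOW = timedelta(minutes=10)  # assumption: tuning value for the burst
BURST_RECIPIENTS = 5                  # assumption: distinct recipients in a window


@dataclass(frozen=True)
class MailEvent:
    ts: datetime
    kind: str        # "send" or "delete"
    mailbox: str     # internal account the event belongs to
    recipient: str   # empty for delete events
    subject: str


def parse_event(line: str) -> MailEvent:
    """Parse one assumed audit line: timestamp|kind|mailbox|recipient|subject."""
    ts, kind, mailbox, recipient, subject = line.split("|", 4)
    return MailEvent(datetime.fromisoformat(ts), kind, mailbox, recipient, subject)


def looks_like_lure(subject: str) -> bool:
    """True when the subject contains one of the assumed lure phrases."""
    s = subject.lower()
    return any(p in s for p in LURE_PATTERNS)


def find_lateral_phishing(lines):
    """Return {mailbox: details} for every mailbox showing a lure burst."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    sends = defaultdict(list)
    deleted_subjects = defaultdict(set)
    for e in events:
        if e.kind == "send":
            sends[e.mailbox].append(e)
        elif e.kind == "delete":
            deleted_subjects[e.mailbox].add(e.subject.lower())

    findings = {}
    for mailbox, evs in sends.items():
        # Sliding window: from each send, look at the sends that follow within
        # BURST_WINDOW and count distinct recipients and lure subjects.
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x.ts - start.ts <= BURST_WINDOW]
            recipients = {x.recipient for x in window}
            lures = [x for x in window if looks_like_lure(x.subject)]
            if len(recipients) >= BURST_RECIPIENTS and lures:
                findings[mailbox] = {
                    "burst_start": start.ts.isoformat(),
                    "distinct_recipients": len(recipients),
                    "lure_subject": lures[0].subject,
                    # Second signal: the lure was later deleted from Sent Items.
                    "sent_items_deleted": any(
                        x.subject.lower() in deleted_subjects[mailbox] for x in lures
                    ),
                }
                break
    return findings


# Constructed sample records (not real traffic). alice shows both signals;
# carol sends a burst without a lure; dave sends a lure to a single contact.
SAMPLE_AUDIT_LINES = [
    "2023-05-01T09:00:00|send|alice@example.org|bob@example.org|Q2 budget draft",
    "2023-05-01T13:00:05|send|alice@example.org|partner1@vendor.example|Alice shared a document with you",
    "2023-05-01T13:00:20|send|alice@example.org|partner2@vendor.example|Alice shared a document with you",
    "2023-05-01T13:00:35|send|alice@example.org|erin@example.org|Alice shared a document with you",
    "2023-05-01T13:00:50|send|alice@example.org|frank@example.org|Alice shared a document with you",
    "2023-05-01T13:01:10|send|alice@example.org|grace@example.org|Alice shared a document with you",
    "2023-05-01T13:01:30|send|alice@example.org|heidi@example.org|Alice shared a document with you",
    "2023-05-01T13:04:00|delete|alice@example.org||Alice shared a document with you",
    "2023-05-01T14:00:00|send|carol@example.org|erin@example.org|Team meeting notes",
    "2023-05-01T14:00:10|send|carol@example.org|frank@example.org|Team meeting notes",
    "2023-05-01T14:00:20|send|carol@example.org|grace@example.org|Team meeting notes",
    "2023-05-01T14:00:30|send|carol@example.org|heidi@example.org|Team meeting notes",
    "2023-05-01T14:00:40|send|carol@example.org|bob@example.org|Team meeting notes",
    "2023-05-01T15:00:00|send|dave@example.org|bob@example.org|Please verify your account",
]

if __name__ == "__main__":
    for mailbox, details in find_lateral_phishing(SAMPLE_AUDIT_LINES).items():
        print(mailbox, details)
```

Run against the constructed records, only alice@example.org is reported, with six distinct recipients and the sent items flagged as deleted; carol's burst is ignored because none of the subjects match a lure theme, and dave's single lure falls below the recipient threshold. On a real deployment the two signals would come from the mail gateway's message-trace log and the mailbox audit log respectively, and the thresholds would be set from the organisation's normal sending patterns.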