Some claim to be reporting an issue with your credit card account. Others have innocuous offers but hide something more nefarious—we’ve all seen phishing emails like these. According to a 2018 Symantec report, 71.4 percent of cyberattacks on enterprises used phishing emails. Meanwhile, Verizon says that 30 percent of phishing messages were opened in 2016. Not only are phishing emails common, they’re effective. But if you think that’s as bad as it gets, you should keep reading.
Inside Lateral Phishing Attacks
The FBI estimates that lateral phishing attacks have caused $12 billion in losses for businesses. Like most phishing attacks, they’re email-based, but they can create trouble worse than malware. These emails come from a compromised account inside your organization. Rather than a user receiving a fake email from a credit card company they don’t even have a card with, these emails look like requests from a boss or colleague.
These attacks take advantage of the trust and relationships users have with the people in their organization. Some of these emails urge recipients to open a contract (which is actually malware) or input their username and password to access something (compromising another account).
Stopping Lateral Phishing Attacks
Because they come from inside the organization, most email security platforms can’t spot lateral phishing emails. Systems that can are expensive and have high false-positive rates, meaning many legitimate emails won’t reach their intended recipients. So, when it comes to lateral phishing, you must take action before accounts are compromised. Here are the things you can do.
- Use two-factor authentication at a minimum – Many orgs require at least two-factor authentication for users to access their accounts. This helps ensure that accounts aren’t compromised in the first place. Some orgs may even adopt a zero-trust model, which can beef up security even more.
- Develop protocols – Some lateral phishing emails appear to come from an employee’s boss and might ask them to transfer money, enter credentials, or what have you. It’s smart for companies to develop policies around moving money, signing contracts, or anything that involves sensitive data. Those who send emails with requests like these should follow up with a phone call or an in-person chat.
- Educate employees – Employees should know that phishing attacks may happen, what those attacks look like, how to spot them, and what to do if they’re not sure. If they think something looks phishy, it’s wise for them to double-check with their IT professional or the sender of the email, just to be sure. Note that follow-ups should happen over the phone or in person. Many cyber-scammers will reply to confirm the validity of an email if the recipient asks about it via email.
- Conduct phishing tests – There are plenty of tools that allow you to simulate phishing attacks, but not necessarily lateral phishing attacks. To simulate these, IT pros might need to work with leaders at a company. Using the email account of one of the higher-ups, simulate the kind of email you would expect a cybercriminal to send (e.g. “open this contract” or “please see the document at this website”). In the email, put a link to a web page about phishing safety. If they click it, they’ll know they’ve been tricked. If they follow up with the sender, you’ll know they’re being watchful.
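The last step only pays off if you can tell afterwards who clicked the awareness link and who followed up with the sender instead. The script below is an added example, not code from the original article: it assumes each recipient’s link carried a unique token (the URL path, token values, user names, log lines and the list of people who phoned the sender are all constructed for illustration) and reads the awareness page’s web-server access log in common log format. It counts each person once no matter how many times they clicked, ignores hits with tokens that were never issued, and separates those who clicked, those who reported, and those who did neither.

```python
"""Summarise the results of an internal lateral-phishing simulation.

Added example (not from the original article). Assumptions: each simulated
email linked to https://intranet.example/phish-awareness?t=TOKEN with a
per-recipient token (constructed), the landing page's web server writes
common-log-format lines, and follow-ups by phone or in person were noted
by hand in a separate list.
"""
import re
from datetime import datetime

# Constructed mapping: token -> recipient (hypothetical users)
TOKENS = {"a1f9": "alice", "b7c2": "bob", "c3d8": "carol", "d4e5": "dave"}

# Constructed access-log lines from the awareness landing page.
# alice clicks twice, carol clicks once, one hit carries an unissued token,
# and one line is unrelated noise (favicon request).
SAMPLE_LOG = """\
10.0.0.12 - - [03/Mar/2020:09:14:02 +0000] "GET /phish-awareness?t=a1f9 HTTP/1.1" 200 512
10.0.0.12 - - [03/Mar/2020:09:14:40 +0000] "GET /phish-awareness?t=a1f9 HTTP/1.1" 200 512
10.0.0.33 - - [03/Mar/2020:09:20:11 +0000] "GET /phish-awareness?t=c3d8 HTTP/1.1" 200 512
10.0.0.51 - - [03/Mar/2020:09:21:00 +0000] "GET /phish-awareness?t=zzzz HTTP/1.1" 200 512
10.0.0.9 - - [03/Mar/2020:09:25:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# Constructed: recipients who phoned or visited the "sender" to check the email
REPORTED = {"bob", "carol"}

# Matches the timestamp and the token on a landing-page hit
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "GET /phish-awareness\?t=(?P<token>\w+) ')


def parse_clicks(log_text):
    """Return {user: datetime of first click} for issued tokens only.

    Repeated clicks by the same user keep the earliest timestamp; hits with
    tokens we never issued are ignored rather than attributed to anyone.
    """
    first_click = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a landing-page hit
        user = TOKENS.get(m.group("token"))
        if user is None:
            continue  # stray or tampered token: not one of ours
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if user not in first_click or ts < first_click[user]:
            first_click[user] = ts
    return first_click


def summarise(log_text, reported, recipients):
    """Split recipients into clicked / reported / no action and compute the click rate."""
    clicked = set(parse_clicks(log_text))
    reported = set(reported) & recipients
    return {
        "recipients": len(recipients),
        "clicked": sorted(clicked),
        "reported": sorted(reported),
        "clicked_and_reported": sorted(clicked & reported),
        "no_action": sorted(recipients - clicked - reported),
        "click_rate": len(clicked) / len(recipients),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG, REPORTED, set(TOKENS.values()))
    for key, value in result.items():
        print(f"{key}: {value}")
```

People in the "clicked_and_reported" group (carol in the constructed data) clicked but then checked with the sender, which is the watchful behaviour the test is meant to surface; the "no_action" group is where a short refresher is most useful.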
Phishing attacks will get more sophisticated. IT pros must be ready to adopt the latest tactics and technologies to thwart them. But remember, mistakes happen. No matter how hard you try, you can’t stop all attacks. But that doesn’t mean you can’t mitigate them. By taking regular backups, you get a reliable way to recover, even if someone falls victim to a phishing email.