Lateral Phishing

What is Lateral Phishing?

Attackers use recently hijacked or compromised accounts to send phishing emails to unsuspecting recipients, such as close contacts in the company and partners at external organizations. Because these lateral phishing attacks come from a legitimate email account and appear to be from a trusted colleague or partner, they tend to have a high success rate.

How Lateral Phishing Works

Lateral phishing begins with an account takeover attack. This is one of the fastest growing email security threats, and attackers are coming up with many new ways to exploit compromised accounts—lateral phishing is one of them.

Hackers use compromised accounts to learn about the organization, its employees, and its partners. They use this information to carefully craft targeted email messages and send them directly from compromised accounts.

Why Lateral Phishing is Important

The impact of lateral phishing is significant. In fact, one in seven organizations surveyed reported that they experienced account takeover and lateral phishing over a seven-month period.

Due to the implicit trust in the legitimate accounts they’ve compromised, attackers often use compromised accounts to send lateral phishing emails to dozens, if not hundreds, of other organizations so they can spread the attack more broadly. And because they target such a wide range of victims and external organizations, these attacks ultimately lead to increasing reputational harm for the initial victim organization.

These attacks prove particularly insidious because they come from a compromised but legitimate account. As a result, many users and existing email protection systems assume these lateral phishing emails are legitimate, because phishing emails have historically come from spoofed or external accounts.

How to Protect Against Lateral Phishing

There are a number of steps you can take to protect your users against lateral phishing:

Security awareness training

Improving security awareness training and making sure users are educated about this new class of attacks will help make lateral phishing less successful. Unlike traditional phishing attacks, which often use a fake or forged email address, lateral phishing attacks are sent from a legitimate — but compromised — account. As a result, checking the sender properties or email headers for a fake or spoofed sender doesn’t work.

In many cases, carefully checking the actual destination URL (and not just the URL text that is displayed) of any link within the email can help users identify a lateral phishing attack. It’s also very helpful to contact the apparent sender to confirm that any unusual request is in fact legitimate.
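The check described above (compare the real destination of a link with the host named in its visible text) can be automated for mail triage. This is an added illustration, not Barracuda's code; the HTML body is constructed, and the hostnames in it are placeholders.

```python
"""Flag HTML links whose displayed text names one host while the href
points somewhere else: the classic lateral-phishing lure."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A bare domain or URL appearing in the visible link text.
_HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html_body):
    """Return [(href, text)] where the text names a host that the href does not resolve to."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        shown = _HOST_RE.search(text)
        actual = urlparse(href).hostname
        if not shown or not actual:          # plain "Click here" text or mailto:/relative href
            continue
        shown, actual = _norm(shown.group(1)), _norm(actual)
        if actual != shown and not actual.endswith("." + shown):
            flagged.append((href, text))
    return flagged


# Constructed sample body; none of these hosts is a real indicator.
SAMPLE = ('<p>Please review the shared file: <a href="https://files.example-storage.test/login">'
          'https://contoso.sharepoint.com/sites/finance</a></p>'
          '<p>Or open <a href="https://contoso.sharepoint.com/x">contoso.sharepoint.com</a>.</p>'
          '<p><a href="https://www.example.org/help">Click here</a></p>')

if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE):
        print(f"text shows {text!r} but link goes to {href}")
```

Only the first link is flagged: its visible text names a SharePoint host while the href leads to a different domain; the second matches and the third has no host in its text.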

Advanced detection techniques

Lateral phishing represents a sophisticated evolution in the space of email-based attacks. Because these phishing emails come from a legitimate email account, they are more difficult for even well-trained users to detect.

For this reason, it’s important to invest in advanced detection techniques and services that use artificial intelligence and machine learning to automatically identify phishing emails without relying on users to identify them on their own.

Account takeover protection

Lateral phishing attacks originate from compromised accounts, so be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.

Two-factor authentication

Finally, one of the most important things that you can do to mitigate the risk of lateral phishing is to use strong two-factor authentication (2FA). Today’s two-factor authentication apps and hardware-based tokens can be very effective. While non-hardware-based 2FA solutions remain susceptible to phishing, they can still help limit and curtail an attacker’s access to compromised accounts.

How Barracuda Can Help

Barracuda Email Protection is a comprehensive, easy-to-use solution that delivers gateway defense, API-based impersonation and phishing protection, incident response, data protection, compliance and user awareness training. Its capabilities can prevent lateral phishing:

Barracuda Impersonation Protection protects against business email compromise, account takeover, spear phishing, and other cyber fraud. It combines artificial intelligence and deep integration with Microsoft Office 365 into a comprehensive cloud-based solution.

Impersonation Protection’s unique API-based architecture lets the AI engine study historical email and learn users’ unique communication patterns. It blocks phishing attacks that harvest credentials and lead to account takeover and enables real-time remediation.

Barracuda Security Awareness Training is an email security awareness and phishing simulation solution designed to protect your organization against targeted phishing attacks. Security Awareness Training trains employees to understand the latest social engineering phishing techniques, recognize subtle phishing clues, and prevent email fraud, data loss, and brand damage. Security Awareness Training transforms employees from a potential email security risk to a powerful line of defense against damaging phishing attacks.