What Is Lateral Phishing? Understanding the Latest Threat to Your Cyber Security

Phishing threats are nothing new, but some dangers are more insidious than others. After years of warnings to treat unsolicited and external emails with caution, a new threat is flying under the radar.

That threat is a new and particularly vicious type of phishing attack, one that plays on the trust of its victims to steal proprietary corporate data, ensnare top executives and even facilitate monetary transfers that could leave small businesses nearly bankrupt.

Lateral Phishing and Your Corporate Network

If you have not yet heard of lateral phishing, now is the time to educate yourself and your staff. By understanding how this unique type of phishing attack works and why it is so dangerous, you can work to protect yourself, your business and your network. Here is what you need to know about lateral phishing, along with some tips for protecting yourself from the latest threat to your cybersecurity.

Lateral phishing is a relatively new type of cyber attack, one that targets the email accounts of corporate insiders. But unlike other forms of email hijacking, this one uses its access to further target others in the company.

A Dangerous Insider Attack

Once the cybercriminal has gained access of the initial email account, they use a combination of psychological tactics and the natural trust employees have for one another. Specifically, the hacker begins to target the contacts inside the compromised email account, sending out targeted phishing messages designed to steal information and trick victims into giving up account information and corporate funds.

It is this insider approach that makes lateral phishing such a unique danger in the corporate world. Employees may be reluctant to click links in an unsolicited email, but they will likely show no such hesitation if the message comes from a fellow employee. By compromising an insider account, hackers can use this inherent trust to solicit information that would otherwise raise suspicions and trigger red flags.

How to Protect Yourself

Since lateral phishing is still a relatively new form of cyber crime, many businesses are unprepared for the dangers it presents. If you want to protect yourself, your network and the integrity of your company, you need to take a proactive approach to this emerging threat.

One of the most important steps you can take is education. Making your staff aware of this new danger is a key form of protection, and raising awareness can greatly reduce your risk.

Practicing good password hygiene is another key form of protection. If your password policy has been in place for some time, you want to revisit it and make sure it is up to date and follows current best practices.

Forcing changes to email passwords on a regular basis and disallowing variations on a single password can provide a basic level of protection, as can communicating the recommendations of cybersecurity experts. Implementing Two Factor Authentication (2FA) can not be overstated.

Employees should also be advised to check their outgoing messages on a regular basis. If the account has been compromised, the outbox could hold clues about what has been done and which contacts have been targeted. Workers who notice suspicious activity in their outgoing messages should contact the IT department immediately to report these activities.

Last but not least, businesses can protect themselves from the worst aspects of lateral phishing with a few key policy changes. Establishing additional verification requirements for monetary transfers, the release of proprietary information and other potentially damaging actions can blunt the impact of this new form of cybercrime. At the very least, these additional verification steps can give the targeted businesses more time to react, possibly stopping a devastating attack in its tracks. 

Sometimes it seems like there is a new form of cybercrime happening every single day, and that is only a slight exaggeration. Lateral phishing is only the latest example, and it is unlikely to be the last. In the meantime, staying vigilant, educating yourself and your staff and following best practices for network and cybersecurity can all reduce your chances of becoming a victim.