A new study by Barracuda sheds light on the rise of lateral phishing campaigns, in which one or more compromised employee accounts in an organization are used to send phishing emails to other employees of the same organization. Lateral phishing resembles business email compromise (BEC), but where BEC usually aims to get victims to carry out fraudulent wire transfers, the main goal of lateral phishing is usually credential theft.
The report found that 11% of lateral phishing attacks resulted in the attackers compromising additional employee accounts. In 42% of these successful attacks, the department in charge of account security was not notified of the breach, which allowed the threat actors to use the newly compromised accounts for further attacks. 45% of lateral phishing attacks were opportunistic in their choice of targets, while 29% targeted a specific account, 25% targeted all accounts in a given organization, and the remaining 1% targeted a partner organization.
Read more: Lateral Phishing Attacks: A Growing Threat to the Enterprise