42% of targeted email attacks against larger companies involve lateral phishing: Barracuda Threat Spotlight
Barracuda Networks has unveiled a new Threat Spotlight which states that large organizations with several thousand employees or more are the most likely to be affected by lateral phishing, where attacks are sent to mailboxes across the organization from an already compromised internal account. Lateral phishing accounts for just under half (42%) of targeted email threats against organizations with 2,000 employees or more, but just 2% of attacks against companies with up to 100 employees.
The findings, which are based on an analysis of targeted email attacks between early June 2023 and the end of May 2024, show that smaller companies are the most likely to be hit with external phishing attacks. These account for 71% of targeted email threats in 12 months, compared to 41% for the largest companies.
Smaller companies also experience around three times as many extortion attacks as their larger counterparts. Extortion attacks comprised 7% of targeted incidents for the smallest businesses, compared to 2% for those with 2,000 employees or more.
The prevalence of business email compromise (BEC) and conversation hijacking remained relatively consistent regardless of company size.
“All companies, regardless of their size, are vulnerable to email threats, but they are vulnerable in different ways,” said Olesia Klevchuk, director, product marketing at Barracuda. “Larger companies, with many mailboxes and employees, offer attackers more potential entry points, multiple communication channels to disseminate malicious messages across the business, and employees who are likely to trust email messages that appear to come from within the organization, even if the sender is unfamiliar to them. Smaller companies, on the other hand, are less likely to have layered security in place and more likely to have misconfigured email filters due to a lack of in-house skills and resources.”
Barracuda recommends implementing regular security awareness training for employees that includes lateral phishing to keep everyone informed and alert so they can easily spot suspicious emails. Multi-layered, AI-powered defenses are key to detecting and remediating advanced attacks to contain and minimize the impact. Smaller companies may also wish to consider turning to a managed service provider for additional expertise and support in hardening their security environment against all threats.