How to prevent email account takeover attacks
Phishing is all about the bad guy and fooling the victim, says Kevin Mitnick, founder, Mitnick Security Consulting. Mitnick knows about bad guys; he used to be one.
Businesses beware: Hackers are increasingly using email account takeover attacks to leverage legitimate accounts and send phishing emails to employees, clients, and other partners, according to Barracuda’s Spear Phishing: Top Threats and Trends Vol. 2 report, released Thursday.
In email account takeover attacks, hackers gain entry to a business account and send lateral phishing emails. Because these emails come from a legitimate account, they are more likely to fool victims, the report noted.
One in seven organizations studied experienced lateral phishing attacks within a seven-month timespan, the report found. Of those organizations that fell victim to this attack, more than 60% experienced multiple incidents.
Email account takeover and lateral phishing attacks are effective: More than 11% of the attacks studied in the report successfully compromised additional employee accounts. And more than 42% of such attacks do not appear to have been reported to the organization’s IT or security team.
Once a corporate email account has been compromised, 55% of attackers target victims with a personal or work relationship to the person whose account was hijacked. The majority (63%) of lateral phishing attacks used generic messages, such as those discussing an “account error” or “shared document.” But 37% of attackers tailored their message content to be more specific to the particular organization or victim, the report found.
How to prevent lateral phishing attacks
Organizations and employees can do the following to protect against lateral phishing attacks, according to the report:
1. Security awareness training
Ongoing, updated security training is now a necessity for every organization. This training should include lessons on how to identify email takeover attacks and lateral phishing attacks, including carefully checking the URL and destination of any link in an email before clicking.
2. Advanced detection techniques
Lateral phishing attacks can be difficult to detect since they originate from a legitimate corporate email account. Advanced detection techniques and services that leverage artificial intelligence (AI) and machine learning to automatically identify phishing emails can potentially help.
3. Two-factor authentication
Two-factor authentication (also known as multi-factor authentication) is a key security step to mitigate risks of lateral phishing and other attacks. You can use an app or hardware-based token to limit an attacker’s access to accounts.
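One way to turn the report's observations into the kind of detection logic item 2 describes, scoring mail from internal accounts on the generic "account error" / "shared document" lures, links that point outside the organization, and bursts sent to many colleagues. This is an added Python example, not code from the report or the article; the organization domain, the fan-out threshold and the sample messages are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumed: the organization's own mail domain
GENERIC_LURES = ("account error", "shared document")  # lure phrases the report cites
FANOUT_THRESHOLD = 5             # assumed: distinct recipients that count as a burst
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def message_signals(msg):
    """Lateral-phishing signals carried by one message from an internal account."""
    signals = set()
    if any(lure in msg["subject"].lower() for lure in GENERIC_LURES):
        signals.add("generic lure subject")
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        # the link-destination check users are trained to make, done in software
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            signals.add("link to external host " + host)
    return signals

def find_suspect_senders(messages, min_signals=2):
    """Group mail by internal sender; flag senders with >= min_signals signals."""
    by_sender = defaultdict(list)
    for m in messages:
        # external senders are left to ordinary anti-phishing filters
        if m["from"].rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
            by_sender[m["from"]].append(m)
    suspects = {}
    for sender, msgs in by_sender.items():
        signals = set()
        for m in msgs:
            signals |= message_signals(m)
        recipients = {r for m in msgs for r in m["to"]}
        if len(recipients) >= FANOUT_THRESHOLD:
            signals.add("fan-out to %d recipients" % len(recipients))
        if len(signals) >= min_signals:
            suspects[sender] = sorted(signals)
    return suspects

# Constructed sample traffic (not real data); pat's account is the hijacked one.
SAMPLE = [
    {"from": "pat@example.com", "to": ["%s@example.com" % n for n in "abcde"],
     "subject": "Shared document", "body": "Please review: https://docs-login.invalid/view"},
    {"from": "alex@example.com", "to": ["b@example.com"],
     "subject": "Q3 numbers", "body": "Draft is at https://wiki.example.com/q3"},
    {"from": "helpdesk@example.com", "to": ["c@example.com"],
     "subject": "Account error fixed", "body": "Ticket closed, nothing to do."},
    {"from": "outsider@other.invalid", "to": ["a@example.com"],
     "subject": "Shared document", "body": "https://evil.invalid/x"},
]
```

Requiring two signals keeps a single "account error" notice from the helpdesk out of the alert queue while still catching a one-to-one lure that links outside the organization.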