As companies and consumers have become more aware of phishing, hackers have refined their techniques and are now launching a more advanced form of attack known as lateral phishing. This technique is highly convincing and, consequently, highly effective.
Hackers are no longer phishing in the dark
Millions of individuals have had their personal information exposed in recent breaches at companies like DoorDash, PCM Inc., and Nordstrom. When email addresses, dates of birth, names, and other sensitive information are left exposed, they give cybercriminals the resources they need to execute successful phishing campaigns. This is because breached personally identifiable information (PII) can be used by cybercriminals to execute highly targeted and convincing attacks that are far more likely to trick their victims.
While the above is true of regular phishing schemes, the point becomes particularly salient when one considers lateral phishing attacks. Like regular phishing, a lateral phishing attack has the goal of gaining access to private information and begins with a user receiving an email that is attempting to extract login credentials or PII. However, the main differentiator between the two attack methods is that lateral phishing is conducted from a compromised email address within an organization. Once a hacker gains access to a legitimate email account, whether it belongs to a CEO or an intern, the hacker can then use it to target individuals within the company.
Lateral phishing techniques are highly effective. When hackers impersonate someone that the recipient knows and trusts, said recipient tends to lower her or his guard, making it more likely that sensitive information will be surrendered.
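Because the phishing mail in this scenario leaves a legitimate internal mailbox, sender-reputation and domain checks do not help; what the defender can observe instead is a change in that mailbox's behaviour. The script below is an added illustration, not code from the article, of one such detection heuristic: it replays outbound mail-log records and flags an internal account whose distinct internal fan-out within a one-hour window is both above a floor and well above that account's own per-day history, noting whether the subjects in the burst carry credential-themed lure words. The organisation domain `example.com`, the thresholds, the lure-word list and the log records are all constructed assumptions for the example.

```python
"""Heuristic detector for lateral-phishing bursts in outbound mail logs.

Added example (not part of the original article). A compromised internal
mailbox used for lateral phishing typically shows a sudden fan-out: an account
that normally mails a few coworkers per day abruptly mails many distinct
internal recipients in a short window, often with a credential-themed subject.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"      # assumed organisation domain (hypothetical)
WINDOW = timedelta(hours=1)          # burst window
MIN_FANOUT = 5                       # floor on distinct internal recipients
BASELINE_RATIO = 2.0                 # burst must exceed this multiple of history
LURE_WORDS = ("password", "verify", "sign in", "shared document", "invoice")

# Constructed sample records: (timestamp, sender, recipient, subject)
SAMPLE_LOG = [
    # alice: ordinary traffic on two days
    ("2024-03-01T09:00:00", "alice@example.com", "bob@example.com", "standup notes"),
    ("2024-03-01T11:00:00", "alice@example.com", "carol@example.com", "Q1 plan"),
    ("2024-03-02T10:00:00", "alice@example.com", "bob@example.com", "re: standup notes"),
    # alice: six distinct colleagues in 20 minutes with a credential lure
    ("2024-03-03T14:00:00", "alice@example.com", "bob@example.com", "Please verify your password"),
    ("2024-03-03T14:03:00", "alice@example.com", "dave@example.com", "Please verify your password"),
    ("2024-03-03T14:06:00", "alice@example.com", "erin@example.com", "Please verify your password"),
    ("2024-03-03T14:09:00", "alice@example.com", "frank@example.com", "Please verify your password"),
    ("2024-03-03T14:12:00", "alice@example.com", "grace@example.com", "Please verify your password"),
    # an external recipient in the same window is not internal fan-out
    ("2024-03-03T14:15:00", "alice@example.com", "vendor@partner.net", "Please verify your password"),
    ("2024-03-03T14:18:00", "alice@example.com", "heidi@example.com", "Please verify your password"),
]
# news@: a legitimate mass sender with a stable daily fan-out of ten colleagues
SAMPLE_LOG += [
    (f"2024-03-0{day}T08:00:00", "news@example.com", f"user{i}@example.com", "Weekly update")
    for day in (1, 2, 3) for i in range(10)
]


def is_internal(addr):
    return addr.endswith("@" + INTERNAL_DOMAIN)


def parse(records):
    """Normalise addresses and sort events chronologically."""
    return sorted((datetime.fromisoformat(ts), s.lower(), r.lower(), subj)
                  for ts, s, r, subj in records)


def detect_lateral_bursts(records, window=WINDOW, min_fanout=MIN_FANOUT,
                          ratio=BASELINE_RATIO):
    """Return {sender: alert} for internal accounts whose internal fan-out in
    any window exceeds both the floor and ratio * their prior daily maximum."""
    by_sender = defaultdict(list)
    for ev in parse(records):
        if is_internal(ev[1]) and is_internal(ev[2]):   # internal-to-internal only
            by_sender[ev[1]].append(ev)

    alerts = {}
    for sender, evs in by_sender.items():
        per_day = defaultdict(set)                      # day -> distinct recipients
        for ts, _, rcpt, _ in evs:
            per_day[ts.date()].add(rcpt)
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            rcpts = {e[2] for e in in_win}
            if len(rcpts) < min_fanout:
                continue
            prior = [len(s) for d, s in per_day.items() if d < start.date()]
            if not prior:            # no history yet: this heuristic has no verdict
                continue
            baseline = max(prior)
            if len(rcpts) <= ratio * baseline:
                continue
            lure = any(w in e[3].lower() for e in in_win for w in LURE_WORDS)
            best = alerts.get(sender)
            if best is None or len(rcpts) > best["fanout"]:
                alerts[sender] = {"window_start": start.isoformat(),
                                  "fanout": len(rcpts), "baseline": baseline,
                                  "lure_subject": lure}
    return alerts


if __name__ == "__main__":
    for sender, alert in detect_lateral_bursts(SAMPLE_LOG).items():
        print(sender, alert)
```

On the constructed log the newsletter account is left alone because its fan-out matches its own history, while `alice@example.com` is flagged with a fan-out of 6 against a baseline of 2 and a lure-word subject. The per-account baseline is the point: a fixed recipient threshold alone would either miss a small burst from a quiet mailbox or drown the alert queue with legitimate mass senders. Note the deliberate gap that an account with no prior history gets no verdict here, so a newly created or newly observed mailbox needs a separate rule.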