A growing threat to the enterprise is phishing scams sent to users from compromised email accounts in the same organization. This type of attack is called lateral phishing because it is conducted from an email address within, rather than outside, the organization.
When attackers perform a phishing attack, the goal is to convince the target that the email is legitimate so as to coerce them into performing a particular action. What better way to convince a user that an email is legitimate than using a hacked email account belonging to someone they normally correspond with?
In a new report conducted by Barracuda, UC Berkeley and UC San Diego, researchers analyzed lateral phishing attacks conducted against nearly 100 organizations and the tactics and outcomes of these campaigns.
Unlike BEC scams, which also utilize compromised email accounts, lateral phishing scams are typically used for credential theft rather than to convince an organization to wire money to fraudulent bank accounts.