Barracuda Threat Spotlight: 42% of Targeted Email Attacks on Major Companies Involve Lateral Phishing

Singapore, 31 July 2024 — Organisations with several thousand employees or more are most susceptible to lateral phishing attacks, where threats are disseminated across the organisation from an already compromised internal account, as highlighted in a new Threat Spotlight from Barracuda.

The analysis, which examined targeted email attacks between early June 2023 and the end of May 2024, reveals that smaller companies are more likely to be targeted by external phishing attacks. These constitute 71% of targeted email threats over the past year, whereas, for the largest companies, the figure is 41%.

Moreover, smaller companies face approximately three times more extortion attacks than their larger counterparts. Extortion incidents account for 7% of targeted attacks on the smallest businesses, in contrast to 2% for those with 2,000 employees or more. The occurrence of Business Email Compromise (BEC) and conversation hijacking remained fairly consistent across different company sizes.

Mark Lukie, Director of Solution Architects (APAC), Barracuda Networks, stated, “All companies, regardless of their size, are susceptible to email threats, but their vulnerabilities differ. Larger companies, with numerous mailboxes and employees, provide attackers with more potential entry points and various communication channels to spread malicious messages. Employees are more likely to trust emails appearing to come from within the organisation, even if the sender is unfamiliar. Conversely, smaller companies often lack layered security and may have misconfigured email filters due to limited in-house skills and resources.”

Barracuda advises regular security awareness training for employees, which includes lateral phishing, to keep everyone informed and vigilant against suspicious emails. Implementing multi-layered, AI-powered defences is crucial for detecting and mitigating advanced attacks to reduce their impact. Smaller companies should also consider partnering with managed service providers to enhance their security posture and protect against all threats.