Lateral phishing attacks can be devastating for users and organisational IT teams because they originate from legitimate but compromised email accounts and so benefit from the implicit trust between sender and recipients. In this paper, we begin to explore the human-centred space of lateral phishing attacks through interviews with 5 security practitioners and 17 employees from the UK and India. We report how security practitioners predominantly rely on employees to alert them to compromised accounts, and how this creates a delay during which the attack can continue. Our interviews with employees, on the other hand, found that individuals may not be reliable: they struggled to detect slight changes to messages, and over-relied on markers (such as a familiar sender address) that cannot identify a lateral attack, since the message genuinely comes from the trusted account. We discuss the symbiotic relationship between security practitioners and employees in combating lateral phishing attacks within organisations, and present recommendations for improving resistance to these attacks.
Number of pages: 25
Publication status: Accepted/In press, 15 Aug 2023
Event: EuroUSEC 2023: The 2023 European Symposium on Usable Security, Copenhagen, Denmark
Duration: 16 Oct 2023 to 17 Oct 2023