Human-centric exploration of lateral phishing attacks in organisations

Abstract

Phishing attacks, particularly in the form of targeted phishing, remain prevalent threats in the cybersecurity landscape, exploiting individuals' reliance on email communication. Lateral phishing is a form of targeted phishing attack that involves bad actors sending phishing emails from compromised accounts to colleagues within an organisation or its external partners. Current studies have shown a rise in lateral phishing attacks and a rapid increase in employee account compromises in organisations. Very little work has focused on lateral phishing and its role in facilitating further compromises as compared to targeted phishing attacks from spoofed accounts appearing to be legitimate. Moreover, current technology solutions do not, and in some cases cannot, address human vulnerabilities which are routinely exploited in targeted phishing attacks.

This thesis comprises three qualitative studies with diverse user groups, including cyber security practitioners and employees, to understand the effectiveness of organisational defences against lateral phishing attacks. The first study explored security practitioners’ experiences of dealing with targeted phishing attacks, in particular lateral phishing, in their organisations. The findings suggest that lateral phishing attacks are devastating, and that practitioners rely heavily on employee reporting to identify email account compromise. Rather than being handled by automated tools, these attacks require manual investigation, which is more time consuming. The second study focused on how social interactions in the workplace affect the detection of, and response to, targeted phishing attacks. The findings revealed that employees deem emails from lesser-known colleagues suspicious, and deem requests for personal information suspicious even when they come from known colleagues. When a lateral attack was suspected, employees were found to carry out their own investigations rather than reporting it in the first instance. The final study focused on how employees evaluate whether email messages from known colleagues are genuine. The findings illustrated that, to identify the sender, employees relied predominantly on markers that are easily spoofable (e.g., sender name and email address). Employees were not accurate at detecting a slight change in the messages, raising concerns over their ability to detect a lateral phishing attack.

The organisational defence against lateral phishing attacks does not appear optimal: practitioners rely heavily on employees' reports and do not find the automated tools useful enough, and consequently carry out manual investigations that consume more time. On the other hand, the processes employees follow when responding to and evaluating potentially suspicious emails from colleagues leave them vulnerable when it comes to detecting lateral phishing messages.
Date of Award: 25 Jul 2024
Original language: English
Awarding Institution:
  • Northumbria University
Supervisors: James Nicholson (Supervisor) & Lynne Coventry (Supervisor)

Keywords

  • cybersecurity practitioners
  • account compromise
  • incident response
  • sophisticated phishing and spear phishing
  • organisational reporting
