Organisations with several thousand employees or more are the most likely to be affected by lateral phishing, where attacks are sent to mailboxes across the organisation from an already compromised internal account, according to a new Threat Spotlight from Barracuda.

Lateral phishing accounts for just under half (42%) of targeted email threats against organisations with 2,000 employees or more, but just 2% of attacks against companies with up to 100 employees.

The findings, which are based on an analysis of targeted email attacks between early June 2023 and the end of May 2024, show that smaller companies are the most likely to be hit with external phishing attacks. These account for 71% of targeted email threats in 12 months, compared to 41% for the largest companies.

Smaller companies also experience around three times as many extortion attacks as their larger counterparts. Extortion attacks comprised 7% of targeted incidents for the smallest businesses, compared to 2% for those with 2,000 employees or more.

The prevalence of business email compromise (BEC) and conversation hijacking remained relatively consistent regardless of company size. 

“All companies, regardless of their size, are vulnerable to email threats, but they are vulnerable in different ways,” said Olesia Klevchuk, director, product marketing at Barracuda.

‘“Larger companies, with many mailboxes and employees, offer attackers more potential entry points, multiple communication channels to disseminate malicious messages across the business, and employees who are likely to trust email messages that appear to come from within the organisation, even if the sender is unfamiliar to them.

“Smaller companies, on the other hand, are less likely to have layered security in place and more likely to have misconfigured email filters due to a lack of in-house skills and resources.”

Barracuda recommends implementing regular security awareness training for employees that includes lateral phishing to keep everyone informed and alert so they can easily spot suspicious emails. Multi-layered, AI-powered defenses are key to detecting and remediating advanced attacks to contain and minimise the impact.

Smaller companies may also wish to consider turning to a managed service provider for additional expertise and support in hardening their security environment against all threats.

To read the blog: https://blog.barracuda.com/2024/07/24/threat-spotlight-company-size-email-threats