New report reveals significant email attack vulnerabilities based on company size
Large organisations with several thousand employees or more are most likely to be targeted by lateral phishing attacks, according to a new Threat Spotlight from Barracuda Networks. These attacks, initiated from an already compromised internal account, target mailboxes across the organisation. The report reveals that lateral phishing accounts for 42 per cent of targeted email threats against organisations with 2,000 employees or more, compared to just 2 per cent for companies with up to 100 employees.
The findings, based on an analysis of targeted email attacks from early June 2023 to the end of May 2024, indicate that smaller companies are more susceptible to external phishing attacks. These attacks comprised 71 per cent of targeted email threats against smaller companies in the past 12 months, compared to 41 per cent for larger companies.
Smaller companies also face approximately three times as many extortion attacks as larger firms. Extortion attacks accounted for 7 per cent of incidents for the smallest businesses, compared to 2 per cent for those with 2,000 employees or more. The prevalence of business email compromise (BEC) and conversation hijacking remained relatively consistent regardless of company size.
“All companies, regardless of their size, are vulnerable to email threats, but they are vulnerable in different ways,” said Olesia Klevchuk, director of product marketing at Barracuda. “Larger companies, with many mailboxes and employees, offer attackers more potential entry points and multiple communication channels to disseminate malicious messages across the business. Employees are likely to trust email messages that appear to come from within the organisation, even if the sender is unfamiliar. Smaller companies, on the other hand, are less likely to have layered security and more likely to have misconfigured email filters due to a lack of in-house skills and resources.”
The report recommends implementing regular security awareness training for employees that includes lateral phishing to keep everyone informed and alert to suspicious emails. Multi-layered, AI-powered defences are crucial for detecting and remediating advanced attacks to minimise impact. Smaller companies may also consider using a managed service provider for additional expertise and support in strengthening their security environment against all threats.

