The good news is that Internet users are getting smarter. Compared to 2013, individuals today are less likely to fall for common phishing scams—from unsolicited emails to social media invites. The bad news: attackers have also become more sophisticated, and they have shifted their focus to businesses. POS system breaches dominate the headlines, but new research shows the weakest point of most organizations’ IT security is human, not mechanical.
According to a new Proofpoint report, “The Human Factor 2015,” every department is a target, but the supply chain is among the most vulnerable. Sales, finance and procurement departments are the most likely to fall victim to email scams, clicking on 50 to 80 percent more malicious links than other departments.
Members of the supply chain may click more often, but the truth is, everybody clicks. Proofpoint’s research revealed that not a single company surveyed was able to completely stop employees from clicking malicious links. For attackers, it’s a numbers game: one out of every 25 malicious messages delivered is clicked.
The messages themselves have also become more advanced. Click rates for graphical emails are about six times higher than for plain-text messages. When asked why they clicked, users said the emails didn’t have any of the characteristics of fraudulent email they had been trained to look for. Attackers are now using attachments and piggybacking on legitimate email messages, making it harder for recipients to identify false messages on sight alone. Delivering attachments through third-party URLs also makes it harder for automated screening tools to catch potential attacks: most are tuned to filter URLs that are themselves malicious, not malicious attachments reached through links to trusted sites.
Lures are also specifically targeted at businesses. According to the report, the most common lures are communication notifications (alerts for voicemails or faxes) and financial messages (ACH or wire transfer information). Financial lures rank the highest by volume of messages sent, but lowest in click-through rate. Although rare, a successful wire transfer fraud can net thieves hundreds or millions of dollars. The opportunity for a big payoff compensates for the low rate of success.
Organizations that check for or quarantine suspicious messages on a weekly basis are already too late. Two-thirds of users click a malicious message within the first 24 hours after it is received. By the end of the first week the click rate jumps to 96 percent. Just one year ago, the first-day click-through rate was less than 40 percent.
The majority of malicious emails are sent and clicked during business hours, meaning employees are opening the messages as part of their daily tasks. Message delivery peaks on Tuesdays and Thursdays, mirroring overall email delivery volumes. Tuesday is also the most popular day for clicking.
Although attackers have adjusted their schedule to match the overall rhythm of business, a significant number of clicks still happen outside standard business hours and on weekends. This makes preventing attacks harder once employees are off the corporate network. On average, 20 percent of clicks happen away from the office. A complete protection strategy will need to cover employees both while they are on the company’s network and after they’ve gone home for the night.
The attackers may be evolving, but so are corporate security measures. Educational efforts warning employees about phishing emails that preyed on social media or financial account information spurred a decline in the effectiveness of those scams in 2013 and 2014. Employee training is important, but it is also the last line of defense. Proofpoint’s research shows that relying on end users to identify phishing messages is not enough. Attackers have changed their approach, focusing on tactics designed to subvert the system: attaching phishing messages to legitimate emails and designing messages to better mimic ordinary business requests, often involving procurement matters.
Experts agree that while the situation is serious, posing a threat to businesses across all sectors, the technology to fight back is also improving. A modern approach uses all of the tools available, including the cloud, mobility and Big Data, to deliver real-time, end-to-end detection. The groundwork is being laid as more companies begin to take a layered approach to security. But there is still a large opportunity to do better, and a significant gap in the B2B security market when it comes to combating these lower-profile, but just as harmful, corporate cyberattacks.