If you work in the infosec profession, you most likely know that humans are widely accepted as the weak point in any security setup, but a new report from Proofpoint reiterates how attackers exploit psychology to improve the odds of their attacks succeeding.
The company’s Human Factor Report (sign-up required) provides in-depth analysis of how humans can be exploited by targeted attacks, and reveals just how many dodgy emailed links are clicked by unthinking fingers.
While the overall gist of the report is much as expected, some of the figures are interesting to say the least.
Take, for instance, the number of malicious email links that are clicked on. Personally I would have said that an organisation that does little to educate its staff might be horrified if one percent of the phishing links it receives are given any kind of attention.
In companies that provide training and security awareness, I would expect that figure to be much lower.
But the reality, according to Proofpoint’s research, is that around 4% of malicious links are clicked on by users.
The report reveals that the volume of phishing emails has little bearing on the proportion that are opened, and not one organisation had a zero click-through rate.
Unsurprisingly, malicious emails are non-discriminating, finding their way into firms in all industries. But, as you may already suspect, sectors such as banking and finance receive more than their fair share, getting 41% more than the average for all industries.
Where emails are sent to named individuals or departments, they most likely end up in the inboxes of sales, finance or procurement, which receive them 50-80% more often than other groups within the company.
Members of the management team are also among the most likely to be on the receiving end of a phishing campaign, which may be because Proofpoint found they are twice as likely to click as executives, a situation that has deteriorated significantly since the company completed a similar study last year.
As for the lures that work, Proofpoint says message alerts, social media invites and order confirmation emails are all popular, as are messages carrying malicious attachments rather than embedded URLs.
What are the attackers after?
Proofpoint lists the usual suspects – bank account and user account credentials – but also points out that credit card data, health records and even intellectual property are becoming of interest to online thieves. The moral here: if something has value, someone will want it.
How to stop such an attack?
The report notes that the time between a phishing email being received and acted upon is relatively short, with the majority of clicks happening on the day of receipt. Of all malicious links that were clicked, 96% were clicked within a week of being received.
So, to protect your business, you need to act relatively quickly.
That means technical controls to limit the amount of such email that reaches your employees at all, but it also means having a workforce that knows the risks of clicking on phishing links and, indeed, how to spot such messages in the first place.
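The figures above (click-through rate per organisation, clicks on the day of receipt, clicks within a week) are ones a security team can measure for itself from its own logs, which is the only way to know whether it sits above or below the 4% the report cites. The script below, an added example that is not part of the Proofpoint report or of BH Consulting's material, joins a mail gateway's delivery records for messages later classed as malicious with a web proxy's records of clicks on their links, and computes the same three metrics. The log layout, the field names and every record in it are constructed assumptions for illustration.

```python
"""Measure phishing click-through rate and time-to-click from log data.

Added example; not code from the Proofpoint report or from BH Consulting.
The log layout, field names and every record below are constructed
assumptions: a mail gateway that logs delivery of messages later classed as
malicious ("<msg_id> <recipient> <iso_timestamp>"), and a web proxy that logs
clicks on the rewritten link of a message ("<msg_id> <iso_timestamp>").
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Delivery = Tuple[str, datetime]  # (recipient, delivered_at)


def build_sample_deliveries(n: int = 75) -> str:
    """Constructed gateway log: n malicious messages, one per user, delivered
    five minutes apart starting 2015-06-01 09:00."""
    base = datetime(2015, 6, 1, 9, 0)
    return "\n".join(
        f"m{i:03d} user{i:02d}@example.test {(base + timedelta(minutes=5 * i)).isoformat()}"
        for i in range(n)
    )


# Constructed proxy log. m003 is clicked twice on the day of receipt, m017
# three days later, m031 eleven days later; m999 was never delivered.
SAMPLE_CLICKS = """\
m003 2015-06-01T10:30:00
m003 2015-06-01T11:00:00
m017 2015-06-04T08:00:00
m031 2015-06-12T14:00:00
m999 2015-06-01T09:00:00
"""


def _records(text: str) -> List[List[str]]:
    """Split log text into whitespace-separated fields, skipping blank lines
    and '#' comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def parse_deliveries(text: str) -> Dict[str, Delivery]:
    return {
        msg_id: (recipient, datetime.fromisoformat(ts))
        for msg_id, recipient, ts in _records(text)
    }


def parse_clicks(text: str) -> List[Tuple[str, datetime]]:
    return [(msg_id, datetime.fromisoformat(ts)) for msg_id, ts in _records(text)]


def click_stats(deliveries: Dict[str, Delivery],
                clicks: List[Tuple[str, datetime]]) -> Dict[str, float]:
    """Click-through rate and time-to-click, measured per message on the
    first click only, so repeat clicks and unknown message ids do not
    inflate the numbers."""
    first_click: Dict[str, datetime] = {}
    for msg_id, clicked_at in clicks:
        if msg_id not in deliveries:
            continue  # click on a link we never delivered: log noise, ignore
        if msg_id not in first_click or clicked_at < first_click[msg_id]:
            first_click[msg_id] = clicked_at

    delays = [clicked_at - deliveries[msg_id][1]
              for msg_id, clicked_at in first_click.items()]
    same_day = sum(1 for msg_id, clicked_at in first_click.items()
                   if clicked_at.date() == deliveries[msg_id][1].date())
    within_week = sum(1 for d in delays if d <= timedelta(days=7))
    clicked = len(first_click)
    return {
        "delivered": len(deliveries),
        "clicked_messages": clicked,
        "click_rate": clicked / len(deliveries) if deliveries else 0.0,
        "same_day_fraction": same_day / clicked if clicked else 0.0,
        "within_week_fraction": within_week / clicked if clicked else 0.0,
    }


def sample_stats() -> Dict[str, float]:
    """Run the measurement over the constructed logs."""
    return click_stats(parse_deliveries(build_sample_deliveries()),
                       parse_clicks(SAMPLE_CLICKS))


if __name__ == "__main__":
    for k, v in sample_stats().items():
        print(f"{k:>22}: {v:.3f}" if isinstance(v, float) else f"{k:>22}: {v}")
```

On the constructed data this reports a 4% click rate with one third of first clicks on the day of receipt and two thirds within a week. Counting only the first click per message matters: a user who clicks the same link twice is one compromised inbox, not two, and a proxy entry for a message the gateway never saw is noise rather than a click.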
Kevin Epstein, Proofpoint’s vice president of Advanced Security & Governance, says:
The only effective defense is a layered defense, a defense that acknowledges and plans for the fact that some threats will penetrate the perimeter. Someone always clicks, which means that threats will reach users.
Here at BH Consulting we suggest security awareness training as the appropriate counter, as it can be used to inform your staff of what to look out for and how, ultimately, to protect your business (and the lessons they learn can be put to use to protect themselves away from the work environment too, of course).