Who’s clicking on what, when and where are they clicking and why on earth are they doing it?
Those were all questions Proofpoint was looking to answer in its recent The Human Factor white paper, developed from three months of data from the company’s Targeted Attack Protection product.
According to Proofpoint, 76% of IT security and operations staff said that during the last 12 months their organisation had been impacted in some way by malware that circumvented their intrusion detection system and antivirus solution.
Meanwhile, the Verizon 2013 DBIR found that 95% of targeted and APT-driven threats began with an email-based spear-phishing attack, which indicates that social engineering, targeted email attacks and other sophisticated email approaches are becoming the dominant form of attack against organisations.
Why are such attacks successful?
The main issue, of course, is that people keep clicking on things the security team would rather they left well alone.
Proofpoint’s own data shows that the lowest click rate on malicious emails within any organisation was 1%, whilst the worst offender had a click-through rate of 50%.
Who is clicking?
The company discovered that it wasn’t just a few serial offenders clicking on everything, though: around 40% of the malicious links were accessed by one-off clickers, which goes to show how widespread a problem this can be for business.
Interestingly, the research also went some way towards dispelling a myth I have often heard, which is that C-level employees are targeted more often by phishing attacks because they generally have a larger level of access to the firm’s systems. Instead, it seems, low-level employees are far more likely to receive attention from those with malicious intent, perhaps because a foothold on any account is enough for an attacker to move laterally through the network.
Proofpoint also discovered that every business sector is attacked. Whilst areas such as finance and healthcare certainly continue to attract a high level of attention, other less obvious sectors also experience a high volume of attacks. The size of an organisation was also found to have little bearing on the average number of phishing attempts made per user.
What are they clicking on?
The white paper found that emails with a social-networking angle are the juiciest fruit, with many corporations allowing messages from the likes of LinkedIn to flow into their email accounts. The trust and relevance associated with LinkedIn in a business setting mean that spoofed emails from the brand receive twice as many clicks as any other template.
When do people click?
Many people think that attackers send phishing emails to businesses at the end of the working day or just before the weekend, so as to encourage a hurried member of staff to open them without sparing much time for thought.
This research, however, found no such pattern: malicious links are sent at all times of the business day, and users have been found to click on them up to a month after initial delivery.
Where does the clicking occur?
Contrary to what you may think, only 10% of clicks come from mobile devices, despite a report from Venturebeat.com suggesting that 65% of email is first accessed on such devices. The remaining 90% come from users’ computers, though 1 in 5 of those clicks occurs when the machine is outside the corporate firewall.
So why are people still clicking?
Since the advent of email, humans have been conditioned to open messages and click on links, because that’s how the system is supposed to work (in the absence of threats).
Interestingly though, the Proofpoint research found that users may have developed some security awareness in this area: those who received an average of one suspect email per month were quite unlikely to click on the link. As the number of malicious emails received per month increased, so did the likelihood that they would be effective, perhaps because the user’s own ability to filter diminishes with volume. More surprising, perhaps, was the increased risk of a user clicking when they received phishing emails far less often, which I can only imagine is down to them forgetting their training through lack of need to fall back on it.
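The figures in the sections above (per-user click rates, the share of clicks from one-off clickers, how long after delivery a click happens, mobile versus computer, inside versus outside the corporate network, and click rate against monthly volume) are all things you can measure from your own gateway’s URL-rewrite and click telemetry. The script below is an added example written for this page, not Proofpoint’s code or any output of Targeted Attack Protection. The CSV layout, the sample rows and the corporate address range (10.0.0.0/8) are all constructed assumptions; map your own export onto the same columns.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed sample log, not real telemetry. Column layout is an assumption:
# event (deliver|click), user, msg_id, timestamp (UTC ISO 8601), and for
# click rows the user_agent and client_ip. Every msg_id here is a message the
# gateway later classed as malicious, so delivery rows are the denominator.
SAMPLE_LOG = """event,user,msg_id,timestamp,user_agent,client_ip
deliver,alice,m1,2014-03-03T09:12:00,,
deliver,alice,m2,2014-03-10T14:40:00,,
deliver,bob,m3,2014-03-04T08:05:00,,
deliver,bob,m4,2014-03-06T17:55:00,,
deliver,bob,m5,2014-03-20T11:00:00,,
deliver,bob,m6,2014-03-25T11:00:00,,
deliver,carol,m7,2014-03-05T10:00:00,,
deliver,dave,m8,2014-03-07T13:30:00,,
click,alice,m1,2014-03-03T09:15:00,Mozilla/5.0 (Windows NT 6.1) Chrome/33.0,10.1.2.3
click,bob,m3,2014-03-04T08:06:00,Mozilla/5.0 (Windows NT 6.1) Chrome/33.0,10.1.2.7
click,bob,m4,2014-04-02T19:10:00,Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) Mobile/11A465,198.51.100.20
click,bob,m5,2014-03-21T08:00:00,Mozilla/5.0 (Windows NT 6.1) Chrome/33.0,203.0.113.9
click,dave,m8,2014-03-07T13:31:00,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.75,10.1.5.5
"""

# Assumption: the organisation's own address space. A click from any other
# address is counted as "outside the corporate firewall".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MOBILE_TOKENS = ("Mobile", "iPhone", "iPad", "Android")


class Delivery(NamedTuple):
    user: str
    delivered_at: datetime


class Click(NamedTuple):
    user: str
    msg_id: str
    clicked_at: datetime
    user_agent: str
    client_ip: str


def parse_log(text):
    """Deliveries keyed by msg_id, plus every click that has a matching delivery.
    A click with no delivery row has no latency and no denominator, so it is dropped."""
    rows = list(csv.DictReader(io.StringIO(text)))
    deliveries = {r["msg_id"]: Delivery(r["user"], datetime.fromisoformat(r["timestamp"]))
                  for r in rows if r["event"] == "deliver"}
    clicks = [Click(r["user"], r["msg_id"], datetime.fromisoformat(r["timestamp"]),
                    r["user_agent"], r["client_ip"])
              for r in rows if r["event"] == "click" and r["msg_id"] in deliveries]
    return deliveries, clicks


def click_rate_by_user(deliveries, clicks):
    """Malicious clicks / malicious deliveries per user; repeat clicks on one message count."""
    delivered = Counter(d.user for d in deliveries.values())
    clicked = Counter(c.user for c in clicks)
    return {u: clicked[u] / n for u, n in delivered.items()}


def one_off_clicker_share(clicks):
    """Fraction of all clicks made by users who clicked exactly once."""
    if not clicks:
        return 0.0
    per_user = Counter(c.user for c in clicks)
    return sum(1 for n in per_user.values() if n == 1) / len(clicks)


def max_click_latency_days(deliveries, clicks):
    """Longest gap between delivery and click, in days (the 'a month later' case)."""
    gaps = [(c.clicked_at - deliveries[c.msg_id].delivered_at).total_seconds() / 86400
            for c in clicks]
    return max(gaps, default=0.0)


def is_mobile(user_agent):
    return any(tok in user_agent for tok in MOBILE_TOKENS)


def is_corporate(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # blank or malformed address: treat as outside the perimeter
    return any(addr in net for net in CORPORATE_NETS)


def device_and_location_shares(clicks):
    """(share of clicks from mobile, share of computer clicks made outside the corporate network)."""
    if not clicks:
        return 0.0, 0.0
    computers = [c for c in clicks if not is_mobile(c.user_agent)]
    outside = [c for c in computers if not is_corporate(c.client_ip)]
    mobile_share = (len(clicks) - len(computers)) / len(clicks)
    outside_share = len(outside) / len(computers) if computers else 0.0
    return mobile_share, outside_share


def click_rate_by_monthly_volume(deliveries, clicks):
    """Click rate bucketed by how many malicious emails a user got in a month.
    Clicks are attributed to the month the message was delivered in."""
    month = lambda d: (d.user, d.delivered_at.strftime("%Y-%m"))
    volume = Counter(month(d) for d in deliveries.values())
    clicked = Counter(month(deliveries[c.msg_id]) for c in clicks)
    totals = defaultdict(lambda: [0, 0])  # monthly volume -> [clicks, deliveries]
    for key, n in volume.items():
        totals[n][0] += clicked[key]
        totals[n][1] += n
    return {n: c / d for n, (c, d) in sorted(totals.items())}


def summarize(text):
    deliveries, clicks = parse_log(text)
    rates = click_rate_by_user(deliveries, clicks)
    mobile, outside = device_and_location_shares(clicks)
    return {
        "min_user_click_rate": min(rates.values(), default=0.0),
        "max_user_click_rate": max(rates.values(), default=0.0),
        "one_off_clicker_share": one_off_clicker_share(clicks),
        "max_latency_days": max_click_latency_days(deliveries, clicks),
        "mobile_share": mobile,
        "computer_clicks_outside_share": outside,
        "rate_by_monthly_volume": click_rate_by_monthly_volume(deliveries, clicks),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run it as-is to see the metrics for the constructed rows; in practice you would feed it a month or more of real export and watch the per-user rates and the monthly-volume buckets over time, which is where the "one a month is fine, more or far fewer is not" effect described above would show up.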
So what can be done to limit the likelihood of employees clicking on malicious links?
Proofpoint’s report makes several sound recommendations, including a variety of technical and automated methods to mitigate the associated risks via a combination of controls and ongoing monitoring.
More importantly, as you would imagine, the report focuses on the human element that so often proves to be the key to a successful phishing campaign.
Whilst technical solutions are a must (and I’m sure you all have your favourites), the threat posed by malicious email links can also be mitigated by an engaging security training and awareness campaign that reaches people at all levels within an organisation.
The fact that the report found no organisation with a zero click rate shows, however, that such a strategy needs to be ongoing, and not used in isolation, in order to be effective.
Thanks to Mark Sparshott, EMEA Director of Channels, Alliances & OEM at Proofpoint. Read the full report here.