The Human Factor 2015: Attackers drive business end-user clicks

Last year, Proofpoint published The Human Factor research report, which described and quantified the role that end-users play in email-borne threats. The report offered a unique, data-driven look at who was clicking on malicious links in emails, what email templates were most effective, when they were most likely to click, where they were clicking, and why they clicked on malicious URLs at such a high rate. In short: company staff were clicking on social media invitation phishing messages delivered in a wave before the start of business, and 20% of these clicks were happening off the corporate network.

This year, Proofpoint threat researchers revisited these questions and analyzed message and click data from 2014, and captured the results in The Human Factor report for 2015. The new findings reveal that in 2014, widespread end-user education succeeded in raising awareness of phishing as a threat, enabling end-users to recognize the most common phishing templates – such as social media invites – and become more wary of unsolicited messages in general. One result of this was a 94% year-over-year decrease in the use of social media invitation email lures.

In response, 2014 was the year attackers ‘went corporate,’ with explicit shifts in approach clearly designed to exploit middle-management and exfiltrate cash. By the end of 2014, cybercriminals were targeting subtly different user populations and employing tactics that looked very different from what users – and automated defenses – had adapted to recognize, specifically:

  • Campaigns focused on businesses and financial access, with less reliance on social media invitations and other personal communication templates.
  • Significant increases in attachment usage, disguised as e-fax, voicemail, or document formats.
  • Balanced attacks that mixed high-volume longline campaigns with strategic web compromises, attachment-based campaigns, and corporate communication and financial email lures.
  • Changed time of distribution to blend in with business high mail-flow times.
  • Designed campaigns that cut off the “long tail” of clickers in favor of more immediate payoff to get around faster-adapting defenses.
  • Refocused on “traditional” endpoint platforms that predominate in business IT environments, such as PCs running Windows and Internet Explorer.

The result? It worked. Every company still clicks; every department and industry is still at risk (though financial industries and sales and marketing continue to be the top target areas); and attackers continue to shift tactics to play on human weaknesses as they siphon money and data from organizations.

The central lesson of 2014 for CISOs is that while user education may have an impact, attackers can always adapt and adjust their techniques more rapidly than end-users can be educated.

Visit to download and read the full report.