It's official: David Brents are the weakest link in phishing attacks

Middle managers are infosec's biggest problem, says study

Middle management are increasingly becoming the focus of phishing attacks, according to a new study.

Managers received more malicious emails and doubled their click rates year-on-year, according to a study by security company ProofPoint.

Senior staff seemed more clued up about dodgy emails, meaning managers and staff clicked on links in malicious messages two times more frequently than executives.

ProofPoint’s Human Factor Report study provides details on the percentage of malicious links in emails that actually get clicked on, and the industries and job roles that are most heavily targeted with phishing.

On average, one of every twenty-five malicious messages delivered are clicked by users. The volume of messages an organisation receives has little to no impact on the click rate: every organisation clicks, and the rate of clicking for an organisation was never zero.

All industries are being targeted with malicious messages, but workers in banking and finance received more then their fair share (41 per cent more than the average). Elsewhere, the higher value of personal health records and insurance cards on the black market are pushing hackers towards targeting organisations in health care and insurance.

Intellectual property theft and the opportunity for direct financial transfers means cybercriminals are attacking previously untouched sectors such as manufacturing, shipping, energy, utilities and even construction.

While malicious messages are largely targeted very evenly across organisational departments, staff in sales, finance and procurement departments clicked on links in malicious messages 50-80 per cent more often than the average departmental click rate. Attackers are targeting corporate financial users with access to payments and funds transfers, rather than indiscriminately spamming all and sundry.

The most-clicked email lures were communication notification lures such as e-fax and voicemail message alerts. Use of social media invitation and order confirmation lures – the most popular and effective email lures last year – decreased dramatically. Email lures that employ attachments rather than URLs, such as invoice and account statement lures, increased significantly as a vector of hacking attacks.

The majority of malicious messages are delivered during business hours – peaking on Tuesday and Thursday mornings – and Tuesday is the most active day for clicking, with 17 per cent more clicks than the other weekdays. ®

Biting the hand that feeds IT © 1998–2021