Phishing scammers have infiltrated the enterprise and they’re finding easy prey, but it’s not in the C-suite as previously thought. Attackers are exploiting the multitasking, often overloaded middle management ranks, which include the finance manager, senior accountant, and tax manager, among others.
Inside an organization, attackers are evenly targeting all departments, but finance, sales and procurement staff clicked on malicious links 50-80% more on average than other departments, according to the Proofpoint study. These groups have access to payments and funds transfers – an appealing target for phishing scammers.
Today, many “invisible” compromised computers are controlled by attackers without their owners’ knowledge. Data on these machines may be mined and exposed every day, and the machines themselves may be used in various kinds of abuse and criminal activity.
According to the recent Hong Kong Security Watch Report, the number of server-related security events rose sharply from 5,867 to 16,338 (a 178% increase) in Q2 2015. The number of phishing events rose by 168% and reached a record high.
Studies found that managers doubled their click rates on malicious emails in 2014 compared with the previous year, a marked change from 2013, when managers were targeted by malicious emails far less often.
Middle managers are also clicking on emails more quickly. In 2013, 40% of middle managers would click on the first day that a malicious email appeared and 25% took a week. In 2014, two out of three end users clicked on the first day, according to the study. What’s more, managers and staff clicked on links in malicious messages two times more frequently than executives.
Tactics of the bad guys
Some of the bad guys’ tactics include choosing a time of day when email traffic is busiest, which increases the likelihood of a mindless click on a malicious email. Tuesday mornings are a favorite for scammers, with 17% more clicks that day, according to the Proofpoint study. Managers are also falling for simple tactics, such as bogus voicemail attachments marked urgent or fax attachments.
Sjouwerman says email spoofs appearing to come from the company’s IT department requiring a change of password or updated email information are also popular workplace phishing scams.
Though it appears that middle managers are in the crosshairs, Sjouwerman wonders if they are simply victims rather than targets.
“The bad guys don’t really care who they send the phishing attacks to – they just find a bunch of email addresses for a particular organization and they send it to everyone,” Sjouwerman says. “The first person who clicks gets the bonus of being infected with a Trojan that tunnels into the network. It’s more likely that middle managers are under the highest pressure. They start clicking on everything quickly and don’t take those two seconds to think – is this a scam or not?”
Persistence also pays off for scammers. Malicious emails are rarely sent in isolation, and some arrive faster than others. A campaign of just 10 emails yields a greater than 90% chance that at least one person will become the criminal’s prey, according to Verizon’s 2015 Data Breach Investigations Report. Middle managers may click on links and attachments just to make the emails stop, industry-watchers say.
In Verizon’s data breach report, workers in communications, legal and customer services were the most likely culprits to open a phishing email, but the report did not identify the bad clickers by their titles.
Verizon also illustrated how quickly an attacker can get a foot in the door. It examined more than 150,000 emails sent as part of sanctioned tests by two of its security awareness partners, measuring how much time passed from when each message was sent to when the recipient opened it, and whether the recipient went on to click or provide data, which is where the real damage is done. The data showed that nearly 50% of users open emails and click on phishing links within the first hour.
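The two Verizon figures above (the campaign-of-10 probability and the time-to-click measurement) are the kind of metrics an awareness program computes from its own sanctioned phishing tests. The script below is an added example, not code from the article or from Verizon; the campaign log, recipient addresses and the 23% per-recipient rate it is run with are constructed assumptions, not data from the page.

```python
from datetime import datetime, timedelta
from math import ceil, log

# Constructed log from a hypothetical sanctioned phishing test (not real data):
# recipient, time sent, time opened, time the link was clicked ("-" = never).
CAMPAIGN_LOG = """\
alice@example.test,2015-06-02T09:00:00,2015-06-02T09:04:00,2015-06-02T09:05:00
bob@example.test,2015-06-02T09:00:00,2015-06-02T09:41:00,-
carol@example.test,2015-06-02T09:00:00,2015-06-02T13:10:00,2015-06-02T13:12:00
dave@example.test,2015-06-02T09:00:00,-,-
erin@example.test,2015-06-02T09:00:00,2015-06-03T08:30:00,2015-06-03T08:31:00
frank@example.test,2015-06-02T09:00:00,2015-06-02T09:20:00,2015-06-02T09:58:00
"""

def _ts(field):
    """Parse an ISO timestamp field; "-" means the event never happened."""
    return None if field == "-" else datetime.fromisoformat(field)

def parse_log(text):
    """Return [(recipient, sent, opened, clicked)] with datetimes or None."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            who, sent, opened, clicked = line.split(",")
            rows.append((who, _ts(sent), _ts(opened), _ts(clicked)))
    return rows

def latency_metrics(rows, window=timedelta(hours=1)):
    """Open/click rates over all recipients, plus the share of recipients
    whose open or click happened within `window` of the send time."""
    n = len(rows)
    opened = [o - s for _, s, o, _ in rows if o is not None]
    clicked = [c - s for _, s, _, c in rows if c is not None]
    return {
        "open_rate": len(opened) / n,
        "click_rate": len(clicked) / n,
        "opened_within_window": sum(d <= window for d in opened) / n,
        "clicked_within_window": sum(d <= window for d in clicked) / n,
    }

def p_at_least_one(per_recipient_rate, n_messages):
    """Probability that at least one of n independently targeted recipients bites."""
    return 1 - (1 - per_recipient_rate) ** n_messages

def messages_needed(per_recipient_rate, target):
    """Smallest campaign size whose at-least-one probability reaches `target`."""
    return ceil(log(1 - target) / log(1 - per_recipient_rate))

if __name__ == "__main__":
    print(latency_metrics(parse_log(CAMPAIGN_LOG)))
    print(p_at_least_one(0.23, 10), messages_needed(0.23, 0.9))  # assumed 23% rate
```

With an assumed 23% per-recipient success rate, nine messages are already enough to push the chance of at least one victim past 90%, which is why filtering that stops most of a campaign still leaves the awareness and response layers doing real work.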
Regardless of whether middle managers are targets or victims, companies must protect them and all employees from the risks, security experts say.
Verizon calls for a three-point approach to protecting employees from phishing scams: better email filtering before messages arrive in users’ inboxes, a security awareness program, and improved detection and response capabilities.