Phishing scammers have infiltrated the enterprise and they're finding easy prey, but it's not in the C-suite as previously thought. Attackers are exploiting the multitasking, often overloaded middle management ranks, according to research by security and compliance firm Proofpoint.
"2014 was clearly the year that attackers went corporate, and they targeted middle management because it's profitable," says Kevin Epstein, vice president, advanced security and governance. The study examined more than a million workers' email and social media activities at work over a one-year period.
The study found that managers' click rates on malicious emails doubled in 2014 compared with the previous year, a marked change from 2013, when managers were targeted far less often.
What makes middle managers an easy target? "Our suspicion is they're under pressure to move through emails faster or the email itself is more compelling" than in previous scams, Epstein says.
Middle managers are also clicking on malicious emails more quickly. In 2013, 40% of middle managers clicked on the first day a malicious email appeared and 25% took a week. In 2014, two out of three end users clicked on the first day, according to the study. What's more, managers and staff clicked on links in malicious messages twice as often as executives.
When employees click on a malicious email within the first 24 hours, "as a defender you don't have much time," he says. "If the email makes it through that gateway, bad guys start pulling data out of your company within hours of it being installed."
Proofpoint drew on data gathered by its own products, which record exactly which users clicked on bad links. Billions of incoming and outgoing emails and social media messages were collected from a subset of its corporate customers. Proofpoint doesn't normally have access to job-title data, but for the study the customer group supplied the job titles of the users who clicked. Using that data, "we're able to see trends in what sort of functions and levels are being targeted," Epstein says.
Cybercriminals are indeed targeting the enterprise, says Stu Sjouwerman, CEO of security awareness training company KnowBe4. "I can certainly see why [middle managers] would have a click load increase. The average person gets 40 emails a day. Middle management gets 100 to 200 [emails] a day. That would get double or triple click-through rates compared to the average worker in an office," he says.
Some of the attackers' tactics include sending at the time of day when email traffic is busiest, which increases the likelihood of a mindless click on a malicious email. Tuesday mornings are a favorite for scammers, with 17% more clicks that day, according to the Proofpoint study. Managers are also falling for simple lures, such as bogus voicemail attachments marked urgent, or fake fax attachments. Sjouwerman says spoofed emails that appear to come from the company's IT department and demand a password change or updated email details are also popular workplace phishing scams.
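The lures described above (a sender posing as the internal IT department, a credential-change request, an "urgent" voicemail or fax attachment that is really an executable) are easy to express as mail-gateway triage rules. The following is an added example written for this page, not code from Proofpoint or KnowBe4; the internal domain `example.com`, the rule names, and the sample messages are all constructed assumptions.

```python
"""Heuristic triage of the phishing lures described in the article.

Added example, not Proofpoint's or KnowBe4's code. It scores constructed
message metadata for the lure patterns the article names: an "IT
department" display name on mail from an external domain, a request to
change a password or update email details, and an urgent voicemail/fax
attachment whose real extension is executable.
"""
import os
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the defended organisation's domain

# Display names attackers borrow from internal support functions.
IT_NAMES = ("it department", "it support", "helpdesk", "help desk", "service desk")
# Phrases typical of credential-harvesting lures.
CREDENTIAL_WORDS = ("change your password", "password will expire",
                    "update your email", "verify your account")
# Voicemail/fax pretexts used to get an attachment opened.
LURE_WORDS = ("voicemail", "voice message", "fax", "efax")
# Final extensions that execute (or unpack to something that executes)
# when double-clicked, even behind a decoy like "message.wav.exe".
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".jar", ".zip", ".htm", ".html"}


@dataclass
class Message:
    display_name: str
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Domain part of an address; From: can be spoofed, so this is one signal only."""
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> list:
    """Return the list of lure rules the message matches, in a fixed order."""
    reasons = []
    name = msg.display_name.lower()
    text = (msg.subject + " " + msg.body).lower()

    # 1. Claims to be internal IT but arrives from outside the organisation.
    if sender_domain(msg.sender) != INTERNAL_DOMAIN and any(w in name for w in IT_NAMES):
        reasons.append("it_display_name_external_sender")

    # 2. Asks the reader to change a password or update email details.
    if any(w in text for w in CREDENTIAL_WORDS):
        reasons.append("credential_change_request")

    # 3. Voicemail/fax pretext carrying an executable attachment.
    for attachment in msg.attachments:
        lower = attachment.lower()
        ext = os.path.splitext(lower)[1]          # last extension wins: ".wav.exe" -> ".exe"
        lure = any(w in lower for w in LURE_WORDS) or any(w in text for w in LURE_WORDS)
        if lure and ext in EXECUTABLE_EXTS:
            reasons.append("voicemail_fax_lure_with_executable_attachment")
            break

    # 4. Urgency only counts as a cue when it accompanies another lure pattern,
    #    otherwise every genuinely urgent internal email would be flagged.
    if reasons and "urgent" in msg.subject.lower():
        reasons.append("urgency_cue")
    return reasons


# Constructed sample messages (not real captured mail).
SAMPLES = [
    Message("IT Department", "it-support@mail-notify.net",
            "URGENT: password expires today",
            "Your password will expire in 24 hours. Click here to change your password."),
    Message("Voicemail Service", "no-reply@example.com",
            "New voicemail (urgent)",
            "You have a new voice message attached.",
            ["VoiceMail_0421.wav.exe"]),
    Message("Alice Chen", "alice.chen@example.com",
            "Q3 budget", "Draft attached for review.", ["q3_budget.xlsx"]),
]


def triage_all(msgs=SAMPLES) -> dict:
    """Map each sample subject to its matched rules."""
    return {m.subject: triage(m) for m in msgs}


if __name__ == "__main__":
    for subject, reasons in triage_all().items():
        print(f"{subject!r}: {reasons or 'clean'}")
```

The second sample shows why the sender domain is only one signal: the From: address looks internal, so the message is caught by the attachment rule alone. In a real gateway these rules would sit behind SPF/DKIM/DMARC results rather than replace them.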