How attackers exploit end-users’ psychology

At RSA Conference 2015, Proofpoint released the results of its annual study that details the ways attackers exploit end-users’ psychology to circumvent IT security.


Last year was the year attackers “went corporate” by changing their tactics to focus on businesses rather than consumers, exploiting middle management overload of information sharing, and trading off attack volume for sophistication. Human behavior, not simply system or software vulnerabilities, has significant implications on enterprise security.

Key findings include:

Every organization clicks. On average, users click one of every 25 malicious messages delivered. No organization observed was able to eliminate clicking on malicious links.

Middle management is a bigger target. Representing a marked change from 2013 when managers were less frequently targeted by malicious emails, in 2014 managers effectively doubled their click rates compared to the previous year. Additionally, managers and staff clicked on links in malicious messages two times more frequently than executives.

Sales, Finance and Procurement are the worst offenders. Sales, Finance and Procurement (Supply Chain) were the worst offenders when it came to clicking links in malicious messages, clicking on links in malicious messages 50-80 percent more frequently than the average departmental click rate.

Clicks happen fast. Organizations no longer have weeks or even days to find and stop malicious emails because attackers are luring two-out-of-three end users into clicking on the first day, and by the end of the first week, 96 percent of all clicks have occurred. In 2013, only 39 percent of emails were clicked in the first 24 hours; however, in 2014 that number increased to 66 percent.

Attacks are occurring mostly during business hours. The majority of malicious messages are delivered during business hours, peaking on Tuesday and Thursday mornings. Tuesday is the most active day for clicking, with 17 percent more clicks than the other weekdays.

Users learn, but attackers adapt faster than users can learn. The use of social media invitation lures, which were the most popular and effective email lures in 2013, decreased 94 percent in 2014. Email lures that employ attachments rather than URLs, such as message notification and corporate financial alerts, increased significantly as a vector. During select days in 2014, Proofpoint saw a 1,000 percent increase in messages with malicious attachments over the normal volume. The most popular email lures in 2014 included: e-fax and voicemails notifications, and corporate and personal financial alerts.

“The Human Factor research validates the critical value of threat information—and provides insight into how, when and where attacks are taking place,” said Kevin Epstein, Proofpoint’s vice president of Advanced Security & Governance. “The only effective defense is a layered defense, a defense that acknowledges and plans for the fact that some threats will penetrate the perimeter. Someone always clicks, which means that threats will reach users. Proofpoint’s approach is effective because our systems can determine who those users are, where they are, and what’s happening in real time—and actively protect organizations with real-time automated threat response.”