Email-borne threats: Watch your inbox closely on Thursdays

Malicious email attachment message volume spikes more than 38% on Thursdays over the average weekday volume. Ransomware attackers in particular favor sending malicious messages Tuesday through Thursday. On the other hand, Wednesday is the peak day for banking Trojans. Point-of-sale (POS) campaigns are sent almost exclusively on Thursday and Friday, while keyloggers and backdoors favor Mondays.

In general, cyberattackers are relying more than ever on exploiting people instead of software flaws to install malware, steal credentials/confidential information, and transfer funds, says Proofpoint.

Email-borne threats analyzed, categorized

The company’s annual Human Factor report, based on analysis of attack attempts across more than 5,000 worldwide enterprise customers throughout 2016, has also revealed that:

Business email compromise (BEC) attack message volume rose from 1% in 2015 to 42% by the end of 2016 relative to emails bearing banking Trojans.
BEC attacks, which have cost organizations more than $5 billion worldwide, use malware-free messages to trick recipients into sending confidential information or funds to cybercriminals. BEC is the fastest growing category of email-based attacks.

Someone will always click—and fast.
Nearly 90% of clicks on malicious URLs occur within the first 24 hours of delivery with 25% of those occurring in just ten minutes, and nearly 50% of clicks occur within an hour. The median time-to-click (the time between arrival and click) is shortest during business hours from 8 a.m. to 3 p.m. EDT in the U.S. and Canada, a pattern that generally holds for the U.K. and Europe as well.

More than 90% of malicious email messages that featured nefarious URLs led users to credential phishing pages.
And a full 99% of email-based financial fraud attacks relied on human clicks rather than automated exploits to install malware. Phishing messages designed to steal Apple IDs were the most sent, but Google Drive phishing links were the most clicked.

Half of the clicks on malicious URLs occur on devices that are outside the purview of enterprise desktop management.
Forty-two percent of clicks on malicious URLs were made from mobile devices, double the long-running rate of 20%. And 8% of clicks occur on potentially vulnerable versions of Windows for which security patches are no longer available.

Social media fraudulent support account phishing increased 150% in 2016.
During these attacks cybercriminals create a lookalike social-media account posing as the customer-service account of a trusted brand. When someone tweets to a company looking for help, the attacker swoops in.

Attackers understand email habits and send most email messages in the 4-5 hours after the start of the business day, peaking around lunchtime.
Users in the U.S., Canada, and Australia tend to do most of their clicking during this time period, while French clicking peaks around 1 p.m. Swiss and German users don’t wait for lunch to click; their clicks peak in the first hours of the working day. U.K. workers pace their clicking evenly over the course of the day, with a clear drop in activity after 2 p.m.