A study by Proofpoint found that in 2016 99 percent of email-based financial fraud attacks required a person to click on a link or attachment to download the malware.

It would seem people are their own worst enemy when it comes to protecting their data, and cybercriminals have fully taken advantage of this fact.

A study by Proofpoint found that in 2016, 99 percent of email-based financial fraud attacks required a person to click on a link or attachment rather than use an automated exploit kit to download the malware. Within that total, an interesting breakdown emerged: certain types of attack took precedence on certain days of the week, and more people tended to click on malicious URLs during the middle part of the work day.

Why certain malicious behaviors happened on certain days was not fully explained, but the breakout is intriguing.

  • Monday: keyloggers and backdoors favor the first day of the work week
  • Tuesday: ransomware is at its highest level
  • Wednesday: a peak day for Banking Trojans
  • Thursday: cybercriminals “throwback” to malicious email attachments
  • Friday: point-of-sale campaigns are delivered before the weekend

However, more detail on why the bad guys time their emails to arrive at certain times of the day was revealed.

“The data suggests attackers are very aware of human behavioral weakness. For example, many office workers are attempting to catch up on email on mobile devices at lunchtime; it's more likely that they'll click without pausing to consider warning signs, context, and ramifications when they're distracted and under time pressure,” Kevin Epstein, Proofpoint's vice president of threat operations, told SC Media.

The report showed that those who do fall victim to these attacks do so rather quickly, with 25 percent clicking within 10 minutes, which helps explain the targeting of lunch time. Meanwhile, 87 percent of the clicks on malicious files take place within 24 hours of receipt. Knowing these details is important, Proofpoint noted, because it tells companies that they have to identify malicious emails very quickly.

“Quickly detecting malicious messages that are delivered and clicked is vital to reducing their potential impact. Organizations should deploy solutions that can proactively flag already-delivered messages and block clicked URLs found to be malicious after delivery,” the report states.

Another indicator discovered was that while email threats arrive every day, cybercriminals favor Wednesday and Thursday as delivery days, while Thursday and Friday are almost exclusively the times when point-of-sale campaigns are initiated, as people look to buy stuff for the weekend.

“It's likely that Point of Sale malware is similarly delivered at a time when not only are targeted recipients less discriminating – end of week – but that the timing enables PoS malware to then be installed and collect data during peak retail times – weekend – which are also likely to be times when IT SOCs are less well staffed,” Epstein said.

And since the majority of the scams target businesses, Saturday and Sunday are traditionally quite slow.

Proofpoint was also able to show that those creating the phishing emails are smart enough to stick with what works. The top five lures used to entice a victim into opening and clicking in an email remained consistent between 2015 and 2016. Emails claiming to be about a person's Apple account were used 25 percent of the time, Microsoft OWA 17 percent, Google Drive 12.9 percent, USAA accounts 12.4 percent and PayPal 10.6 percent.

“As was the case the year before, 2016 delivery volume did not correlate to click rates. Phishing messages designed to steal Apple ID were the most sent, for example, but Google Drive phishing links were the most clicked. Accounts used to share files and images—such as Google Drive, Adobe Creative Cloud, and Dropbox—are the most effective lures,” the report said.

Click rates on the various lures also varied greatly depending upon the size of the campaign. For smaller attacks that contained around 100 messages, an email supposedly from the local post office was most effective, with a 78.6 percent click rate, followed by WeTransfer and Metro Shared Document.

When the number of emails sent in a campaign was ramped up into the 20,000 range, this changed: emails using a Dropbox account lure became the most clicked, at 13.6 percent, followed by Adobe and Google Drive.

While the type of lures used has not changed much over the last few years, what is different is that people are now more likely to click on a mobile device and not a desktop. In 2014, 91 percent of user clicks were done on desktops running a Windows OS, but in 2016 this figure dropped to 44.7 percent, with Android devices, at 37 percent, and Mac iOS, 5.2 percent, now almost matching Windows.

What all this means is corporations have to focus their cybersecurity efforts on very specific items that will stop the malicious emails before they appear in a worker's inbox, such as having countermeasures in place to find malicious attachments and URLs, providing security on employees' mobile devices and employing a cloud-based sandbox analysis service.