The 2015 Human Factor Report revealed that last year,cyberattackers “went corporate” by focusing on businesses ratherthan consumers, exploiting middle managers' overload of informationsharing, and trading off attack volume for sophistication.

Proofpoint, Inc., a security and compliance company inSunnyvale, Calif., released the results of its second annual reportdetailing cybercriminals' shifting social engineering tactics to corporate targets. The Proofpointfindings emphasize how human behavior, not simply system orsoftware vulnerabilities, significantly impacts enterprisesecurity, and details what defenses are necessary in a world whereeveryone clicks.

On select days in 2014, Proofpoint saw a 1,000% increase inmessages with malicious attachments over the usual volume. The mostpopular email lures in 2014 included e-fax and voicemailnotifications, and corporate and personal financial alerts.

“The human element is one of the most critical aspects of yoursecurity program, yet it's often the most neglected,” a December2014 Forrester Research report titled “Reinvent Security Awarenessto Engage the Human Firewall” read. “However, this is the problem,security technologies that are critical to protecting yourenvironment are often rendered useless due to easily avoidablehuman factors.”

Yet many organizations still rely solely on legacy, gateway-onlytechnologies for protection, rather than utilizing a layereddefense strategy of blocking, detection and threat responsetechnologies, which are focused on people rather thaninfrastructure.

The 2015 Human Factor Report revealed that on average, usersclick one of every 25 malicious messages delivered. No organizationobserved was able to eliminate clicking on malicious links.

Also, in 2014, managers effectively doubled their click ratescompared to the previous year. Additionally, managers and staffclicked on links in malicious messages two times more frequentlythan executives did.

The report uncovered that sales, finance and procurementdepartment personnel are the worst offenders for clicking on linksin malicious messages – they click 50-80% more frequently than theaverage department personnel do.

In addition, organizations no longer have weeks or even days to find and stopmalicious emails. Attackers are luring two out of threeend-users into clicking on the first day, and by the end of thefirst week, 96% of all clicks have already occurred. Only 39% ofbogus email clicking occurred in the first 24 hours In 2013.However, in 2014, that number increased to 66%.

The majority of malicious messages arrived during businesshours, peaking on Tuesday and Thursday mornings. Tuesday is themost active day for clicking, with 17% more clicks than on theother weekdays.

The use of social media invitation lures, which were the mostpopular and effective type of email bait in 2013, decreased by 94%in 2014. Email lures that employ attachments rather than URLs, suchas message notification and corporate financial alerts, increasedsignificantly as a vector.

“The Human Factor research validates the critical value ofthreat information – and provides insight into how, when and whereattacks are taking place,” Kevin Epstein, Proofpoint's vicepresident of advanced security and governance, said. “The onlyeffective defense is a layered defense, a defense that acknowledgesand plans for the fact that some threats will penetrate theperimeter.

In April, IBM revealed a sophisticated bank funds transferscheme that uses a mixture of phishing, malware and phone calls toappropriate large sums of money from U.S. companies. According toIBM, the attackers have been targeting people working in companiessince last year by sending spam email with unsafe attachments inorder to inject a variation of Dyre malware into as many computers as possible.