It's official: David Brents are the weakest link in phishing attacks

Middle management are increasingly becoming the focus of phishing attacks, according to a new study. Managers received more malicious emails and doubled their click rates year-on-year, according to a study by security company ProofPoint. Senior staff seemed more clued up about dodgy emails, meaning managers and staff clicked …

  1. Richard Taylor 2
    Devil

    Senior management super powers widely misunderstood

    Senior staff seemed more clued up about dodgy emails, meaning managers and staff clicked on links in malicious messages two times more frequently than executives.

    Senior staff frequently, in my experience, have a clued-up secretary (aka admin assistant) to do that for them (and print out the emails they need to read). Nothing to do with innate sense, other than understanding where an activity is above (below?) their pay grade.

    1. king of foo

      Re: Senior management super powers widely misunderstood

      Absolutely. They don't read emails on screen and they certainly don't type/click anything. Dictation all the way.

      1. hplasm
        Angel

        Re: Senior management super powers widely misunderstood

        Jebus. What a boring way to live.

        I'm not surprised they have to get paid so much.

    2. Anonymous Coward
      Anonymous Coward

      Re: Senior management super powers widely misunderstood

      Senior staff frequently, in my experience, have a clued-up secretary (aka admin assistant) to do that for them (and print out the emails they need to read). Nothing to do with innate sense, other than understanding where an activity is above (below?) their pay grade.

      Not always. We (who shall remain unnamed) survived the "I love you" virus at the time entirely unscathed, because we had lots of tech developers around who wouldn't touch uncleared attachments, and we were using Lotus Notes, where sheer usability challenges (that's an understatement) pretty much stopped people opening files.

      However, 2 weeks later we suddenly had one alert come up - a machine had been quarantined after this virus had been detected. Turned out to be the CFO's secretary, who had just returned from holiday and opened the email regardless (she was working backwards in time, and thus missed the warning email). We didn't make much fuss over it, because it should not have gotten to her inbox in the first place - clearly we had not been fast enough with the filters.

      Personally, I find blaming people for IT and security failures not only weak, but pointless. Your job is not to whinge at people; it is to take into account that we're all human (don't tell me you've never made a mistake) and MANAGE that risk. Sorry if that goes against established behaviour, but I cannot blame a secretary for not being an IT security expert. Training and gently making them think may help, but I find it frankly arrogant to label them as a problem. They work there, they form an established risk; factor it in and deal with it.

      In my opinion, it's not users or management that is the biggest risk - it's attitude. Try seeing the world from their side, and the quality and perception of the IT and security you offer will rise spectacularly.

      IMHO, of course :)

      1. Jedit Silver badge
        Coat

        "it's not users or management that is the biggest risk"

        But you acknowledge that management aren't users, at least.

  2. Anonymous Coward
    Anonymous Coward

    Time for a Register checklist?

    One I can print out and put on the wall. I'll take suggestions, but mine roughly starts like this (one shot for every wrong answer; anyone who opens an email with more than three shots will need to justify their actions). If the user phones you up questioning the wording from about 6 on, they should not have an email account.

    1 Are you expecting this mail?

    2 Is it addressed to your email address? (not a group)

    3 Does the body contain your name (correctly spelt/formatted)?

    4 Is the mail in the format you expect from this sender?

    5 Is this sender one you do business with (i.e. not a bank you have no account with)?

    6 Is the mail free of attachments like zips, scr or other vague or unexpected types?

    7 Is it free of links that present very differently from the actual destination? (shown at the foot of the window on hover)

    8 Is it asking you to just click here?

    9 Despite being suspicious, did it come up clean on a web search (google/snopes) for content?

    10 Did you get this at home as well but not want to "risk it" there?
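
Items 6 and 7 of the checklist above are the ones a mail gateway can test mechanically, as is the long 'random' alphanumeric string in a link that identifies which recipient clicked. The following is an added example, not code from the thread or from Proofpoint: it parses the HTML body of a message, compares each link's visible text with the host its href really points to (what the client shows on hover), flags per-recipient tokens, and lists attachments with the extensions item 6 names. The sample message, the domains and the RISKY_EXTENSIONS list are all constructed assumptions for this example.

```python
"""Added example (not from the thread): mechanical checks for checklist
items 6 and 7, plus the long 'random' tracking tokens in links.
The message built below is constructed; all domains are example values and
RISKY_EXTENSIONS is this example's own assumption."""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Item 6: zip and scr from the checklist plus other executable-type
# extensions that should never arrive unexpectedly (assumed list).
RISKY_EXTENSIONS = {".zip", ".scr", ".exe", ".js", ".vbs", ".hta", ".iso"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def collect_links(html_body):
    parser = _AnchorCollector()
    parser.feed(html_body)
    return parser.links


def host_of(url_or_text):
    """Hostname of a URL or a bare 'domain/path' string, lower-cased, 'www.' dropped."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html_body):
    """Item 7: anchors whose visible text looks like a domain or URL but whose
    href goes to a different host. Returns [(visible_text, href), ...]."""
    findings = []
    for href, text in collect_links(html_body):
        if not re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            continue  # visible text is not a hostname/URL; nothing to compare
        if host_of(text) != host_of(href):
            findings.append((text, href))
    return findings


def tracking_tokens(html_body, min_len=24):
    """Links carrying a long alphanumeric run: a per-recipient token that
    tells the sender exactly who clicked. Returns [(href, token), ...]."""
    return [(href, tok) for href, _ in collect_links(html_body)
            for tok in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, href)]


def risky_attachments(msg):
    """Item 6: attachment filenames whose extension is in RISKY_EXTENSIONS."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            out.append(name)
    return out


def check_message(msg):
    """Run all three checks over an EmailMessage and return the findings."""
    html_part = msg.get_body(preferencelist=("html",))
    html_body = html_part.get_content() if html_part is not None else ""
    return {
        "mismatched_links": mismatched_links(html_body),
        "tracking_tokens": tracking_tokens(html_body),
        "risky_attachments": risky_attachments(msg),
    }


# Constructed sample body: a 'click here' link with a 32-character tracking id,
# a lookalike link whose text names the bank but whose href goes elsewhere,
# and an honest help link that should not be flagged.
SAMPLE_HTML = """<html><body>
<p>Dear customer,</p>
<p>Your account is locked. Please
<a href="http://203.0.113.10/login?id=a9F3kQ7xLm2Pq8ZrT1vWn5Yc0Bd4Hj6S">click here</a>
or visit <a href="https://secure-login.example-phish.test/">www.example-bank.test</a>.</p>
<p>Help: <a href="https://www.example-bank.test/help">example-bank.test/help</a></p>
</body></html>"""


def build_sample():
    """Constructed phishing-style message with the HTML above and a zip attachment."""
    m = EmailMessage()
    m["From"] = "Security Team <it-support@example-bank.test>"
    m["To"] = "staff@example.test"
    m["Subject"] = "Action required: account locked"
    m.set_content("Please view this message in an HTML-capable client.")
    m.add_alternative(SAMPLE_HTML, subtype="html")
    m.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                     subtype="zip", filename="invoice.zip")
    return m


if __name__ == "__main__":
    for key, value in check_message(build_sample()).items():
        print(key, value)
```

The honest help link is left alone because only the 'www.' prefix differs; a lookalike such as the second link is reported together with its real destination, which is the information the user is meant to read off the status bar in item 7.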

    1. sandman

      Re: Time for a Register checklist?

      "10 Did you get this at home as well but not want to "risk it" there?" - Brilliant! :-) Please tell me there aren't people who do that!

    2. Anonymous Coward
      Anonymous Coward

      Re: Time for a Register checklist?

      Perhaps:

      - Does the mail have a lot of typos or grammatical errors (more than you would expect from this type of organisation)?

      - are identical errors repeated throughout the mail?

      - If an individual, is the writing style familiar from previous mails?

      I find the above the easiest to spot quickly, particularly if the sender is supposedly UK but the errors are recognisably linguistically different.

      1. Doctor Syntax Silver badge

        Re: Time for a Register checklist?

        "Does the mail have a lot of typos or grammatical errors"

        But can the recipient recognise these?

        1. chr0m4t1c

          Re: Time for a Register checklist?

          I read somewhere that the grammar and typographical mistakes are deliberate.

          Supposedly it makes people who wouldn't fall for the scam ignore the email in the first place as they correctly identify it as dodgy, thus allowing you to end up with a barrel of "easy mark" fish that you can then shoot.

          I guess it's a bit like those police sting operations where they catch people on the run by telling them they've won something and then arresting them when they come to collect.

    3. frank ly

      Re: Time for a Register checklist?

      "7 is it free of links ....."

      Especially the ones that have a long 'random' alphanumeric string that is obviously intended to flag the fact that it was _you_ who clicked the link.

    4. Dr Paul Taylor
      Headmaster

      Re: Time for a Register checklist?

      Good list but I don't understand 9 and you may also want to reword (negate) 8 and 10.

      1. Anonymous Coward
        Anonymous Coward

        Re: Time for a Register checklist?

        Fair cop, but it was a sort of stream-of-thought typed rant inviting input, and I didn't want to spend too long (company time) composing it.

        The Snopes one was pointing at those who get the idea something is wrong but then don't take any unusual part of the wording and look for it out in the real world; often the body is copy-pasted from previous emails, so it should come up on a web search.

        The other post's comment about grammar is 99.9% true, but then once they employ someone with half a clue it's less of a huge flag. I have seen a couple of perfectly formatted emails pretending to come from our own domain with the correct layout, fonts, disclaimer, images etc.

        1. Jamie Jones Silver badge

          Re: Time for a Register checklist?

          Or - call me old fashioned - but how about an email system that doesn't hand over the keys to the kingdom just by opening an email!

  3. All names Taken
    Paris Hilton

    Just thinking ...

    I'd guess that newly created corporate email accounts are close to top of the list too

    1. Rich 11

      Re: Just thinking ...

      Yeah. We see a disproportionate number of new staff falling prey to phishing, usually the ones who haven't yet been to an induction day.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just thinking ... New Staff

        If they are new staff and have only just appeared on your email server then the real question is how the spammers are hitting your new accounts so quickly or your training is so slow.

        It might be worth considering whether everybody and their dog needs external email and internet access; does your company promote employees watching TV and chatting on the company telephones during work hours as well?

        The whole point of the electronic office was to reduce the number of employees who do not bring in revenue and to speed up communications. The business email system as it stands, even ignoring its being an overused attack vector, is costing companies millions in lost man hours as employees wade through pages of emails that typically should never have been sent in the first place. In the UK we now have a huge HR and management overflow whose contribution is to sit spamming your productive employees with what is normally useless/redundant information.

        How about instead just cutting HR back to wages clerks and having competent managers who can filter and channel the information flow to where it is needed? No need to wait for an HR indoctrination or training; the managers can do it when the employee joins the company and update it as the employee needs it. Much better than a bunch of faceless broadcasters who bring in not one penny in revenue and could not replace one of your productive workers who do.

      2. Doctor Syntax Silver badge

        Re: Just thinking ...

        "We see a disproportionate number of new staff falling prey to phishing, usually the ones who haven't yet been to an induction day."

        There's an obvious fix for that. Do I really need to spell it out?

  4. Doctor_Wibble
    Flame

    Timing

    > "and Tuesday is the most active day for clicking, with 17 per cent more clicks than the other weekdays."

    The spam surges tend to happen on the first Monday of any academic term, with additional surges on Tuesdays if there has been a bank holiday so this does make sense even if it's only a proportional increase because 'spam scanning fatigue' kicks in and mistakes happen. Or as above 'risking it' because it is not your problem to fix...

    Simplest solution : ban HTML email for the evil that it is, and then string up whoever it was that made "omg lol beer at 6" turn into 300K of crappy codes to specify that the message appears exactly like it would if it was still just plain fckn text and you can also string up all those people who are too dense to stop sending winmail.dat even after you have told them how to fix it for the 50th time and no I will not post the attachment to some unknown conversion website that turned up on a search WTF is wrong with you...?

    1. Trixr

      Re: Timing

      No, the simplest solution is to use decent RBLs (like Spamhaus) and a proper anti-spam solution at the gateway, and let in as little as possible.

      It's all very well fulminating against HTML in email - although personally, having more complex text look something like printed material rather than your grandma's typewriter suits me (yes, MS's code is shite) - but if you receive a hyperlink in plain text email in clients like Outlook, it "helpfully" linkifies it for you anyway.

      To be fair, a link with some kind of GUID or misdirection in it will show up properly, but you know the idiots will click on those anyway.

  5. Khaptain Silver badge
    Windows

    PHB united

    Most of them don't get into their positions because of their IT skills....

    1. LucreLout

      Re: PHB united

      Most of them don't get into their positions because of their IT skills....

      I'd go further than that, and state that if you work in a large company or any non-IT business [1] then none of the senior management will be there because of their IT skills. They won't be there for any skill at all save two - networking, and managing upwards. There is no beginning to their talents.

      [1] Non-IT business as the CEO thinks about the business, as opposed to what it actually does. Run a bank? Yep, you're an IT business that makes trades or hawks mortgages. Run a bookies? Guess what, you're an IT business that estimates risk and takes and then lays off bets. Run a marketing company? You get the idea......

      1. Alistair
        Coat

        Re: PHB united

        Wait --

        I think you have banks and bookies mixed up.......

        1. Khaptain Silver badge

          Re: PHB united

          They are both the same business really, they spend their time extracting sums of money from their punters.

  6. Doctor Syntax Silver badge

    Time for training

    Engage an outside agency to send emails with such dubious links which, when clicked, order the recipient to report to security PDQ. When they do that they will receive a good bollocking. The second time they're told to clear their desk & report to security.

  7. Zog_but_not_the_first
    Facepalm

    People click on links in "unknown" emails???

    Really?

    1. NotWorkAdmin

      Re: People click on links in "unknown" emails???

      Much as it pains me at times...if users weren't retards I'd be out of a job.

  8. Anonymous Coward
    Anonymous Coward

    Oh well, the current Vodafone CEO's PC was compromised years ago, when he was working as CEO for a different company, through a phishing email sent as if coming from the company IT tech support...

    But I too believe it is true that a lot of this skew depends on who opens emails and how - most executive mail is filtered by an assistant, and they probably read more mail on mobile devices today than on their PCs.

    But years ago, while working for another company, the Kournikova virus spread thanks to two people: an executive, and a developer...

  9. iranu

    I love you virus

    In 2000 I worked for an engineering company that got infected through email with the Valentines Day "I love you" virus. It caused mayhem. When they finally got things back to normal every employee was sent an email by some upper management bod stating that they would face a disciplinary hearing and potentially lose their job if they opened that "I love you" email.

    My how we laughed when two days later the entire system was paralysed for the second time by someone opening that email. The culprit? None other than the author of the email threatening everyone with the sack!

  10. Anonymous Coward
    Anonymous Coward

    So, bored people who spend a lot of time in front of a computer and some decision-making power will inevitably do stupid things? Whodathunk it?

  11. Anonymous Coward
    Anonymous Coward

    head of manufacturing in an international company

    This guy had a very particular way to read/write emails, which he explained to us, just to make sure our email migration wouldn't disrupt it.

    The guy was literally living in planes, traveling from site to site in the US, Europe, Asia, scanning every manufacturing site, then repeating the cycle.

    He had 1 secretary that was staying in one site in Europe.

    When he was in site X, here is how it went:

    - the secretary reads the emails, prints them, faxes all of them to him at site X

    - he would read them, write the responses by hand on them, and fax them back to the secretary

    - the secretary would then reply from his email account

    That was just as mad as a box of mad frogs. Surely he never clicked on a wrong link, as he never even approached an email client!

  12. Elmer Phud

    For a long time now my email has been set up to display only in text - no pictures, no hyperlinks.

    Attachments come through but my head can filter these.

    I just remember those heady days of corporate Outlook set to show everything.

    Also remember working on a helldesk and informing internal middle managers they can rant all they like, but if they thought it was clever to open an email they knew did funny things to the screen - just to show it to a colleague - then it was self-inflicted and they would never get anything higher than a Cat3 fault. After all, some of them worked on and signed off the mail security policy, ffs!

    My own middle-manager was happy to finally get one over on the bean-counters.

  13. Anonymous Coward
    Anonymous Coward

    Bad Grammar

    Is an intentional device placed in the email to filter out the people most likely to spot a scam.

    The poor grammar in spam emails is there to narrow the attack to the daftest and most vulnerable targets. Sad but true.

    The only reliable way to mitigate phishing attacks is whitelisting. Not everyone needs to receive external mail and the majority that do only receive email from specific places / clients.

    I don't understand why email systems can't automatically whitelist people you send to. That way only people you have contacted can get past the spam filter.

    I think full inbound and outbound email is unnecessary for a lot of people in their place of work.

    "Send As" should be abolished as well. Wake up execs, everyone knows you don't send your own email... it's pointless trying to hide it.

    Actually lets just get rid of email. It sucks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bad Grammar

      Whitelisting only removes the possibility of unknowns/unwelcomed sending you email.

      Just today our company has been hit by a flood of emails containing Nasty Links and Infected Zip files that have been sent from an "internal" account. The full analysis has not been run yet, so for the moment the origin/cause/root point is still unknown. I work for a very large company and internal email relates to over 100 000 accounts... so whitelisting doesn't help at all...

      Fortunately only 2 losers have so far clicked the links or zipfiles and BSODed their pcs... Damage has spread no further....phew

      No other choice than A/C..

      1. Vic

        Re: Bad Grammar

        emails containing Nasty Links and Infected Zip files that have been sent from an "internal" account

        I get thousands of mails like that hitting my servers. My SPF record obviates the problem entirely...

        Vic.
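
The two gateway-side ideas in this sub-thread, an allowlist fed automatically from outbound mail (the AC's suggestion) and an SPF record that makes spoofed "internal" senders fail (Vic's point), fit together in one inbound policy. The following is an added example, not Vic's configuration or code from the thread: a minimal SPF evaluator (ip4, include and all with qualifiers, following RFC 7208) over a constructed in-memory stand-in for DNS TXT lookups, and a Gateway class that requires SPF pass for mail claiming our own domain and an allowlist hit for everything else. The domain names, IP ranges and SPF records are all example values.

```python
"""Added example (not from the thread): SPF check plus auto-allowlist as one
inbound gateway policy. DNS_TXT is a constructed stand-in for real TXT
lookups; OUR_DOMAIN, the IP ranges and the records are example values."""
import ipaddress

OUR_DOMAIN = "example.test"

# Constructed DNS TXT answers (assumption: no live resolver in this example).
DNS_TXT = {
    "example.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailrelay.test -all",
    "_spf.mailrelay.test": "v=spf1 ip4:203.0.113.0/26 ~all",
    "partner.test": "v=spf1 ip4:192.0.2.0/24 -all",
}

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Minimal SPF evaluator: ip4, include and all, with qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"  # no policy published: the gateway cannot conclude anything
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in _QUALIFIERS else (term[0], term[1:])
        result = _QUALIFIERS[qualifier]
        name, _, arg = mech.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return result
        if name == "include" and spf_check(arg, client_ip, depth + 1) == "pass":
            return result
        if name == "all":
            return result
    return "neutral"


class Gateway:
    """Inbound policy: SPF for mail claiming our domain, allowlist for the rest."""

    def __init__(self):
        self.allowlist = set()  # external addresses we have mailed ourselves

    def record_outbound(self, rcpt):
        """Auto-allowlist: anyone we send to may mail us back."""
        if rcpt.rsplit("@", 1)[-1].lower() != OUR_DOMAIN:
            self.allowlist.add(rcpt.lower())

    def decide(self, mail_from, client_ip):
        """Decision for one SMTP transaction: envelope MAIL FROM plus peer IP.
        Returns 'accept', 'quarantine' or 'reject'."""
        domain = mail_from.rsplit("@", 1)[-1].lower()
        result = spf_check(domain, client_ip)
        if domain == OUR_DOMAIN:
            # Anything claiming to be us must come from our own senders.
            return "accept" if result == "pass" else "reject"
        if result == "fail":
            return "reject"  # the sender's own policy says this IP may not send for it
        return "accept" if mail_from.lower() in self.allowlist else "quarantine"


if __name__ == "__main__":
    gw = Gateway()
    print(gw.decide("ceo@example.test", "203.0.113.100"))  # spoofed internal sender
    print(gw.decide("bob@partner.test", "192.0.2.9"))      # SPF pass, not yet allowlisted
    gw.record_outbound("bob@partner.test")
    print(gw.decide("bob@partner.test", "192.0.2.9"))      # now allowlisted
```

Two caveats a practitioner would add. SPF is evaluated on the envelope sender (MAIL FROM), not on the From: header the user sees, so a message can pass SPF for some other domain while displaying an internal address; DMARC is what ties the two together. And neither check helps when the "internal" account is real but compromised, since its mail leaves through the organisation's own listed relays and passes.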

    2. Terry 6 Silver badge

      Re: Bad Grammar

      "'Send As' should be abolished as well. Wake up execs, everyone knows you don't send your own email... it's pointless trying to hide it."

      I wish.

      Admins log in to the account with the username and password that the exec should be using. And if said admin is busy/on leave/ill/having lunch etc., someone else is given the credentials to use. Unless they're already on a Post-it note next to the screen.
