"We're battling thousands of years of evolution," says Kevin Epstein, vice president of the Threat Operations Center at Proofpoint. "It's natural to be curious about things. Unfortunately, with email scams, it's better to think before you click."
One more reason we – the collective “we,” that is – continue clicking on malicious links or downloading bogus attachments, despite being told not to: hackers have gotten much better at pretending to be someone they're not, using social engineering to slip past our guard by masquerading as someone else.
It's worked, too. An employees at Seagate was recently the victim of an email phishing scam that lead to the release of W-2s of past and current employees, W-2s that include Social Security numbers and salaries among other personal information. An employee at Snapchat was also just phished into sending out payroll information into the wrong hands.
"Criminals are getting a little bit more sophisticated," says Seth Hamman, assistant professor of computer science at Cedarville University. "The ones making the headlines now are probably not emails with bad grammar or infantile attempts to trick people."
Why it works
You'd think that, by 2016 we'd be smart enough to know not to download anything from anyone we don't know and not to click on links from unknown sources. And generally we are. But hackers are using social engineering to makes their true intentions - and even where those emails are coming from.
In its "The Human Factor 2016" report, Proofpoint found that last year, hackers were much more likely to use email scams to get at us, and that 99.7 percent of documents used in attachment-based campaigns relied on social engineering and macros to work. They also found that 98 percent of URLs in scam messages link to hosted malware. In both cases, criminals relyed on users to put the hack onto computers themselves.
"Attackers are leveraging what's been hard wired into our DNA," says Epstein. "Curiosity killed the cat. Curiosity also gets you malware."
Hackers also know when to go in for the kill. Proofpoint found that emails come in at from 9 to 10 a.m., and that Tuesdays are heaviest delivery days. These windows are chosen because that's a time when receivers of those emails may have their guard down: not on Monday when you're right back to work but Tuesday after you've caught up for the weekend, but at a time when you may not have had your coffee yet and are rushing to your first meeting.
Plus, the attachments tend to be what they say they are. "The attachment will claim to be a video file or a Word document and you open it and it will play a video or you will see a Word document. But it's also doing other things in the background," says Epstein.
Sign up for Computerworld eNewsletters.