Though it appears that middle managers are in the crosshairs, Sjouwerman wonders if they are simply victims rather than targets.
"The bad guys don't really care who they send the phishing attacks to; they just find a bunch of email addresses for a particular organization and they send it to everyone," Sjouwerman says. "The first person who clicks gets the bonus of being infected with a Trojan that tunnels into the network. It's more likely that middle managers are under the highest pressure. They start clicking on everything quickly and don't take those two seconds to think, is this a scam or not?"
Persistence also pays off for scammers. Malicious emails are rarely sent in isolation, and some arrive faster than others. A campaign of just 10 emails yields a greater than 90% chance that at least one person will become the criminal's prey, according to Verizon's 2015 Data Breach Investigations Report. Middle managers may click on links and attachments just to make the emails stop, industry-watchers say.
Inside an organization, attackers target all departments fairly evenly, but finance, sales and procurement staff clicked on malicious links 50-80% more on average than other departments, according to the Proofpoint study. These groups have access to payments and funds transfers, an appealing target for phishing scammers.
In Verizon's data breach report, workers in communications, legal and customer services were the most likely culprits to open a phishing email, but the report did not identify the bad clickers by their titles.
Verizon also illustrated how quickly an attacker can get a foot in the door. It examined over 150,000 emails sent as part of sanctioned tests by two of its security awareness partners and measured how much time passed from when the message was sent to when the recipient opened it, and whether they were influenced to click or provide data, which is where the real damage is done. The data showed that nearly 50% of users open emails and click on phishing links within the first hour.
Regardless of whether middle managers are targets or victims, companies must protect them and all employees from the risks, security experts say.
Sjouwerman calls for a six-layer plan, starting with awareness education that includes simulated phishing attacks to continually remind employees of the risks. Security must also be addressed at the firewall, network, computer, application and data layers, he adds.
"Antivirus these days gives you a false sense of security and it's not able to block a lot of these ransomware attacks because they're sitting inside a zip file within a zip file," for instance, Sjouwerman says. "It's the human that's being socially engineered" to open these files, and so awareness programs are critical, he adds.
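The "zip file within a zip file" trick works because a scanner that only looks one archive level deep never sees the payload. The following added example (not code from the article or from KnowBe4) shows the kind of check a mail gateway can apply: it walks nested zip attachments to a bounded depth and reports executable content or encrypted entries it cannot inspect. The extension list, depth limit and sample attachment are assumptions constructed for the demonstration.

```python
import io
import zipfile

# Extensions a gateway would typically flag inside an attachment (assumed list, not exhaustive).
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".hta"}
MAX_DEPTH = 5  # bound the recursion so a deeply nested archive cannot exhaust the scanner


def inspect_archive(data: bytes, depth: int = 0, path: str = "attachment.zip") -> list[str]:
    """Return one finding per suspicious entry, descending into nested zip files."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append(f"{path}: nesting deeper than {MAX_DEPTH} levels, treat as suspicious")
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{path}: not a valid zip archive")
        return findings
    with zf:
        for info in zf.infolist():
            full = f"{path}/{info.filename}"
            lower = info.filename.lower()
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags marks an encrypted entry
                findings.append(f"{full}: encrypted entry, content cannot be scanned")
                continue
            if lower.endswith(".zip"):
                # Recurse: the payload is often one or more levels down.
                findings.extend(inspect_archive(zf.read(info), depth + 1, full))
            elif any(lower.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
                findings.append(f"{full}: executable content at nesting depth {depth + 1}")
    return findings


def build_nested_sample() -> bytes:
    """Constructed sample: an inner zip holding invoice.exe, wrapped in an outer zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.exe", b"MZ placeholder, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("readme.txt", b"please see attached")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_nested_sample()):
        print(finding)
```

A single-level scan of the same sample would see only `invoice.zip` and `readme.txt`; the recursion is what surfaces `invoice.exe`.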