Hackers are shifting their attacks to middle-managers in a bid to steal more cash from corporations, according to the security vendor Proofpoint.
Despite starting last year reliant on social media lures, the cybercriminals were found orienting their campaigns towards business and financial access, with schemes involving social media falling by 94%.
Kevin Epstein, VP of advanced security and governance at Proofpoint, said: "The only effective defence is a layered defence, a defence that acknowledges and plans for the fact that some threats will penetrate the perimeter.
"Someone always clicks, which means that threats will reach users."
In further evidence of a move away from opportunistic campaigns, the hackers behind the campaigns investigated by Proofpoint were found finely adapting their strategy to hit the intended target.
The vendor found the hackers had upped their use of attachments, e-fax and voicemail, and were also sending their messages to correspond to when targets were sending and receiving lots of emails.
Even though cybersecurity staff persistently warn about spam messages, one in 25 of the malicious emails found by Proofpoint had their links clicked.
Departments like sales, finance and procurement were also said to be 50-80% more likely to click on bad links than other parts of the business.
"Every company still clicks; every department and industry is still at risk (though financial industries and sales and marketing continue to be the top target areas)," Proofpoint said.
"Attackers continue to shift tactics to play on human weaknesses as they siphon money and data from organisations."
The company argued that workers’ training in spotting previous signs of malicious emails had been undermined because of the development of new tactics.
Among the tactics used to steal credentials was a phishing page that spoofed Microsoft Outlook Web Access, a widely used remote login system for email.
"The central lesson of 2014 for CISO’s [chief information security officers] is that while user education may have an impact, attackers can always adapt and adjust their techniques more rapidly than end-users can be educated," Proofpoint said.