Researchers sent simulated phishing messages to employees at more than 3,500 small and midsize enterprises (SMEs) and found that recipients at nearly 500 companies, or 15 percent, clicked on a link contained in the message.
Clicking brought users to a page informing them that they had just taken part in phishing research.
Those within the travel, education, financial, government, and IT fields were most likely to click on the links.
“The problem is that SMEs are focused on growth and not so much focused on security,” Stu Sjouwerman, founder and CEO of KnowBe4, told SCMagazineUS.com on Monday.
Employees at 25 percent of travel firms included in the study responded to the simulated attack, as did nearly 23 percent of those in both education and financial services industries. Rounding out the top five were government services, where 21 percent of workers fell for the ruse, and IT services, where 20 percent of the targets responded, according to the study.
Some SMEs – particularly those in the education and travel industries – don't have adequate budget, in-house expertise or support from top-level management to protect their networks and train employees about security threats, Sjouwerman said, adding that those in IT services, on the other hand, may think they can rely on firewalls and anti-virus technologies to stop phishing attacks.
“[Phishing] isn't a technology problem,” he said. “It is a people problem.”
Researchers conducted the experiment by first harvesting business domain names off the website of Inc. magazine, which maintains an annual list of the fastest-growing private U.S. companies. Using a free data gathering tool called Maltego, researchers then scanned the internet to find email addresses associated with those domains.
The researchers sent the simulated phishing emails to about 40,000 email addresses, or 12 messages per company. These were successfully delivered to about 29,000 recipients across 3,037 businesses.
Sjouwerman said his company could face legal risks for delivering unsolicited email to organizations, but after running the idea by his company's lawyers, he decided to go ahead.
“[Our lawyers] looked at this in the light of the CAN-SPAM Act and decided that since it was not malicious, and we explained after the ‘click’ that it was for research, we would probably not get in too much trouble,” he said. “I decided it was worth the risk, as it is really important to get the message out there, but substantiated with some solid numbers. And this was the only way to get those.”
Social engineering is one of the primary vehicles attackers use to launch sophisticated attacks against businesses today.
The recent breach of security firm RSA's intellectual property related to its SecurID products, for example, began with a phish, the company disclosed. Those behind the breach sent low-level RSA employees emails carrying an Excel file labeled "2011 Recruitment Plan" that exploited a zero-day flaw in Adobe Flash.
Meanwhile, criminals are increasingly using social networking sites to distribute phishing attacks, according to a report released by Microsoft earlier this month. The prevalence of phishing on social networking sites increased 1,200 percent last year – up from 8.3 percent of all phishing in January to 84.5 percent in December.