Which Industry’s Employees Fall for Phishing E-mail Most Often?

Although cybercrime research reveals “widespread vulnerability to phishing in virtually all business sectors nationwide,” new research has identified five industries where employees are most likely to click on links in phishing e-mail messages. What’s even more chilling is how successful this thankfully benign attack was.

KnowBe4, an Internet security awareness training (ISAT) firm, released the results of its new cybercrime experiment that identifies “the nation's most Phish-prone industry sectors” -- that is, those where employees are most “susceptible” to its cybercrime ploy. The top five: travel, education, financial services, government services, and IT services. Yes, IT services.

KnowBe4 conducted the experiment by targeting small and midsize enterprises (SMEs) from Inc. 500 and Inc. 5000 lists. It used Inc.’s Web site to assemble the SME’s domain names and a “free data-gathering service to find publicly available e-mail addresses.”

According to the company, “Individuals who clicked the link were directed to a landing page that informed them they had just taken part in phishing research. The [e-mail messages] were successfully delivered to about 29,000 recipients at 3,037 businesses; and in nearly 500 of those companies, one or more employees clicked the link.” That’s nearly one in six employees at targeted companies.

In a release, KnowBe4 founder and CEO Stu Sjouwerman points out that "Any business that provides access to e-mail or access to its networks via the Internet is only as safe from cybercrime to the degree that its employees are trained to avoid phishing e-mails and other cyberheist schemes.” Sjourwerman is also an author whose latest book is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

KnowBe4 categorized the targeted companies into 25 industry sectors. The travel industry showed the most vulnerabilities; employees in 25 percent of travel companies responded to the phish-y message. Following closely behind: education (22.9 percent), financial services (22.7 percent), government services (21.2 percent), and a group that should know better: IT services (20.4 percent).

"Our cybercrime statistics should serve as a wake-up call to SMEs nationwide," noted Sjouwerman, in what I can best call an understatement. "Not only are these businesses at risk for financial loss through a cyberheist, but their susceptibility to phishing tactics could compromise sensitive customer data such as credit card, bank account and social security numbers."

Why are the percentages so high? Sjouwerman attributes it in part to a “false sense of security” -- that people assume antivirus software “and an in-house IT team provide sufficient data security.” Given that IT services made it into the Top Five list, there’s clearly a retraining opportunity here.

The cleverness of cybercriminals can still overcome the best intentions of employees. As Sjouwerman points out, “Many of the top Phish-prone industries are regulated and subject to compliance rules, so well-meaning employees can be tricked into clicking a link if they believe an e-mail was sent by a government or law enforcement agency, or by someone they know and trust.”

More details from the study, including percentages by all 25 industries, by state, and by domain suffix (among others) can be found at www.knowbe4.com/fail500/. No registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 05/31/2011