Employees at organisations in the travel, education and financial services industries are most susceptible to falling for phishing attacks, according to a US study.
Researchers sent simulated phishing messages to employees at more than 3500 small and medium enterprises and found that recipients at nearly 500 companies, or 15 per cent, clicked on a link contained in the message.
The link brought users to a page which informed them that they had taken part in phishing research.
Those within the travel, education, financial, government, and IT fields were most likely to click on the links.
“The problem is that SMEs are focused on growth and not so much focused on security,” Stu Sjouwerman, chief executive officer of internet security awareness training firm KnowBe4 said.
Employees at 25 per cent of travel firms in the study responded to the simulated attack, as did nearly 23 per cent of those in education and financial services industries.
Rounding out the top five were government services, where 21 per cent of workers fell for the ruse, and IT services, where 20 per cent of the targets responded, according to the study.
Some SMEs – particularly those in the education and travel industries – don't have adequate budget, in-house expertise or support from top-level management to protect their networks and train employees about security threats, Sjouwerman said.
But he said those in IT services may think they can rely on firewalls and anti-virus technologies to stop phishing attacks.
“[Phishing] isn't a technology problem,” he said. “It is a people problem.”
Researchers conducted the experiment by first harvesting business domain names off the web site of Inc. magazine, which maintains an annual list of the fastest-growing private US companies. Using a free data gathering tool called Maltego, researchers then scanned the internet to find email addresses associated with those domains.
The researchers sent the simulated phishing emails to about 40,000 email addresses, or 12 messages per company. These were successfully delivered to about 29,000 recipients across 3037 businesses.
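To show how a campaign of this kind is scored, here is an added example (not code from the study or from KnowBe4) that aggregates a constructed send log into recipient and company click rates per industry. It uses the article's definition of a responding company (one where at least one delivered recipient clicked) and keeps delivered, rather than sent, messages as the denominator, since undeliverable mail says nothing about employee behaviour. The company names, industries and addresses are made up for the example.

```python
from collections import defaultdict

# Constructed sample log for a simulated phishing campaign. The companies,
# industries and addresses are invented for this example; they are not the
# study's data. Each record: (company, industry, recipient, delivered, clicked)
SAMPLE_LOG = [
    ("alpha-travel.example",  "travel",    "a@alpha-travel.example",  True,  True),
    ("alpha-travel.example",  "travel",    "b@alpha-travel.example",  True,  False),
    ("beta-tours.example",    "travel",    "c@beta-tours.example",    True,  False),
    ("zeta-trips.example",    "travel",    "d@zeta-trips.example",    False, False),
    ("gamma-college.example", "education", "e@gamma-college.example", True,  True),
    ("delta-it.example",      "it",        "f@delta-it.example",      True,  False),
    ("delta-it.example",      "it",        "g@delta-it.example",      True,  False),
    ("epsilon-bank.example",  "financial", "h@epsilon-bank.example",  True,  True),
    ("eta-credit.example",    "financial", "i@eta-credit.example",    True,  False),
    # A click recorded on a message that never delivered is bad data, not a response.
    ("eta-credit.example",    "financial", "j@eta-credit.example",    False, True),
]


def summarise(log):
    """Aggregate a campaign log into recipient- and company-level results.

    A company counts as having 'responded' if any delivered recipient clicked,
    which is how the article reports its 15 per cent figure. Companies to which
    nothing was delivered are excluded from every denominator, so a gateway that
    rejects a whole batch cannot masquerade as a 'nobody clicked' result.
    Clicks without a matching delivery are returned as anomalies, not counted.
    """
    sent = delivered = clicked = 0
    delivered_by_company = {}      # company -> industry, for companies reached
    clicked_companies = set()
    anomalies = []

    for company, industry, recipient, was_delivered, was_clicked in log:
        sent += 1
        if was_clicked and not was_delivered:
            anomalies.append(recipient)
            continue
        if not was_delivered:
            continue
        delivered += 1
        delivered_by_company[company] = industry
        if was_clicked:
            clicked += 1
            clicked_companies.add(company)

    # industry -> [companies reached, companies with at least one click]
    per_industry = defaultdict(lambda: [0, 0])
    for company, industry in delivered_by_company.items():
        per_industry[industry][0] += 1
        if company in clicked_companies:
            per_industry[industry][1] += 1

    companies_delivered = len(delivered_by_company)
    return {
        "sent": sent,
        "delivered": delivered,
        "clicked": clicked,
        "companies_delivered": companies_delivered,
        "companies_clicked": len(clicked_companies),
        "company_rate": (len(clicked_companies) / companies_delivered
                         if companies_delivered else 0.0),
        "industry_rates": {ind: hit / reached
                           for ind, (reached, hit) in sorted(per_industry.items())},
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(f"delivered {result['delivered']}/{result['sent']} messages "
          f"to {result['companies_delivered']} companies")
    print(f"{result['companies_clicked']} companies responded "
          f"({result['company_rate']:.0%})")
    for industry, rate in result["industry_rates"].items():
        print(f"  {industry:<10} {rate:.0%}")
    if result["anomalies"]:
        print("clicks recorded without delivery (check tracking):", result["anomalies"])
```

Clicks recorded against messages that never delivered are flagged rather than counted; in practice they usually mean a tracking error or a mail security gateway that fetched the link while scanning the message before rejecting it, and counting them would inflate the click rate.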
Sjouwerman said his company could face legal risks for delivering unsolicited email to organisations, but after running the idea by his company's lawyers, he decided to go ahead.
"[Our lawyers] looked at this in the light of the CAN-SPAM Act and decided that since it was not malicious, and we explained after the 'click' that it was for research, we would probably not get in too much trouble,” he said.
"I decided it was worth the risk, as it is really important to get the message out there, but substantiated with some solid numbers. And this was the only way to get those.”
Social engineering is one of the primary vehicles attackers use to launch sophisticated attacks against businesses today.
The recent breach of security firm RSA's intellectual property related to its SecurID products, for example, began with a phish, the company disclosed. Those behind the breach sent low-level RSA employees emails carrying an Excel file labeled "2011 Recruitment Plan", which exploited an Adobe Flash zero-day flaw.
Meanwhile, criminals are increasingly using social networking sites to distribute phishing attacks, according to a report released by Microsoft earlier this month. The prevalence of phishing on social networking sites increased 1200 per cent last year – up from 8.3 per cent of all phishing in January to 84.5 per cent in December.