A clever way to increase employee awareness about phishing
User awareness training should be a part of every corporate security program
IT Best Practices Alert
By Linda Musthaler, Network World, 02/02/2009
In April 2008, thousands of high-ranking corporate executives received an e-mail message informing them that they were being subpoenaed by the United States District Court in San Diego. The official-looking notice, which was personalized with the executive’s name, company and phone number, informed the recipient that he was required to appear before a grand jury in a civil case. An attachment supposedly contained a copy of the full subpoena. Anyone who clicked on the attachment – and who among us wouldn’t? – unwittingly downloaded and installed a keystroke logger and other malware that allows remote control of the PC.
This is a classic case of spear phishing, or in this case, whaling – the practice of attacking the “really big fish” such as corporate executives. And it worked, too. According to a security researcher who volunteers at the Internet Storm Center, there were at least 2,000 victims of this phishing attack. (Read more in this New York Times article.)
Could your executives fall prey to such a scheme? What about the average workers in your company? Yes, of course. Almost everyone is vulnerable to a well-orchestrated phishing attack like this one, simply because we humans are naturally programmed to respond to things that are perceived as important to us.
Corporate users are just as susceptible to phishing attacks as consumers, and the stakes may be higher. A corporate phishing scam could cause direct financial loss, customer data breaches, or the theft of intellectual property such as trade secrets or corporate strategy. Therefore, user awareness training should be a part of every corporate security program.
Lorrie Faith Cranor is the director of the Carnegie Mellon University CyLab Usable Privacy and Security Laboratory. In the article How to Foil “Phishing” Scams, published in the December 2008 issue of Scientific American, Cranor says phishing plays on human vulnerabilities and is not strictly a technological problem. “Although we have shown that we can teach people to protect themselves from phishers, even those educated users must remain vigilant and may require periodic retraining to keep up with phishers' evolving tactics,” wrote Cranor.
A clever way to teach workers about phishing and condition them to question suspicious e-mails is the service called PhishMe from the Intrepidus Group. PhishMe is an easy-to-use SaaS mock phishing exercise that a company runs against its own employees. Instead of resulting in a harmful consequence, PhishMe sends instant feedback and training to the worker who falls for the trick and clicks on the link in the bogus message.
Linda Musthaler is a principal analyst with Essential Solutions Corporation.