A new research experiment conducted by New York-based Web security firm Trusteer found that even educated e-mail users click on links that can potentially lead to websites containing malware, Trusteer CEO Mickey Boodaei said.
The Trusteer experiment entailed sending e-mails that listed the social networking site LinkedIn as the sender to 100 friends and family members of Trustee researchers.
The e-mails contained a link that claimed to lead users to a new job alert, but instead directed them to an outside website – a common strategy used by attackers, Boodeai said. Within seven days, Trusteer found that 68 of the 100 subjects had followed the link.
The company posted a blog detailing the experiment on its website Wednesday, which states, "This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer. Education is always recommended and can certainly help, but in this case education did not prevent the attack."
Boodaei said attacks similar to the one staged by Trusteer are some of the biggest security threats enterprises face today, and that the security breach at marketing firm Epsilon, in which millions of client customer names and e-mail addresses were comprised, will likely result in the delivery of many malicious e-mails.
Trusteer customized the e-mails crafted for the experiment by creating a new identity on LinkedIn and gathering information about recipients' LinkedIn connections and their connections' profiles, the company said. Researchers used Gmail to create the fake LinkedIn e-mail account and included photos of victims' connections downloaded from LinkedIn.
Since mail programs typically only display the name of the sender – not the sender's full e-mail address – fooling recipients was simple, Boodaei said.
"It's very easy to create a convincing e-mail and attack an employee's desktop," Boodaei said. "Since it is so easy to execute, I believe this will be the No. 1 attack vector in the next couple of years."
The lesson learned from the experiment, Boodaei said, is that companies should concentrate on implementing technology that can prevent malware installation, not just educating employees about how to spot malicious e-mails.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Natasha Chilingerian
Natasha Chilingerian has been immersed in the credit union industry for over a decade. She first joined CU Times in 2011 as a freelance writer, and following a two-year hiatus from 2013-2015, during which time she served as a communications specialist for Xceed Financial Credit Union (now Kinecta Federal Credit Union), she re-joined the CU Times team full-time as managing editor. She was promoted to executive editor in 2019. In the earlier days of her career, Chilingerian focused on news and lifestyle journalism, serving as a writer and editor for numerous regional publications in Oregon, Louisiana, South Carolina and the San Francisco Bay Area. In addition, she holds experience in marketing copywriting for companies in the finance and technology space. At CU Times, she covers People and Community news, cybersecurity, fintech partnerships, marketing, workplace culture, leadership, DEI, branch strategies, digital banking and more. She currently works remotely and splits her time between Southern California and Portland, Ore.
