A new research experiment conducted by Web security firm Trusteer found that even educated email users click on links that can potentially lead to websites containing malware, the company said.

New York-based Trusteer's findings shed light on the potential consequences of the recent security breach at marketing firm Epsilon, a subsidiary of Alliance Data Systems Corp., which reported this month that an unauthorized entry into its email system resulted in the compromise of approximately 2% of its clients' customer names and email addresses.

The marketing firm manages customer email databases for more than 2,500 clients, including large financial institutions and retailers.

Security experts say they expect the breach to result in targeted email phishing attacks, and while credit unions were not among the reportedly affected Epsilon clients, several CUs posted messages on their websites warning members that they could be targeted if they had opted in to an Epsilon client's email marketing list.

The Trusteer experiment entailed sending emails that listed the social networking site LinkedIn as the sender to 100 friends and family members of Trusteer researchers. The emails contained a link that claimed to lead to a new job alert but instead directed recipients to an outside website, a common strategy used by attackers, Trusteer CEO Mickey Boodaei said. Within seven days, Trusteer found that 68 of the 100 subjects had followed the link.

The company posted a blog entry detailing the experiment on its website, which states, "This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer. Education is always recommended and can certainly help, but in this case education did not prevent the attack."

Trusteer customized the emails crafted for the experiment by creating a new identity on LinkedIn and gathering information about recipients' LinkedIn connections and their connections' profiles, the company said. Researchers used Gmail to create the fake LinkedIn email account and included photos of victims' connections downloaded from LinkedIn.

Since mail programs typically display only the name of the sender, not the sender's full email address, fooling recipients was simple, Trusteer CEO Mickey Boodaei said.

"It's very easy to create a convincing email and attack an employee's desktop," Boodaei said. "Since it is so easy to execute, I believe this will be the No. 1 attack vector in the next couple of years."

The lesson learned from the experiment, Boodaei said, is that companies should concentrate on implementing technology that can prevent malware installation rather than on educating employees about how to spot malicious emails.

"Enterprises should assume employees will click on the links," he said. "Then they should focus on how to prevent the links from infecting the software, and that comes down to technology."

Todd Thiemann, senior director of product marketing for San Jose, Calif.-based data security provider Vormetric, said he agrees that educated email users can be tricked.

"Human beings are fallible," he said. "Even a savvy person can make a mistake."

Thiemann added that credit unions can draw two lessons from the Epsilon breach: first, to implement an in-depth data defense strategy, and second, to rethink the definition of "sensitive data."

"Data is considered sensitive when you're talking about thousands of client names and email addresses," Thiemann said. "There's a high probability of success for the fraudster who has that information."

An "in-depth" defense strategy should include the following actions, Thiemann said: allow only certain individuals access to sensitive data, and then only via proper encryption; perform database activity monitoring; develop a strong system for security information management; implement a host intrusion prevention system; and run up-to-date antivirus software from a reputable vendor.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Natasha Chilingerian

Natasha Chilingerian has been immersed in the credit union industry for over a decade. She first joined CU Times in 2011 as a freelance writer, and following a two-year hiatus from 2013-2015, during which time she served as a communications specialist for Xceed Financial Credit Union (now Kinecta Federal Credit Union), she re-joined the CU Times team full-time as managing editor. She was promoted to executive editor in 2019. In the earlier days of her career, Chilingerian focused on news and lifestyle journalism, serving as a writer and editor for numerous regional publications in Oregon, Louisiana, South Carolina and the San Francisco Bay Area. In addition, she holds experience in marketing copywriting for companies in the finance and technology space. At CU Times, she covers People and Community news, cybersecurity, fintech partnerships, marketing, workplace culture, leadership, DEI, branch strategies, digital banking and more. She currently works remotely and splits her time between Southern California and Portland, Ore.