KnowBe4 Research Reveals Companies Vulnerable to Cybercrime -- Test Shows 43% of Businesses Susceptible to Phishing

Share Article

Hundreds of Inc. 5000 Companies Respond to Simulated Phishing Attack in KnowBe4 Experiment, Demonstrating Urgent Need for Internet Security Training


Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

We believe that SMEs are prime targets for cybercriminals because companies in growth mode are often so focused on expansion that they overlook Internet security training.

With cyberheist cases and phishing statistics continuing to make headlines nationwide, it’s become clear that companies are vulnerable to cybercrime – and new research published by KnowBe4 reveals just how susceptible businesses are to these types of attacks. A respected provider of Internet Security Awareness Training (ISAT), KnowBe4 uses phishing security tests to help small and medium enterprises (SMEs) identify and educate Phish-prone™ employees. The company recently conducted a larger-scale test to determine how many of today’s fastest-growing SMEs are likely to fall prey to phishing, and the results suggest real cause for concern.

“We believe that SMEs are prime targets for cybercriminals because companies in growth mode are often so focused on expansion that they overlook Internet security training,” explained KnowBe4 founder and CEO Stu Sjouwerman (pronounced “shower-man”). “So we decided to conduct an experiment to test that theory.”

Sjouwerman found a perfect subject pool within the Inc. 500 and Inc. 5000 ranks. “As an alumnus of the Inc. 500 with my last company, Sunbelt Software, I knew we’d find many driven, growth-oriented SMEs on those lists. Better yet, provided domain names for more than 3,500 of those businesses – which made it easy for us to conduct a search for all publicly available email addresses.”

Using a free data-gathering service, KnowBe4 was able to obtain more than 42,000 email addresses. The company’s experiment involved sending out simulated phishing emails with no malicious payload, and tracking the resulting clicks. The emails purported to be sent by a government agency, and asked recipients to click a link to verify that their email address is legitimate and has not been used to send spam emails to government computer systems. Individuals who clicked the link arrived at a landing page KnowBe4 created for the test, which informed subjects of the experiment and assured them all was well.

KnowBe4 first conducted a preliminary test, using a reputable bulk email service to send 989 emails to recipients at 81 companies. The emails were successfully delivered to 79 companies, and individuals at 34 of those companies – a shocking 43% – clicked the link. Although the email service had previously been informed of the test, a complaint from one alert recipient led the company to suspend KnowBe4’s account until an alternate solution was agreed upon for the next phase of the experiment.

As a result, the remaining emails were sent through a one-time mail server with an unknown reputation, which reduced the percentage of successful deliveries. Of the 3,457 businesses targeted in the second test, 2,958 received the emails; and 451 of those companies – or 15.2% – had at least one employee who clicked the link.

“Considering that we organized our simulated attacks fairly quickly and only went after low-hanging fruit, our phishing statistics should serve as a wake-up call to SMEs everywhere,” asserted Sjouwerman. “Successful cybercriminals spend a great deal of time and effort planning their attacks. If we had devoted more time to each step of our test, I believe the number of Phish-prone companies could easily have been double.”

Between the two tests, 658 emails were clicked by employees at nearly 500 organizations. KnowBe4 dubbed these companies the FAIL500. “If it was so easy for us to get in, there is a high likelihood that these networks are already compromised, and that a cyberheist is either in progress or may happen soon,” warned Sjouwerman. “Out of respect for the companies and individuals involved in our experiment, we won’t be disclosing the names of the FAIL500. However, we’ve alerted corporate representatives that their c ompanies are vulnerable to cybercrime, and we’ve recommended that they conduct Internet security awareness training immediately.”

Sjouwerman has made it his mission to educate business owners and managers about the dangers of cybercrime, and arm them with the knowledge they need to combat it. To that end, he recently published his fourth book, Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. The results of the FAIL500 experiment are highlighted at the beginning of Cyberheist. The book then goes on to explore the business of cybercrime, examine a variety of scams through case studies, and equip readers with powerful tips and tools for countering cyber attacks.

Complete phishing statistics from the FAIL500 project can be found at Future announcements from KnowBe4 will provide additional details and analysis on the experiment, including America’s top five Phish-prone industries. For more information on Cyberheist, or to order the paperback or e-book edition, visit

About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. For more information on Sjouwerman and KnowBe4, visit

Media Inquires:
Karla Jo Helms
CEO and PR Strategist
JoTo Extreme PR
Phone: 888-202-4614


Share article on social media or email:

View article via:

Pdf Print

Contact Author

Nelson (Nate) J. Spoto
Visit website