Enterprise Employees Clueless About Phishing
2005-05-18 12:21:00
Enterprise employees are at a much bigger risk from phishing attacks than they think, according to a survey conducted by pollster Harris Interactive. In fact, a huge majority don't even know what phishing is, said the poll's sponsor, San Diego-based Websense, on Wednesday.
The survey of 500 American workers and more than 350 IT decision makers pointed out a major disconnect between what employees think they're doing, and what their companies' IT staff sees them doing, said Dan Hubbard, the senior director of security and technology research at Web security and content filtering firm Websense.
Only four percent of the employees said they'd ever fallen for a phishing attack, while nearly half of the IT managers polled (45 percent) said that workers did click through.
"That disparity is fairly common," said Hubbard. "Usually the IT people are more computer savvy, and because they see the net result, their reporting's usually more accurate."
But even if the four percent figure is valid, that number, added Hubbard, is "on the high side." Other analysts and surveys have pegged the percentage of people who bite on phishers' lures at 3 to 5 percent. "Taking into the economy of scale of phishing, four percent can be a pretty big hit on your revenue if workers are disclosing [access to] financial information."
Other bits gleaned from the Harris/Websense poll point out the huge task enterprise IT has in educating workers on the dangers of phishing. Two out of every three employees say they've never heard of the term, while only 27 percent of the IT managers believe that workers in their company can accurately identify a phishing site.
Media focus on phishing notwithstanding, said Hubbard, "There are lots of people who think that everyone knows what phishing is, but awareness is actually fairly low."
And with some phishers turning to more sophisticated tactics and technologies--including installing keyloggers and other spyware--workers don't even have to disclose information to play with fire. "By clicking on a phishing URL, the site can install spyware, such as a malicious keylogger, on the employee's computer, which has the ability to capture data such as network passwords without their knowledge."
Phishers targeting enterprises are also trying to install backdoor Trojans as well as keyloggers, so that later they can access the system remotely. Keyloggers, meanwhile, are being designed to sniff out enterprise-centric information, like access credentials, rather than the credit card and bank account numbers typically sought from consumers' PCs.
"When phishing first started to get attention, lots of analysts thought that phishing would only be a consumer problem," said Hubbard. "But it's becoming more enterprise-focused."
Backing that up are poll results showing that 32 percent of the IT managers surveyed believe phishing attacks have caused security problems for their organizations. And 20 percent of the IT people polled said that their jobs could be at risk if one of their employees gave up confidential data in a phish.
Even so, enterprises aren't exactly on the anti-phishing bandwagon, said Hubbard. "Most of them rely on anti-virus and/or anti-spam defenses to stop phishing." Only a small number--14 percent--of the IT decision makers said that they block HTML within e-mail, preventing links from being clicked, said the poll. In comparison, 60 percent block executables, a common defense against viruses and worms delivered as e-mail attachments.
"HTML within e-mails is frequently left unblocked," said Hubbard, "leaving employees vulnerable to attack from phishers."