It takes 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign, a report suggests.
Compiled by Verizon, the report looks at analyses of almost 80,000 security incidents that hit thousands of companies in 2014.
It found that, in many companies, about 25% of those who received a phishing email were likely to open it.
"Training your employees is a critical element of combating this threat," said Bob Rudis, lead author on the report.
Tricking people into opening a booby-trapped message let attackers grab login credentials that could be used to trespass on a network and steal data, the report said.
"They do not have to use complex software exploits, because often they can get hold of legitimate credentials," Mr Rudis said.
Analysis of data breaches found that, in many cases, it had taken less than two minutes for freshly sent phishing emails to catch their first victim. And, said Mr Rudis, half of the victims had clicked on the message within the first hour of it being sent.
Although attackers racked up victims quickly, it took companies far longer to notice they had been compromised, Mr Rudis said.
The report also found companies could take straight-forward steps to defend themselves against well-crafted phishing emails designed to make people open them and their attachments.
Teaching staff to spot bogus messages could reduce the proportion of victims to sent emails from one in four to one in 20, he said.
Showing workers the tell-tale signs of a phishing email could also turn them into another line of defence that could catch messages missed by automatic detection systems.
"They should be treating employees as tools in the fight rather than as lambs to the slaughter," Mr Rudis said.
After phishing, some cyber-thieves relied on companies running un-patched software that was vulnerable to old and well-known exploits, he said.
More than 99% of the vulnerabilities exploited in data breaches had been known about for more than a year, Mr Rudis said. And some had been around for a decade.
"There are some vulnerabilities that just linger out there," he said.
A good patching regime would help companies protect themselves against most of the vulnerabilities cyber-thieves abuse, Mr Rudis added.
Find out how to avoid scam emails