09:00 AM
Connect Directly

The Real Reason Phishing Works So Well

New Duo Security study shows many companies don't update browsers and operating systems - a first line of defense.

Tests prove that people just keep clicking on malicious links and attachments: in a new study from Duo Security based on its free phishing assessment tool, nearly one-third of users clicked the link in a phishing email sent by Duo’s internal team.

Worse still, 17% entered their user name and password, which would have given a real attacker the keys to corporate data.

The real-world data comes from the Duo Security’s Duo Insight, a free tool that lets organizations run internal phishing simulations. The data also showed that a phishing campaign that took just five minutes to execute via the tool could lead an attacker to corporate data within 25 minutes, according to Duo Security.

Since Duo Insight’s launch last month, around 400 companies have used the tool; in its report, Duo pulled results from 11,542 users who received a phishing email campaign from their companies.

“The tool tells companies which devices have operating systems out of date, who clicked on an email on a test, who clicked on a link and who entered credentials,” says Jordan Wright, R&D engineer at Duo Security,

Most successful phishing attacks are the result of endpoint problems, not credential issues, he notes. In fact, the Duo study found that on average, 62% of respondents were using out-of-date browsers. And on average, 68% used out-of-date operating systems.

“Attackers have created reusable exploit kits that come bundled with multiple high-quality exploits designed to compromise a browser,” Wright said. “These exploit kits can download malware or ransomware to a device, and steal credentials and information stored on the device.”

Duo offers these four tips for preventing phishing attacks: 

Run simulation campaigns internally to understand the company’s risk. Companies need to understand that the internal campaigns are not “one-and- done” events. To be effective, they must be run continuously so that over time, the company can see improvement. Typically, a system administrator is notified via email that a test will be under way, and it’s suggested that companies tell staff that as part of their security program they will run periodic tests to determine how susceptible the company is to phishing attacks.

Educate the staff. Wright says that it’s very important for companies not to focus too much on the people who clicked. Don’t single out anyone in a negative light. And in many ways, it’s more important to focus on the people who notified corporate IT. The drills are meant to build a collaborative environment in which the staff works closely with IT. Another point to remember: Just because somebody clicked on one test doesn’t mean they won’t click on a subsequent drill. So shy away from singling out those who clicked; it can happen to anyone.   

Keep all operating systems, browsers, and Flash and Java program up-to-date. Wright says that it’s highly unlikely for an attacker to penetrate a browser or operating system that’s been updated. The attacker would need a zero-day attack to penetrate an updated OS or browser, and they are much more expensive and unusual. Phishers (aka attackers) typically go for the low-hanging fruit of those who don’t upgrade their systems.

Reward employees for catching a phish. Some companies offer financial rewards or gift cards, or just simply recognize users at a corporate event or a special email. Try to create a climate in which the employees want to be the first to notify IT of a phishing incident.  

Related Content:

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
How Well Is Your Organization Investing Its Cybersecurity Dollars?
Jack Jones, Chairman, FAIR Institute,  12/11/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When Harry Met Sally
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
PUBLISHED: 2018-12-13
A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access
PUBLISHED: 2018-12-13
The OFBiz HTTP engine ( handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitati...
PUBLISHED: 2018-12-13
An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.
PUBLISHED: 2018-12-13
An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback.php allows remote attackers to delete arbitrary files via a backname[] directory-traversal pathname followed by a crafted substring.