Tests prove that people just keep clicking on malicious links and attachments: in a new study from Duo Security based on its free phishing assessment tool, nearly one-third of users clicked the link in a phishing email sent by Duo’s internal team.
Worse still, 17% entered their user name and password, which would have given a real attacker the keys to corporate data.
The real-world data comes from Duo Security’s Duo Insight, a free tool that lets organizations run internal phishing simulations. The data also showed that a phishing campaign that took just five minutes to execute via the tool could lead an attacker to corporate data within 25 minutes, according to Duo Security.
Since Duo Insight’s launch last month, around 400 companies have used the tool; in its report, Duo pulled results from 11,542 users who received a phishing email campaign from their companies.
“The tool tells companies which devices have operating systems out of date, who clicked on an email on a test, who clicked on a link and who entered credentials,” says Jordan Wright, R&D engineer at Duo Security.
Most successful phishing attacks are the result of endpoint problems, not credential issues, he notes. In fact, the Duo study found that on average, 62% of respondents were using out-of-date browsers. And on average, 68% used out-of-date operating systems.
“Attackers have created reusable exploit kits that come bundled with multiple high-quality exploits designed to compromise a browser,” Wright said. “These exploit kits can download malware or ransomware to a device, and steal credentials and information stored on the device.”
Duo offers these four tips for preventing phishing attacks:
Run simulation campaigns internally to understand the company’s risk. Companies need to understand that the internal campaigns are not “one-and-done” events. To be effective, they must be run continuously so that over time, the company can see improvement. Typically, a system administrator is notified via email that a test will be under way, and it’s suggested that companies tell staff that as part of their security program they will run periodic tests to determine how susceptible the company is to phishing attacks.
Educate the staff. Wright says that it’s very important for companies not to focus too much on the people who clicked. Don’t single out anyone in a negative light. And in many ways, it’s more important to focus on the people who notified corporate IT. The drills are meant to build a collaborative environment in which the staff works closely with IT. Another point to remember: Just because somebody clicked on one test doesn’t mean they won’t click on a subsequent drill. So shy away from singling out those who clicked; it can happen to anyone.
Keep all operating systems, browsers, and Flash and Java programs up to date. Wright says that it’s highly unlikely for an attacker to penetrate a browser or operating system that’s been updated. The attacker would need a zero-day attack to penetrate an updated OS or browser, and they are much more expensive and unusual. Phishers (aka attackers) typically go for the low-hanging fruit of those who don’t upgrade their systems.
Reward employees for catching a phish. Some companies offer financial rewards or gift cards, or just simply recognize users at a corporate event or a special email. Try to create a climate in which the employees want to be the first to notify IT of a phishing incident.
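As an added example (not code from the article or from Duo Insight), the following Python turns a simulation's event log into the kind of figures the study reports and that the first tip relies on: per-campaign click, credential-submission and report rates, the minutes until the first credential was captured, the change in those rates between repeated campaigns, and a User-Agent check for out-of-date browsers. The event format, the sample data and the minimum browser versions are all assumptions.

```python
import re

# Constructed events from a hypothetical internal phishing simulation:
# (campaign, user, event, minutes after send). Made-up data in an assumed
# format, not Duo Insight's real output.
EVENTS = [
    ("q1", "alice", "clicked", 3), ("q1", "alice", "submitted", 5),
    ("q1", "bob", "clicked", 12), ("q1", "carol", "reported", 7),
    ("q1", "dave", "clicked", 40), ("q1", "dave", "submitted", 45),
    ("q1", "erin", "reported", 2), ("q1", "frank", "clicked", 9),
    ("q2", "alice", "reported", 4), ("q2", "bob", "clicked", 20),
    ("q2", "carol", "reported", 3), ("q2", "dave", "clicked", 15),
    ("q2", "dave", "submitted", 18), ("q2", "erin", "reported", 6),
    ("q2", "frank", "reported", 11),
]
RECIPIENTS = {"q1": 6, "q2": 6}  # emails sent per campaign

def campaign_metrics(events, recipients):
    """Per-campaign funnel (share of recipients who clicked, submitted
    credentials, reported) and minutes to the first credential submission."""
    out = {}
    for camp, n in recipients.items():
        users = {"clicked": set(), "submitted": set(), "reported": set()}
        first_submit = None
        for c, user, ev, minute in events:
            if c != camp:
                continue
            users[ev].add(user)  # each user counted once per event type
            if ev == "submitted" and (first_submit is None or minute < first_submit):
                first_submit = minute
        out[camp] = {f"{ev}_rate": len(u) / n for ev, u in users.items()}
        out[camp]["minutes_to_first_credential"] = first_submit
    return out

def trend(metrics, earlier, later):
    """Rate changes between two campaigns: falling clicked/submitted and
    rising reported rates show the awareness program working."""
    return {k: metrics[later][k] - metrics[earlier][k]
            for k in ("clicked_rate", "submitted_rate", "reported_rate")}

# Assumed minimum browser major versions (placeholder numbers, not from the
# article); a real check would track the vendors' current releases.
MIN_MAJOR = {"Chrome": 51, "Firefox": 47}

def browser_out_of_date(user_agent):
    """True if a known browser is below MIN_MAJOR, False if current,
    None if the browser family is not recognised."""
    m = re.search(r"(Chrome|Firefox)/(\d+)", user_agent)
    return None if not m else int(m.group(2)) < MIN_MAJOR[m.group(1)]
```

Reporting only aggregate rates, as here, keeps the drill from singling out individual clickers while still showing whether the program is improving.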