The Real Reason Phishing Works So Well

New Duo Security study shows many companies don't update browsers and operating systems - a first line of defense.

Tests prove that people just keep clicking on malicious links and attachments: in a new study from Duo Security based on its free phishing assessment tool, nearly one-third of users clicked the link in a phishing email sent by Duo’s internal team.

Worse still, 17% entered their user name and password, which would have given a real attacker the keys to corporate data.

The real-world data comes from Duo Security's Duo Insight, a free tool that lets organizations run internal phishing simulations. The data also showed that a phishing campaign that took just five minutes to set up and send via the tool could lead an attacker to corporate data within 25 minutes, according to Duo Security.

Since Duo Insight’s launch last month, around 400 companies have used the tool; in its report, Duo pulled results from 11,542 users who received a phishing email campaign from their companies.

“The tool tells companies which devices have operating systems out of date, who clicked on an email on a test, who clicked on a link and who entered credentials,” says Jordan Wright, R&D engineer at Duo Security.

Most successful phishing attacks are the result of endpoint problems, not credential issues, he notes. In fact, the Duo study found that on average, 62% of respondents were using out-of-date browsers. And on average, 68% used out-of-date operating systems.

“Attackers have created reusable exploit kits that come bundled with multiple high-quality exploits designed to compromise a browser,” Wright said. “These exploit kits can download malware or ransomware to a device, and steal credentials and information stored on the device.”

Duo offers these four tips for preventing phishing attacks: 

Run simulation campaigns internally to understand the company’s risk. Companies need to understand that the internal campaigns are not “one-and-done” events. To be effective, they must be run continuously so that over time, the company can see improvement. Typically, a system administrator is notified via email that a test will be under way, and it’s suggested that companies tell staff that, as part of their security program, they will run periodic tests to determine how susceptible the company is to phishing attacks.

Educate the staff. Wright says that it’s very important for companies not to focus too much on the people who clicked. Don’t single out anyone in a negative light. And in many ways, it’s more important to focus on the people who notified corporate IT. The drills are meant to build a collaborative environment in which the staff works closely with IT. Another point to remember: Just because somebody clicked on one test doesn’t mean they won’t click on a subsequent drill. So shy away from singling out those who clicked; it can happen to anyone.   

Keep all operating systems, browsers, and Flash and Java installations up to date. Wright says that it’s highly unlikely for an attacker to penetrate a browser or operating system that’s been updated. The attacker would need a zero-day exploit to penetrate an updated OS or browser, and those are much more expensive and rarer. Phishers typically go for the low-hanging fruit of those who don’t update their systems.

Reward employees for catching a phish. Some companies offer financial rewards or gift cards, or just simply recognize users at a corporate event or a special email. Try to create a climate in which the employees want to be the first to notify IT of a phishing incident.  
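The first tip (run simulations and track improvement over time) and the third (find the out-of-date browsers that exploit kits target) both come down to measuring the same campaign data: who was sent the lure, who clicked, who entered credentials, who reported it, and what browser the clickers were running. The following script is an added example, not Duo Insight's code or any tool Duo describes. It assumes a hypothetical tab-separated event log (user, event, user agent) that a simulation's landing page could write, and the "current major version" table is placeholder data, not real release history. It parses the User-Agent from click events, flags browsers below the assumed current version, and reports the campaign's click, credential, report and outdated-browser rates per unique recipient.

```python
"""Score a phishing-simulation campaign from its event log.

Added example, not Duo Insight's code. Assumes a hypothetical
tab-separated log (user, event, user_agent) written by the
simulation's landing page. MIN_CURRENT holds placeholder version
numbers, not real browser release data.
"""
import re

# Constructed sample log. Fields: user<TAB>event<TAB>user_agent
# Events: "sent", "clicked", "credentials", "reported"; "-" means no UA.
SAMPLE_LOG = """\
alice\tsent\t-
alice\tclicked\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
alice\tcredentials\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
bob\tsent\t-
bob\treported\t-
carol\tsent\t-
carol\tclicked\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15
dave\tsent\t-
dave\tclicked\tMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
erin\tsent\t-
frank\tsent\t-
frank\tclicked\tMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
"""

# Assumed "current" major version per browser family (placeholder values).
MIN_CURRENT = {"Chrome": 91, "Firefox": 89, "Safari": 14}

# Order matters: Chrome user agents also contain "Safari/", so Chrome is
# matched before the Safari pattern, which requires the "Version/" token.
UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]*\s+Safari/")),
]


def parse_browser(user_agent):
    """Return (family, major_version), or (None, None) if unrecognised."""
    for family, pattern in UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, int(match.group(1))
    return None, None


def is_outdated(family, major):
    """True when the major version is below the assumed current release."""
    return family in MIN_CURRENT and major < MIN_CURRENT[family]


def score_campaign(log_text):
    """Compute per-recipient click, credential, report and outdated-browser rates."""
    sent, clicked, creds, reported = set(), set(), set(), set()
    browsers = {}  # user -> (family, major) taken from the user's first click
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, event, user_agent = line.split("\t", 2)
        if event == "sent":
            sent.add(user)
        elif event == "clicked":
            clicked.add(user)
            browsers.setdefault(user, parse_browser(user_agent))
        elif event == "credentials":
            creds.add(user)
        elif event == "reported":
            reported.add(user)

    outdated = {u for u, (fam, major) in browsers.items()
                if fam is not None and is_outdated(fam, major)}
    total = len(sent)

    def pct(users):
        return round(100.0 * len(users) / total, 1) if total else 0.0

    return {
        "recipients": total,
        "click_rate": pct(clicked),
        "credential_rate": pct(creds),
        "report_rate": pct(reported),
        "outdated_browser_rate": pct(outdated),
        "outdated_users": sorted(outdated),
    }


if __name__ == "__main__":
    for key, value in score_campaign(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Rates are computed over unique recipients rather than raw events, so a user who clicks a link twice does not inflate the click rate; the report rate is worth tracking alongside the click rate because, as the second tip says, the people who notify IT are the metric to grow. Replace MIN_CURRENT with the versions your patch policy actually requires before using the outdated-browser figure for anything.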

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md. View Full Bio