Security Watch

Keeping Track of patches and hacks in the IT security world.

Nearly a Third of Users Fall for Phishing

About 400 organizations tested a total of 11,542 employees to see how many would click on phishing emails; 31 percent did, Duo Security's new tool showed.


A month ago, Duo Security publicly released its free Duo Insight tool, enabling organizations to test responses to phishing attacks. The results of the first six weeks of user testing are now in, and the numbers are not inspiring.

From July 12 to Aug. 5, approximately 400 organizations made use of the Duo Insight tool. In that time period, 11,542 employees were exposed to a phishing attack test to see what the response would be and how many would actually open and click on a potentially malicious link.

Nearly a third (31 percent) of tested users ended up clicking on a link that was inside the Duo Insight phishing email test; 17 percent of tested users clicked the link and also entered their username and password information. When Duo Insight was first made public, the company had already done an initial set of 100 tests, in which 27 percent clicked on the link and then 17 percent (same as the new study) actually entered their information.

"We weren't surprised that the numbers were static," Jordan Wright, R&D engineer at Duo Security, told eWEEK.

Wright added that he thought the initial test group of 100 users and the larger public test group of 11,542 users were pretty similar, and as such, it's reasonable to expect similar results.

"The main thing to take away from this is that even if only 17 percent provided their username and password, 31 percent clicked the link, which in itself can lead to a breach through an outdated endpoint," Wright said.

Duo Security found that, on average, 68 percent of end-users were running with out-of-date operating systems and 62 percent had outdated web browsers. Wright noted that the out-of-date figures for operating systems and browsers are shocking though they are in line with what Duo Security observed in its 2016 Trusted Access Report.

"We keep coming back to the same tried-and-true advice, which is to patch often and make sure the devices accessing your network are secure enough that you're comfortable with them accessing your data and business applications," Wright said.

The overall goal with the Duo Insight phishing test is to help identify the problem as well as being a training tool to teach users what not to do. At this point, Wright commented that it's still too early to give some hard statistics on trends per user and whether behavior changes over time.

"We hope that organizations will use Duo Insight to run campaigns at regular intervals and use them to train and educate their users on how to spot phishing campaigns so that they don't click links or offer up user credentials when they get a real-life phishing email from a malicious attacker," Wright said.

The Duo Insight tool itself is improving over time, with new phishing templates added since the initial launch. Duo Security has also worked to make the experience more streamlined for users, Wright said.

"No one else is really offering a free tool like this yet, so a lot of the future for Duo Insight will be reliant on how it's received," Wright said. "Hopefully, more easy-to-use tools will be available to help administrators who have very little time and no budget to do these types of risk assessments."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.