Most organizations know how much of a security risk phishing attacks are, but what isn’t always known is how well an organization and its employees are able to detect and deflect such attacks.
Duo Security has run a number of surveys over the course of the year that have consistently revealed how poorly prepared many organizations are to deal with a phishing attack. A study conducted in March, for example, found that nearly half (49 percent) of surveyed customers who had trained their employees on phishing avoidance still have employees falling victim to phishing attacks.
To that end, Duo Security announced on July 12 its Duo Insight service, which provides a free phishing simulation to help identify how an organization and its employees respond to phishing attacks.
According to Duo Security, across the first 100 Duo Insight simulations conducted by beta testers, 27 percent of users clicked the phishing link but didn’t end up entering a username and password. Only 17 percent of the first 100 users actually clicked the link and entered their full credentials.
As to why there was a gap between users who clicked on a link and entered credentials and those who didn’t enter credentials, Duo Security has a few ideas.
“We attribute this gap to users who are more security conscious,” Ruoting Sun, principal product marketing manager at Duo Security, told eWEEK. The more security-conscious users likely looked at the Web address, were suspicious that they had to re-enter their credentials and recognized this as a phishing attempt after clicking the link, according to Sun.
The fact that 17 percent of the first group of Duo Insight users fell for the phishing bait didn’t surprise Duo Security either.
“We are not surprised by these numbers. These phish rates are in line with industry estimates and averages for targeted phishing campaigns,” Sun said.
The Duo Insight system attempts to trick unsuspecting users by sending common business email correspondence. Duo Insight has the ability to detect what applications are used in a company and can recommend one of those as the target application used in the phishing email. Common applications including Salesforce, Outlook Web Access, Google Apps and Office 365 are all options that are available inside of Duo Insight for phishing emails.
Sun explained that the Duo Insight administrator can customize the content of the phishing email, including whom it’s from, what the spoofed domain should be, what the email says and who is the email target. After the phishing email is sent, the administrator can log into a dashboard that shows who opened the email, who clicked on the link and who got phished. The dashboard can also report if a targeted device is out of date, as well as make an estimate on how much financial and time loss might be incurred from the phishing email based on industry comparables.
The overall goal is to give organizations a better idea of who falls for phishing attacks and what devices are vulnerable in a network.
“Most phishing templates are corporate emails, leveraging the fact that people are most likely to fall for phishing when it comes from a trustworthy source within the company,” Sun said. “This is especially likely to happen if there are already email credentials that are compromised within the organization.”
The idea of testing the ability of an organization’s employees to detect a phishing attack is not a new one. There are multiple vendors, including PhishMe, that offer phishing readiness and testing services. A couple of benefits to choosing Duo Insight, according to Sun, is that it is a free tool and it’s easy for organizations to set up and deploy quickly.
“Duo Insight automatically generates a report for the administrator showing the results of their phishing campaign, as well as a business case for investing in the right security tools to prevent data breaches in case user credentials and devices are compromised,” Sun said. “Solutions that provide authentication and insight into device hygiene are effective at protecting against breaches.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.