Almost a Third of Staff Still Fall for Phishing Emails

Almost one-third of employees are putting their organization at risk of phishing attacks, according to new research from Duo Security.

The firm has released findings from its free phishing simulation tool Duo Insight, which gives organizations of all sizes an internal phishing drill system for simulating a phishing campaign against their own employees, and found that 31% of staff clicked the link in the emails sent by their internal team. This shows phishing is still a significant threat to companies as they attempt to stem the tide of cyber-attacks that continue to plague organizations across the globe.

“Phishing is still a very real problem that every single organization faces,” Jordan Wright, R&D engineer at Duo Security, told Infosecurity. “This shows that phishing still works and across any major breach traditionally we still see the initial infection vector being a simple phishing email that landed in a user’s inbox.”

Perhaps most concerning, Duo Security discovered that 17% of staff not only clicked on the links but also entered their username and password when prompted, something that would, in a real-world scenario, give an attacker the keys to corporate data, especially if they are using unsecured internet browsers, plug-ins (such as Flash and Java) and out-of-date operating systems on their devices.

When it comes to pinpointing why people still fall victim to phishing emails, Wright explained that it often comes down to hackers intentionally exploiting the trust that users place in the software, systems and document types they use day-to-day.

Whenever an attacker decides to go after an organization, they often take into account two things: the first is considering what makes a convincing, believable email or landing page that looks as though it belongs to a service the victim would be used to. The second is then ensuring the actual content within the email is worded so convincingly that users will click without being suspicious.

“I think that hackers know much more about human psychology than some security professionals and security researchers do,” explained Zinaida Benenson, lead of the Human Factors in Security and Privacy Group at the IT Security Infrastructures Lab of the University of Erlangen-Nuremberg. “They exploit old techniques that have always worked in order to make people click: make a person curious about some piece of content behind a link, spoof a sender they might know or a life situation they might relate to, use language that fits the situation.”

Furthermore, the data from Duo Insight suggests cyber-criminals are capable of orchestrating entire phishing campaigns in as little as half an hour, with some taking just five minutes to put together and a mere 25 minutes to access corporate data.

Speaking to Infosecurity, PandaLabs technical director at Panda Security Luis Corrons said that this quick turnaround highlights the fact that the phishing process is now so sophisticated that each of the steps involved is specialized and automated, giving hackers the means to gather profit within hours.

“They have access to tools and services in the dark web to carry out the attacks,” he added. “A common technique used by the hackers is to use automated tools in order to find vulnerable web sites so they can put their phishing in. This saves them a great deal of time, as there are a lot of sites which have not been updated in months or even years and are vulnerable.

“Once the phishing is hosted, they can spread the malicious link using the habitual spam methods. The addresses and phishing mails can be bought in the black markets so they can have them ready in advance. The time required to gather the data depends on the protection level of the end user and the ability to trick him/her. Once tricked, getting the information/payment can be done in minutes as they have access to the vulnerable site or can redirect it to another server.”

A key takeaway from Duo Security’s findings is that phishing is now very much an endpoint problem and not just a credential issue. Whilst it is easy to be most concerned about the credentials being sent out, the fact is that by targeting the endpoint with exploit kits, hackers can potentially get their hands on endless amounts of sensitive data.

“From a security standpoint, phishing is not just about compromising your credentials,” said Ash Devata, VP of products at Duo Security. “If you click on a phishing link your endpoint can potentially be compromised. This means all the data on your endpoint can be read and it can make your endpoint the hacker’s entry point to get into the network.”

So what is the solution? What do companies need to be doing to help combat this all-too-common security risk?

Wright believes the answer lies in building a positive, collaborative security environment that focuses on rewarding staff who actively pick up and report phishing emails, as with the correct training they are the ones who can potentially save companies significant amounts of money.

“We understand that users are the weakest vector, but it’s not about shaming users, it’s about training them and running drills to educate them on phishing attacks to give them the tools to build that collaborative environment that allows people to work together to address the problem.”

These were sentiments echoed by Arun Vishwanath, associate professor at the State University of New York, Buffalo, who told Infosecurity that to tackle the phishing epidemic, enterprises must begin by gaining an understanding of their people and employees, which allows them to tailor training that factors in the realities of how staff operate, how they think, their patterns of device use and their work habits.

“Once we know what ails each individual, we can come up with individualized solutions that help deal with their specific problem,” he added.

Look at modern medicine as an example, continued Vishwanath, which has been successful because it works by examining patients and treating their individual problems.

“Some patients require medication, others a change in lifestyle, and some others need counseling. Likewise, some employees will need education, some a change of work patterns, and others will need to be provided new ways of thinking about phishing. Knowing who needs what and providing them different treatments is key to defending against the threat of not just phishing but all social engineering attacks.”

To conclude, Wright urged companies to avoid being afraid to measure the issues within – don’t fear knowing what types of things your users will click on, as this is the information you need to get to the heart of the issue.

“It’s hard to address a problem before you measure it, or before you know the impact of the exposure you are dealing with.”
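Measuring an internal drill the way Wright describes means turning the raw simulation events into the rates the article quotes (who clicked, who submitted credentials, and who reported) broken down by lure type. The following is an added example, not code from Duo Insight or the article; the event log and the lure names are constructed, and each user is counted once per lure so repeated clicks do not inflate the figures.

```python
from collections import defaultdict

# Constructed drill events (not real data). Each tuple is
# (user, lure_template, action) with action in: sent, clicked, submitted, reported.
DRILL_EVENTS = [
    ("alice", "password-reset", "sent"),
    ("alice", "password-reset", "clicked"),
    ("alice", "password-reset", "submitted"),
    ("bob", "password-reset", "sent"),
    ("bob", "password-reset", "reported"),
    ("carol", "shared-document", "sent"),
    ("carol", "shared-document", "clicked"),
    ("dave", "shared-document", "sent"),
    ("erin", "shared-document", "sent"),
    ("erin", "shared-document", "clicked"),
    ("erin", "shared-document", "reported"),   # clicked, then reported: still a reporter
]


def score_drill(events):
    """Return click/submit/report rates per lure template and overall.

    Rates are fractions of recipients ("sent"), counted once per user per lure.
    """
    seen = defaultdict(set)                      # (lure, user) -> set of actions
    for user, lure, action in events:
        seen[(lure, user)].add(action)

    counts = defaultdict(lambda: defaultdict(int))   # bucket -> action -> users
    for (lure, _user), actions in seen.items():
        for bucket in (lure, "overall"):
            for action in actions:
                counts[bucket][action] += 1

    rates = {}
    for bucket, c in counts.items():
        recipients = c["sent"]
        if recipients == 0:                      # lure with no delivery record
            continue
        rates[bucket] = {
            "recipients": recipients,
            "click_rate": round(c["clicked"] / recipients, 2),
            "submit_rate": round(c["submitted"] / recipients, 2),
            "report_rate": round(c["reported"] / recipients, 2),
        }
    return rates


def reporters(events):
    """Users who reported a drill email: the behaviour the article says to reward."""
    return sorted({user for user, _lure, action in events if action == "reported"})
```

Running `score_drill(DRILL_EVENTS)` on the constructed log gives an overall click rate of 0.6 and a credential-submission rate of 0.2, with the shared-document lure drawing more clicks than the password-reset one, which is the per-lure breakdown a team needs before deciding where to focus training.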
