Now Available: Duo Insight, A Tool To Help Organizations Identify Phishing Risks
Today, we’re launching a free, easy-to-use risk assessment tool to help companies identify their users and devices that may be vulnerable to phishing attacks. You can use this tool by visiting insight.duo.com.
Many of the data breaches we hear about today stem from stolen, weak or default credentials (63%), according to the latest Verizon Data Breach Investigations Report. Many other breaches were due to exploited out-of-date devices, which leverage known vulnerabilities in older versions of operating systems, software and plugins.
One of the easiest ways to compromise user accounts is through the use of phishing, a socially-engineered attack designed to trick users into clicking malicious links or giving up their credentials. Clicking on malicious links can also install drive-by malware on users’ devices, designed to exploit security vulnerabilities on out-of-date devices.
Despite companies regularly educating their employees about phishing, many end users still fall for these attacks. Consider these numbers: Wombat’s State of the Phish 2016 Report found that 92% of companies regularly conduct phishing education for their employees.
Based on the first 100 phishing simulations launched by security professionals on Duo Insight, we found that 27% of end users clicked a phishing link and 17% of all users actually entered their credentials.
This is particularly disturbing, because it means a simple phishing campaign created in five minutes has an incredibly high success rate. (Later, we’ll show you how you can launch your own phishing simulation in just minutes.) As we talked to more customers about how they deal with phishing, we learned about a few key challenges that remain unresolved:
- Phishing assessments are costly and take a long time to set up, so most organizations only run yearly phishing simulations on their employees.
- Most administrators don’t know how to show the business impact of a successful phishing attack.
How Duo Insight Works
We decided to address these challenges with Duo Insight, a phishing simulation tool. First, Duo Insight stays true to Duo’s core design philosophy that security should be easy. You can run a full phishing simulation, from start to finish, in under five minutes. There are a lot of areas where we’ve done the hard work for you, for example:
- We detect the applications used by your organization today and recommend those as the target applications for your phish. This level of customization is common in spear-phishing attacks today, because it increases the level of trust and authenticity in the message.
- We can detect employees at your company, and then automatically populate their email addresses as recipients for your phishing simulation. Again, this is another common spear-phishing technique used today, as personalization with first and last names yields a significantly higher click-through rate.
Actionable Data Report
We also wanted to give administrators powerful, actionable data that helps them make decisions and get budget to solve these problems. After launching your phishing campaign, an interactive dashboard shows the results of your phish and the business impact that a potential data breach might have on your organization. It even shows how many of the users who clicked a phishing link are running out-of-date devices. An end user who is likely to fall for phishing attacks and who also works from an outdated, vulnerable device is the perfect target for any attacker.
You can share this dashboard with management to create a stronger business case for the budget to mitigate these risks. For example, implementing access policies around two-factor authentication and enforcing device health are great ways to prevent a data breach even if your user credentials or devices are compromised.
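As an added example (not Duo Insight’s own code), the following Python turns constructed campaign results into the kind of figures the dashboard reports (click rate, credential rate, and the overlap between users who clicked and out-of-date devices) and then applies a hypothetical device-health plus two-factor access policy to the users who gave up their credentials. The minimum plugin versions are placeholders, not Duo’s.

```python
# Added example, not Duo Insight code. Aggregates constructed phishing
# simulation results and applies a hypothetical device-health policy.
from dataclasses import dataclass, field

# Hypothetical minimum acceptable plugin versions (placeholders).
MIN_VERSIONS = {"flash": (22, 0), "java": (8, 101)}

@dataclass
class Result:
    user: str
    clicked: bool            # followed the simulated phishing link
    entered_creds: bool      # submitted credentials on the landing page
    plugins: dict = field(default_factory=dict)  # name -> (major, minor)

def outdated_plugins(plugins):
    """Names of plugins older than the policy minimum."""
    return [name for name, ver in plugins.items()
            if name in MIN_VERSIONS and ver < MIN_VERSIONS[name]]

def summarize(results):
    """Click rate, credential rate and the clicked-and-outdated overlap."""
    total = len(results)
    rate = lambda n: round(100 * n / total, 1) if total else 0.0
    clicked = [r for r in results if r.clicked]
    creds = [r for r in results if r.entered_creds]
    risky = [r.user for r in clicked if outdated_plugins(r.plugins)]
    return {
        "total": total,
        "click_rate": rate(len(clicked)),
        "credential_rate": rate(len(creds)),
        "clicked_outdated": sorted(risky),
    }

def access_decision(result, two_factor_enrolled):
    """Hypothetical policy: phished credentials alone are never enough.
    Deny on an unhealthy device; otherwise demand the second factor."""
    if outdated_plugins(result.plugins):
        return "deny: out-of-date device"
    if not two_factor_enrolled:
        return "deny: second factor not enrolled"
    return "require second factor"

# Constructed sample results for a small campaign.
SAMPLE = [
    Result("alice", True, True, {"flash": (21, 0), "java": (8, 101)}),
    Result("bob", True, False, {"flash": (22, 0), "java": (8, 91)}),
    Result("carol", False, False, {"flash": (22, 0)}),
    Result("dave", True, True, {"java": (8, 111)}),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for r in SAMPLE:
        if r.entered_creds:
            print(r.user, "->", access_decision(r, two_factor_enrolled=True))
```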
Lastly, we decided to make this a free tool so that any organization can quickly assess its user and device risk.
What We’ve Learned
In the last few months, we’ve helped hundreds of customers launch phishing assessments with Duo Insight. Through these campaigns and other industry research, we’ve learned a lot and wanted to share these findings:
- Despite the heavy focus on phishing awareness in many companies, several end users still fall for phishing emails. Through 100 phishing campaigns targeting more than 2,500 end users, more than 1 out of every 4 users clicked a phishing link, and about 1 out of every 6 users actually entered their credentials.
- Out-of-date software is prevalent among end users. Duo’s Trusted Access Report found that 6 out of every 10 users were running an outdated version of the Adobe Flash Player plugin and 7 out of every 10 users were running an out-of-date version of Java.
- Corporate emails tend to have the highest click-through rates at 15% (State of the Phish 2016, Wombat Security). For example, a commonly used template in Duo Insight is a Google Docs invite that takes unsuspecting victims to a spoofed domain asking them to sign in with their Google Apps credentials before they can view the document.
Go to Duo Insight to launch your first phishing simulation to see which users and devices are at risk in your organization.