Skip navigation
Duo Labs

So Your Users Clicked - Now What?

Duo recently released a tool called Duo Insight that lets organizations run effective mock phishing campaigns against their employees for free.

Since our initial launch, we've seen hundreds of organizations use Duo Insight to gain visibility into their exposure to phishing attacks. Unfortunately, as most of these organizations are finding out, when it comes to phishing, it's not if a link will be clicked - it's when and by whom.

We wanted to provide some advice on what to do after the first phishing campaign is completed. These are some simple steps to take to get more value out of results from Duo Insight, as well as decreasing your overall exposure to phishing.

Know You're Not Alone

As the first phishing results roll in, the knowledge that every click could result in a serious breach is eye-opening. It's important to remember that you're not alone. Phishing affects everyone, regardless of your information security budget or what devices you have deployed. It affects everyone because it works.

Here are some high-level stats from our initial launch of Duo Insight:

Duo Insight Phishing Stats

As you review the results from your campaign, know that everyone is affected by phishing. By gaining visibility into your exposure to phishing, you can start to take steps to decrease the number of clicked links.

Reward the Reporters!

Typically, when organizations run phishing campaigns, their only worry is who clicked. However, these campaigns also provide insight into another metric that can be even more valuable: who reported the phishing campaign.

Vigilant employees can be the single most effective security system for an organization—better than any security device in a rack. When an employee forwards a suspicious email to the security team, they may have saved the organization.

So reward the reporters! This positive reinforcement provides incentive for employees to report phishing emails, which in turn will give value back to the company in the form of increased reporting and fewer phishing emails opened.

Approach Phishing as an Endpoint Problem

Phishing is an Endpoint Problem

It’s commonly misunderstood that phishing is a credential problem. It's thought that, as long as users are just clicking the links but not entering credentials, they're safe. This is simply not the case.

Phishing is an endpoint problem, not a credential problem.

Attackers know that browsers have vulnerabilities. They also know that browser plugins like Flash and Java have even more vulnerabilities. They understand that, if they can exploit these vulnerabilities, they get more than a set of credentials; they get complete control over the compromised device.

To make this easier, they've created reusable exploit kits that come bundled with multiple high-quality exploits designed to compromise a browser. These exploit kits can download malware or ransomware to a device, steal credentials and information stored on the device, and more.

In our 2016 Trusted Access Report, we found that up to 72 percent of devices are vulnerable to things like exploit kits by running outdated browser plugins. Even clicking a malicious link can be game over.

You can significantly reduce your exposure to threats like exploit kits by using an endpoint solution that can both provide visibility into outdated devices and allow you to block them from accessing your applications.


If you haven’t tried out Duo Insight, give it a shot! Measuring user risk to phishing is the first step to managing it. By running simulated phishing campaigns at regular intervals, you will find that users will become better at spotting and reporting real phishing emails before they ever become a threat to your organization.