Q&A with Duo Security - Educating employees on phishing risks

Phishing is a bigger problem now than it was in the past, says Duo Security's Jordan Wright.

Is phishing a bigger problem now than it has been in the past? If so, why?

Absolutely. According to the Anti-Phishing Working Group, 2016 was a record year for phishing, with the total number of attacks exceeding 1.2 million. This number represents the highest ever recorded, and a 65 per cent increase over 2015. 

Phishing attacks have grown in number because they are one of the most cost-effective ways for attackers to gain access to critical information, and then profit by selling the data. The barrier to entry is also relatively low, as you don’t need to be a computer scientist to illegally use a phishing tool. 

Despite what you read in the headlines, most organisations will not face complex nation-state adversaries, but will be victims of a targeted phishing campaign or social engineering.

The effectiveness of phishing emails is surprising to those who don’t follow this topic closely. For example, based on 2,600 phishing simulation campaigns we conducted last year on a total of 60,000 recipients via the Duo Insight tool:

  • 44 per cent of recipients opened the phishing email
  • 26 per cent of recipients clicked the link, making them susceptible to having malware or ransomware installed on their devices
  • 14 per cent of recipients entered their credentials
  • 61 per cent of campaigns could have allowed us to capture at least one credential
  • On average, from the beginning of a phishing campaign, it only takes 12-13 minutes before someone is successfully phished

Why are corporate employees such lucrative targets for hackers?

Employees represent the broadest threat vector that organisations need to monitor. In particular, they possess credentials and access to sensitive information that is critical to the security and success of a company. 

Increasingly, adversaries are targeting end-users, often the soft underbelly of an organisation’s security landscape. Attackers will move laterally through an organisation as they work to gain access to vital company data and personal customer information.

What sophisticated phishing techniques are we seeing which weren’t around a year ago?

Attackers study existing corporate emails and try to mimic them in an attempt to appear legitimate. This is often done by appealing to authority and impersonating an executive at the company found through social media sites such as LinkedIn. Attackers will ask for copies of sensitive information or request a wire transfer be sent to an account they specify under the guise of a business transaction.

Attackers are also increasingly using phishing templates specific to the email service used by the recipients. For example, there was a very clever Gmail phishing attack earlier this year that embedded a linked image designed to look like a standard Google Drive attachment.

People should also be wary of phishing attempts via LinkedIn. Attackers typically use a compromised account to send phishing emails to the person’s contacts, exploiting the inherent trust that many users have with the business colleagues they are connected with. They do this until they are able to steal a person’s employee access credentials and gain access to a company’s applications.

Why are employees still falling for phishing attacks?

Many people who aren’t in the information security industry or who can’t stay up on the ever-evolving tactics attackers are using are less likely to recognise the tell-tale signs of a phishing email.

Oftentimes, employees are so focused on their business and completing their daily tasks that it’s difficult to step back and consider that they may be targeted by an attacker. In addition, it’s human nature to trust your friend, colleague or give someone the benefit of the doubt. Attackers know to exploit this.

What can organisations do to educate their employees on the risks of phishing and how can they help prevent themselves from falling foul to an attack?

Using phishing simulation tools allow CISOs and their security teams to conduct a risk assessment of their organisation, and then develop an action plan which might be as simple as implementing two-factor authentication (2FA). With 2FA, if attackers have someone’s credentials, they still can’t access the system since they do not have the user’s authentication device. The assessment also may out the need for an employee education plan depending on the results.

In addition, organisations and employees should:

  • Keep software up to date
  • Stay vigilant - look for signs that the email may not be legitimate, such as typos
  • Be extra cautious if you weren’t expecting the email
  • Use a password manager
  • Before entering your credentials, check that the website you’re on is the one you expect
  • Be careful with attachments, which can contain malware
  • When in doubt, double-check!
    ●Let your security team know if an email is suspicious
    ●If it’s a personal contact, you can reach out via another method like a phone to ensure they sent they the email

Is education a more effective approach than prevention?

CISOs need to take a bilateral approach. Creating internal awareness, education and urgency are important, yet the chances are still good that an adversary will eventually gain access to a company’s network or applications. 

This is why implementing multi-factor authentication, as well as enforcing policies that limit remote access based on the user and device, are so important. Regardless of the product you go with, employees must like using it and it cannot hamper their productivity. For security to be effective, it needs to be easy.

Can training create a sense of over-confidence in employees?

This is less of a concern compared to raising employee awareness of what to look out for and providing education on what to do if you fall prey to a phishing technique.

How do you expect phishing attacks to impact enterprises in the future?

In general, companies need to focus on basic security hygiene, such as data encryption and backup, timely patching of software such as browsers and operating systems, utilising password managers, multi-factor authentication and granting access based on the user and device rather than the location.

Until organisations have mastered these basics, they shouldn’t be spending another pound on a security solution.

Jordan Wright, R&D Engineer, Duo Security
Image Credit: wk1003mike / Shutterstock

ABOUT THE AUTHOR

Jordan has more than six years of experience in information security and is a pioneer in offensive and defensive phishing tactics. He is also a frequent contributor to open-source software projects and research. Jordan helped develop Duo Insight, a free phishing simulation tool allowing organisations to phish their own companies in under five minutes to determine risk from phishing attacks.