Author: Derek Mizak

Phishing exploits human nature by tricking unsuspecting users into clicking a link and entering some data, usually their username and password, into something that looks innocent; we all know that. It is all about human nature, not about technology. In one of our test phishing campaigns, 9% of users entered their credentials into the phishing site, the first of them less than 3 minutes after the campaign started.

Phishing Testing Data

So is phishing all about the human? Well, if I were asked this question, I would say: if your software is not up to date, there are most likely more vulnerabilities to exploit. Phishing, however, is all about human behaviour; it is about how easily a user can be tricked into doing something he or she shouldn't.

We (DMZIT) run simulated phishing campaigns for our customers: we send batches of prepared e-mails and monitor what users do. All e-mails are harmless; they just link to our statistical monitoring software. As the picture below shows, 9% of users were phished successfully by entering data, namely their credentials, which should be worrying.

Phishing Response Data

There is something in those stats that has always surprised me. The phished population often uses an out-of-date browser (right circle on the chart below), in contrast to the non-phished population (left chart).

Chart Phishing Data

The proportion differs from customer to customer, but the trend is there.

Charts Showing browser phishing data

I want to stress that we are not using browser vulnerabilities in our test phishing campaigns; we just send simulated e-mails with scripts that monitor user behaviour, checking who clicked the link and who entered data. The data does not actually go anywhere; we collect stats only.

Why the users who are more susceptible to phishing use out-of-date software, I am not sure; maybe it has something to do with how much attention they receive from their IT departments.
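As an added example (not DMZIT's own tooling), the following Python computes the figures discussed in this post from a campaign event log: click rate, the share of users who entered credentials, minutes to the first credential entry, and the out-of-date browser share among phished versus non-phished users. The event records and the table of "current" browser versions are constructed assumptions, not data from a real campaign.

```python
"""Summarise simulated-phishing events (constructed sample data)."""
from datetime import datetime

# Constructed records: (user, event, ISO timestamp, browser, major version).
# "sent" rows carry no browser; click/submit rows carry what the landing page saw.
EVENTS = [
    ("alice", "sent",   "2024-05-01T09:00:00", None, None),
    ("bob",   "sent",   "2024-05-01T09:00:00", None, None),
    ("carol", "sent",   "2024-05-01T09:00:00", None, None),
    ("dave",  "sent",   "2024-05-01T09:00:00", None, None),
    ("eve",   "sent",   "2024-05-01T09:00:00", None, None),
    ("frank", "sent",   "2024-05-01T09:00:00", None, None),
    ("alice", "click",  "2024-05-01T09:01:30", "Chrome", 124),
    ("bob",   "click",  "2024-05-01T09:02:05", "Chrome", 109),
    ("bob",   "submit", "2024-05-01T09:02:40", "Chrome", 109),
    ("carol", "click",  "2024-05-01T09:10:00", "Firefox", 115),
    ("carol", "submit", "2024-05-01T09:11:00", "Firefox", 115),
    ("dave",  "click",  "2024-05-01T09:20:00", "Firefox", 125),
    ("eve",   "click",  "2024-05-01T09:25:00", "Firefox", 115),
]
# Hypothetical "current" major versions used to flag an out-of-date browser.
CURRENT = {"Chrome": 124, "Firefox": 125}


def is_outdated(browser, major):
    return major < CURRENT.get(browser, 0)


def campaign_stats(events):
    """Return rates and the outdated-browser share for phished vs. non-phished users."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[2]))
    start = min(datetime.fromisoformat(e[2]) for e in ordered if e[1] == "sent")
    sent = {e[0] for e in ordered if e[1] == "sent"}
    browser, clicked, phished, first_submit = {}, set(), set(), None
    for user, ev, ts, br, major in ordered:
        if ev == "click":
            clicked.add(user)
            browser.setdefault(user, (br, major))  # keep the first browser seen
        elif ev == "submit" and first_submit is None:  # ordered, so first wins
            first_submit = datetime.fromisoformat(ts)
        if ev == "submit":
            phished.add(user)

    def outdated_share(users):
        known = [u for u in users if u in browser]
        return sum(is_outdated(*browser[u]) for u in known) / len(known) if known else 0.0

    return {
        "sent": len(sent),
        "click_rate": len(clicked) / len(sent),
        "phish_rate": len(phished) / len(sent),
        "minutes_to_first_phish": (first_submit - start).total_seconds() / 60 if first_submit else None,
        "outdated_share_phished": outdated_share(phished),
        "outdated_share_not_phished": outdated_share(clicked - phished),
    }
```

Feeding it real campaign exports only requires mapping each record to the same five-field tuple; the browser major version can be taken from the User-Agent the landing page logged.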

Derek Mizak is a cyber security consultant working on the application of Artificial Intelligence to cyber security practice. Digital Forensic Investigator, ISO 27001 lead auditor.