Summary

Phishing is responsible for the vast majority of breaches in this pattern, with cloud-based email servers being a target of choice. Business Email Compromises (BECs) were the second most common form of Social Engineering. This attack scenario reflects the meteoric rise of Misrepresentation, which was 15 times higher than last year in Social incidents. Additionally, Social Engineering attacks often result in the loss of Credentials. This pattern saw those stolen credentials used in both Hacking and Malware attacks.

Frequency

3,841 incidents, 1,767 with confirmed data disclosure

Threat Actors

External (100%) (breaches)

Actor Motives

Financial (95%), Espionage (6%) (breaches)

Data Compromised

Credentials (85%), Personal (17%), Other (9%), Medical (4%) (breaches)

Anyone who has been around children for an extended period of time is well acquainted with social engineering. Watching them trying to convince a parent (or sibling) to see things their way can be quite entertaining. Not that you can blame them. We’re all trying to get ahead. But none of us wants to be the one handing over something we’d rather keep just because the actor, whether they are three years old or 30, has a really good story about why they need it.

We’ve definitely seen a jump in Social Engineering breaches as a pattern from last year with an overall upward trend since 2017. For the past couple of years, it appears to be correlated to an uptick in the compromise of cloud-based mail servers. What we cannot say is why email is so enticing to threat actors.⁵⁹ Maybe it’s for the email addresses themselves. Maybe it’s for the internal information they contain. Maybe it’s for the creds, personal, and other monetizable information. Or it could simply be that they want to repurpose the server to send more malicious emails out. Sometimes it’s best to admit when you just don’t know.

Hopefully it is not a surprise that all Social Engineering incidents have a Social action,⁶⁰ but as you can see in Figure 72, Malware and Hacking pop up as well.

A lot of Social Engineering breaches steal Credentials⁶¹ and once you have them, what better thing to do than to put those stolen creds to good use, which falls under Hacking. On the other hand, that Phishing email may have also been dropping Malware, which tends to be a Trojan or Backdoor of some type (Figure 74), a trap just waiting to be sprung.

As with past years, Social actions are predominantly phishing, though Pretexting, normally associated with the BEC,⁶² also makes a strong showing. Remember those children and their great stories? This is the grownup version of why they need what you have.

The good news about Phishing is that the click rate in phishing simulations is down to a median of 3%. But as we can see in Figure 75, it’s not “most companies are around 3%.” Instead, there’s a long tail of companies with far larger click rates.

The phishing email itself has a lot to do with the click rate. An analysis⁶³ of 150 phishing templates found that the expected click rate varied significantly. In Figure 76, you can see the click rate could be anywhere from almost none to expecting over half of respondents to click. Additionally, real phishing may be even more compelling than simulations. In a sample of 1,148 people who received real and simulated phishes, none of them clicked the simulated phish, but 2.5% clicked the real phishing email. Finally, phishing volumes are very unequal. As you can see in Figure 77, no organizations experienced consistent malware by email. On the other hand, most experienced just a few days with extremely high malicious email volumes.

Engineering Incidents

Figure 78 reveals another concerning stat: The majority of Social Engineering incidents were discovered externally. Out of the top varieties in Figure 79, only one, (Reported by employee) is internal. This means that when employees are falling for the bait, they don’t realize they’ve been hooked. Either that, or they don’t have an easy way to raise a red flag and let someone know they might have become a victim. The former is difficult to address, but the latter is simple and should be implemented—something as basic as a well-publicized email of cert@yourorganizationhere.com (which, of course, is monitored) can give you a heads up that something is amiss.

Finally, we would be remiss if we let the BECs slide by. They were the second most common form of Social attacks and, as Figure 80 shows, they’re continuing to take off. Misrepresentation is 15 times higher than last year in Social incidents.⁶⁴ Together with Phishing and Pretexting, Misrepresentation helps drive the BEC juggernaut. And while the impact can be hard to quantify in some kinds of incidents, with a BEC it’s a lot easier.⁶⁵ As we point out in the Impact section, of the 58% of BECs that successfully stole money, the median loss was $30,000 with 95% of BECs costing between $250 and $984,855. Not bad for a day’s work.

Building Cybersecurity Culture

Masha Arbisman
Behavioral Engineering Manager for the Paranoids, the information security team at Verizon Media

The conversation about data leakage has flipped from “if” to “when” a company will be breached by malicious actors. The fight against cyber breaches continues to depend on an organization’s ability to train and adapt its members’ behaviors to protect against actions such as credential theft, social engineering, and user error.

Verizon Media believes the simulations and training offered by most security education teams do not mimic real life situations, do not parallel the behaviors that lead to breaches, and are not measured against real attacks the organization receives. This is why it is important to progress from the traditional security awareness model to that of using behavioral science to change the habits that lead to attack path breaking actions.

Huang and Pearlson’s cybersecurity culture model⁶⁶ suggests that cyber secure behaviors are driven by the values, attitudes, and beliefs of an organization, which are visible at the leadership, group, and individual levels. Influencing how employees prioritize, interpret, learn about, and practice cybersecurity allows managers a way to create a cybersecurity culture within the organization.

We used the Huang and Pearlson model in combination with behavioral science techniques⁶⁷ to develop a three-step approach⁶⁸ to drive experimentation and make decisions aimed at improving the security behaviors of employees. Over two years, the approach tripled adoption of a password manager and decreased the overall phishing susceptibility of employees by half, as calculated by the results of our phishing simulation programs correlated with real company attacks measured by their Security Operations team.

There is no singular approach to minimizing the human risks that lead to breaches. Each corporation experiences different flavors of the same types of attacks and must customize their behavioral engineering and cybersecurity education programs accordingly. The Verizon Media data-driven and measurable approach can be used as a starting point to building customized programs.

⁵⁹ Just like the old Defcon adage, the person on stage, (or in this case writing the report), is probably not the smartest person in the room. Maybe in this case, that’s you. If you have data showing what threat actors are doing with all the email accounts they’re compromising, give us a holler.

⁶⁰ Mostly delivered by email.

⁶¹ Though we’d be remiss to overlook the second most common data variety: Personal. It’s just that it’s kinda obvious that if someone’s got your email, they’ve probably also got personal info.

⁶² Fun fact, BEC doesn’t even have to compromise a business email address. Your.CEO@davesmailservice.com comes up all too often in our dataset.

⁶³ Pretty vague huh. We figured it sounded better than “a Marcov Chain Monte Carlo Mixture Model”. That’s just downright scary. (Though we totally did it.)

⁶⁴ We mentioned that BECs don’t even have to compromise an email address, but when they do, using it to send the malicious email is considered a Misrepresentation integrity compromise.

⁶⁵ Readers may be familiar with the old cyber shanty regarding phishing. “Soon may the phisherman come, to bring us creds to pwn for fun, one day, when the hacking’s done, we’ll take our crytpo and goooo.....”

⁶⁶ https://scholarspace.manoa.hawaii.edu/bitstream/10125/60074/0634.pdf

⁶⁷ See the Dictionary of Terms in the case study in the next footnote for a list of techniques

⁶⁸ https://cams.mit.edu/wp-content/uploads/Verizon-Media-CyberCulture-Paper.pdf