Social Engineering

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.


Pretexting continues to be the leading cause of cybersecurity incidents, with actors targeting users with existing email chains and context. Extortion also grew dramatically because of the large-scale MOVEit incident.

What is the same?

Phishing and Pretexting via email continue to be the leading cause of incidents in this sector, accounting for 73% of breaches.



3,661 incidents, 3,032 with confirmed data disclosure

Threat actors


External (100%) (breaches)

Actor motives


Financial (95%), Espionage (5%) (breaches)

Data compromised


Credentials (50%), Personal (41%), Internal (20%), Other (14%) (breaches)

social engineering

*ishing in the wind

In the cybersecurity world, or “the cyber biz,” as we call it, we certainly love our catchy terminology. Terms such as whaling, smishing, quishing, tishing, vishing, wishing, pharming, snowshoeing67 and plain old phishing are ever-present in the Social Engineering pattern. This makes sense because there are a lot of vectors on which we need to educate our employees and end users, and we’re positive that in another five years, there will be new ones that we will have to add to our list.

However, even with the growth of these new vectors and types of attacks, we tend to see the core social tactics such as Pretexting and Phishing still being used often (Figure 34). More than 40% of incidents involved Pretexting, and 31% involved Phishing. Other tried-and-true tactics such as attacks coming in via email, text and websites (Figure 35) aren’t necessarily the most exciting, but any security professionals who have been around for any length of time have probably seen these contenders in some capacity over their careers.

Data Breach Investigation Report figure 34

Regardless of the exact method that attackers use to reach organizations, the core tactic is the same: They seek to exploit our human nature and our willingness to trust and be helpful for their own gain. While these attacks all share that commonality, one rather significant difference is the scale and pervasiveness of these tactics.

First, the good news. We have not seen a dramatic rise in Pretexting like we did last year. However, it is also true that it hasn’t decreased but instead has maintained its position as the top type of Social Engineering incident. As a quick reminder, when we talk about Pretexting, largely consider this as a stand-in for BEC, where attackers leverage existing email chains to convince victims to do something, such as update an associated bank account with a deposit.

Data Breach Investigation Report figure 35

Low tech, high cost

Unfortunately, the bad news comes next, which is that BECs continue to have a substantial financial impact on organizations. Figure 36 captures the growth in terms of costs associated with BEC since early 2018. As we mentioned above, there isn’t any growth this year as compared to last year, but neither has it decreased, with the median transaction hovering around $50,000.

One of the best things you can do when you realize you are a victim of BEC fraud is to promptly work with law enforcement. Figure 37 shows the distributions of outcomes from the cases our data contributors at the FBI IC368 have worked. In half of the cases, they were able to recoup 79% or more of the losses. On the less fortunate side, 18% of the incidents had nothing frozen and potentially lost everything that was sent to the criminals.

Data Breach Investigation Report figure 36
Data Breach Investigation Report figure 37

I hope this threat finds you well.

Our introvert selves were already weary of all these social “interactions” even before these extortion-based attacks from ransomware groups busted through the door into the Social Engineering pattern. Social attacks, such as those involving Phishing, have long played their part in ushering in a ransomware deployment, as typified by the leveraging of those techniques in the ALPHV breach of MGM Resorts and other entertainment groups. But given the shift in tactics by some groups, along with the Extortion action being the final result of the breach as opposed to an initial one, this seemingly “System intrusion-y” attack now also shows up in this pattern.

Keep in mind, however, that Extortion isn’t anything new in this pattern. We’ve seen various iterations of it from the empty threats (“We’ve hacked your phone and caught you doing NSFW stuff.”) to somewhat credible threats (“Look us up. We’re super-duper hackers that’ll DDoS you.”) to very credible threats (“We’ll leak the data we took. Here are samples for you to validate.”). This year, however, Extortion showed up in spades as a result of the MOVEit breach, which affected organizations on a relatively large scale and in an extremely public fashion.

Data Breach Investigation Report figure 38

This is plainly visible in the steps to breaches chart (Figure 38). As you can see, there has been a dramatic increase in compromising servers via Hacking. Given the prevalence of these types of attacks, we recommend discussions with leadership to determine what the course of action should be if they occur in your organization.

School of phishes

This is probably cliché at this point, but we’re believers that the first line of defense for any organization isn’t the castrametation69 of their systems but the education of their key staff, including end users.70 Fortunately, this isn’t simply us standing on our “user-awareness” soapbox. We have both figures and hard numbers to help quantify our stance. The first lesson to learn is that Phishing attacks happen fast. The median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data (Figure 39). That leads to a frightening finding: The median time for users to fall for phishing emails is less than 60 seconds.

Some good news is that, as an industry, we seem to be getting better with regard to phishing test reporting. More than 20% of users identified and reported phishing per engagement, including 11% of the users who did click the email. As Figure 40 illustrates, this is another impressive improvement and one that we desperately need in order to catch up with the previous year’s increases in Phishing and Pretexting.

That leads to a frightening finding: The average time for users to fall for phishing emails is less than 60 seconds.

Data Breach Investigation Report figure 39
Data Breach Investigation Report figure 40

CIS Controls for consideration

There are a fair number of controls to consider when confronting this complex threat, and all of them have pros and cons. Due to the strong human element associated with this pattern, many of the controls pertain to helping users detect and report attacks as well as protecting their user accounts in the event that they fall victim to a phishing attack. Lastly, due to the importance of the role played by law enforcement in responding to BECs, it is key to have plans and contacts already in place.

Protect accounts

Account Management [5]
      – Establish and Maintain an Inventory of Accounts [5.1]
      – Disable Dormant Accounts [5.3]
Access Control Management [6]
      – Establish an Access Granting/Revoking Process [6.1, 6.2]
      – Require MFA for Externally-Exposed Applications [6.3]
      – Require MFA for Remote Network Access [6.4]

Security awareness programs

Continuous Vulnerability Management [7]
      Security Awareness and Skills Training [14]
      Although not part of the CIS Controls, a special focus should be placed on BEC and processes associated with updating bank accounts.

Managing incident response

Incident Response Management [17]
      – Designate Personnel to Manage Incident Handling [17.1]
      – Establish and Maintain Contact Information for Reporting Security Incidents [17.2]
      – Establish and Maintain an Enterprise Process for Reporting Incidents [17.3]

67 At the time of writing, one of these was fake.


69 There is a very obvious Maginot Line joke to be made here, so we will leave it as an exercise for the readers.

70 Perhaps we should say, “especially end users.”


Call Sales

Have us contact you
Request a call

Call for Public Sector