Phishing, Pretexting, and Data Breaches: Verizon’s 2018 DBIR

April 24, 2018
Aaron Jentzen

Verizon recently released the 2018 Data Breach Investigations Report (DBIR), its annual analysis of the real-world security events that are impacting organizations around the globe. The report collected data from 67 contributing organizations, covering over 53,000 incidents and 2,216 confirmed data breaches.*

This year’s report underscores the important role of end users in cybersecurity. “Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education,” according to the DBIR.

The following highlights speak to the importance of mitigating end-user risk through security awareness training.

Social Attacks: Phishing and Pretexting

A section of the report titled “Social attacks: We’re only human” focuses on phishing and pretexting. Taken together, phishing and pretexting represent 93% of all social breaches in the study. Email was the most common attack vector (96%).

While these two types of social engineering attacks have much in common, the report makes some useful distinctions between them.

Phishing is the familiar attack usually sent via email that entices end users to click on a malicious link or attachment. Attackers may use phishing to gain a foothold in an organization, often by distributing malware. According to the DBIR, malware is present in two-thirds of phishing attacks.

Pretexting “is the creation of a false narrative to obtain information or influence behavior.” Pretexting includes some dialogue or back-and-forth (especially over the phone), and most often targets employees in finance or human resources. Pretexting can involve impersonating executives as part of a business email compromise (BEC) attack.

Although they are categorized separately, phishing and pretexting often go hand in hand. “We have incidents where an employee is phished, leading to email account compromise, leading to establishing a pretext against a second human target,” the DBIR notes.

Key Phishing Statistics

As noted, phishing is often the first step in a larger chain of events leading to a breach; an email-based attack is often “followed by malware installation and other actions that ultimately lead to exfiltration of data.” The DBIR calls out cyber-espionage breaches as a specific example, in which phishing campaigns are commonly combined with C2 and backdoor malware.

The following phishing statistics give a sense of the threat in 2017:

  • 59% of phishing attacks are financially motivated; 41% are motivated by espionage
  • Phishing was involved in 70% of breaches associated with nation-states or state-affiliated actors
  • On average, 4% of people will click on the bait in a simulated phishing campaign — down from 7.3% in last year’s report
  • People who click on phishing emails are more likely to click in the future

Attackers Are Targeting End Users Across Many Industries

The DBIR breaks down data by industry and organization size, noting how the actors, motives, tactics and attack patterns vary across industries. Notable insights include the following:

  • Education – Social attacks are the second most common action type, present in 41% of breaches. The report ties this to the prevalence of cyber-espionage within this vertical.
  • Financial – Social attacks, particularly phishing, figure prominently in breaches in this industry.
  • Healthcare – According to the DBIR, the healthcare vertical is the only one in which insider threats pose a greater risk than external threats when it comes to breaches. This can be tied to the frequency of employee errors and misuse of data.
  • Manufacturing – External espionage is a major threat in this industry, and most attacks begin with phishing.
  • Professional Services – Almost half of breaches in this industry involve either phishing or pretexting.
  • Public Administration – Phishing is the top cyber-espionage action in this vertical.

Engaging End Users Through Security Awareness Training

As in years past, the DBIR makes several recommendations for educating end users and enlisting their help in breach prevention strategies:

  • Provide role-specific education and training for users likely to be targeted based on their privileges or access to data, especially those with access to employee data such as W-2s or the ability to transfer funds.
  • Increase end users’ level of skepticism.
  • Conduct regular security training and routine security audits to help prevent successful phishing attacks and miscellaneous errors.
  • Implement two-factor or multi-factor authentication for those who administer any web applications or databases — and preferably for all users in your organization.

In addition to being taught how to avoid phishing attacks, end users should be encouraged to actively report suspicious emails. According to the DBIR, only 17% of phishing campaigns were reported. Training employees to use a reporting button to flag suspected phishing emails helps reduce the amount of time a threat remains active within a corporate network. A fast response can help prevent more people from clicking on the phishing email.
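The click, report and repeat-click figures above are what a security awareness program measures in its own simulated phishing campaigns. As an added illustration (not code from this article, from Verizon, or from any phishing-simulation product), the Python below works through a small constructed event log: it computes per-campaign click and report rates, the time from send to first report, the number of clicks that happened after the first report (the window a fast takedown could have closed), and the users who clicked in more than one campaign. The event format and the sample data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of phishing-simulation events (not real data).
# Each line is "timestamp,campaign,user,event" with event in {sent, clicked, reported}.
SAMPLE_EVENTS = """\
2018-03-01T09:00:00,Q1,alice,sent
2018-03-01T09:00:00,Q1,bob,sent
2018-03-01T09:00:00,Q1,carol,sent
2018-03-01T09:00:00,Q1,dave,sent
2018-03-01T09:04:00,Q1,bob,clicked
2018-03-01T09:06:00,Q1,carol,reported
2018-03-01T09:30:00,Q1,dave,clicked
2018-04-02T10:00:00,Q2,alice,sent
2018-04-02T10:00:00,Q2,bob,sent
2018-04-02T10:00:00,Q2,carol,sent
2018-04-02T10:00:00,Q2,dave,sent
2018-04-02T10:02:00,Q2,alice,reported
2018-04-02T10:11:00,Q2,bob,clicked
2018-04-02T10:15:00,Q2,carol,reported
"""


def parse_events(text):
    """Parse the constructed CSV-style log into (timestamp, campaign, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, campaign, user, event = line.split(",")
        events.append((datetime.fromisoformat(ts), campaign, user, event))
    return events


def campaign_metrics(events):
    """Per campaign: click rate, report rate, and minutes from send to the first report."""
    by_campaign = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set(),
                                       "first_sent": None, "first_report": None})
    for ts, campaign, user, event in events:
        c = by_campaign[campaign]
        c[event].add(user)  # distinct users per event type, so double clicks are not double counted
        if event == "sent":
            c["first_sent"] = ts if c["first_sent"] is None else min(c["first_sent"], ts)
        elif event == "reported":
            c["first_report"] = ts if c["first_report"] is None else min(c["first_report"], ts)
    metrics = {}
    for campaign, c in by_campaign.items():
        n = len(c["sent"])
        first_report_min = None
        if c["first_sent"] is not None and c["first_report"] is not None:
            first_report_min = (c["first_report"] - c["first_sent"]).total_seconds() / 60
        metrics[campaign] = {
            "click_rate": round(len(c["clicked"]) / n, 3) if n else 0.0,
            "report_rate": round(len(c["reported"]) / n, 3) if n else 0.0,
            "minutes_to_first_report": first_report_min,
        }
    return metrics


def clicks_after_first_report(events):
    """Per campaign: clicks that occurred after someone had already reported the email.

    These are the clicks a fast response (pulling the message, warning users) could have prevented.
    """
    first_report = {}
    for ts, campaign, _, event in events:
        if event == "reported" and (campaign not in first_report or ts < first_report[campaign]):
            first_report[campaign] = ts
    late_clicks = defaultdict(int)
    for ts, campaign, _, event in events:
        if event == "clicked" and campaign in first_report and ts > first_report[campaign]:
            late_clicks[campaign] += 1
    return dict(late_clicks)


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: candidates for role-specific training."""
    clicks = defaultdict(set)
    for _, campaign, user, event in events:
        if event == "clicked":
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for name, m in sorted(campaign_metrics(evs).items()):
        print(name, m)
    print("clicks after first report:", clicks_after_first_report(evs))
    print("repeat clickers:", repeat_clickers(evs))
```

In a real program the events would come from the simulation platform's export rather than an inline string; the three metrics stay the same. Tracking "clicks after first report" alongside the raw click rate is what makes the case for a reporting button: every late click is one the responders had a chance to stop.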

Bryan Sartin, executive director of security professional services at Verizon, underscores the need for informed, prepared, and engaged end users in the fight against cybercrime. “Companies also need to continue to invest in employee education about cybercrime and the detrimental effect a breach can have on brand, reputation and the bottom line,” he said in a press release. “Employees should be a business’s first line of defense, rather than the weakest link in the security chain. Ongoing training and education programs are essential. It only takes one person to click on a phishing email to expose an entire organization.”

* For reference, Verizon makes a clear distinction between a security incident and a security breach. An incident is “a security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is “an incident that results in the confirmed disclosure — not just the potential exposure — of data to an unauthorized party.”