Last week, Verizon published their annual Data Breach Investigations Report (DBIR), analyzing 29,207 security incidents and 5,258 data breaches from 2020. The DBIR, as always, does an excellent job at providing insight at both the skyscraper and blade-of-grass level. Findings from the 2021 DBIR hammer home the presence of email as either the attack vector of choice for cybercriminals or as fertile ground for human error.
A Preponderance of Phishing
Verizon defines ‘actions’ as the tactics an attacker uses to bring about a security incident or breach. Analyzing actions across 4,073 breaches, the DBIR found phishing to be the most common action, involved in 36% of breaches (up from 25% last year). This sobering stat comes on the heels of the FBI reporting that complaints about phishing and related attacks grew by 110% in 2020.
The Verizon DBIR team writes:
“This increase (in phishing) correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect.”
This aligns with trends observed by the Armorblox threat research team. Not only have phishing attacks increased overall, but attackers have also used COVID-related themes to induce fear and urgency in victims and make their social engineering succeed.
Fig: Phishing is the number one threat action, involved in 36% of breaches
The other actions in the graph above are also noteworthy. Phishing attacks go hand in hand with the use of stolen credentials. More than 60% of all breaches involved credential data. If we focus just on social engineering incidents (n = 3,841), then credentials were compromised in a whopping 85% of cases.
Unfortunately - and unsurprisingly, if you’ve been paying attention to recent news - ransomware made a huge jump to 10% this year, roughly doubling last year’s number. Ransomware actors are growing more malicious and intrepid by the minute, now choosing to target critical infrastructure and “name and shame” their victims into paying ransoms or risk affecting the lives of millions of people.
BEC Hits the Big Time
Business Email Compromise (BEC) was the second most common form of social engineering recorded in the 2021 DBIR. Along with Phishing, the report tracks Pretexting and Misrepresentation as attacker tactics - the 2021 report found the occurrence of Misrepresentation 15 times higher than last year in Social incidents. Of the 58% of BEC attacks that successfully stole money, the median loss was $30,000, with 95% of BECs costing between $250 and $984,855. Earlier this year, the FBI reported $1.86 billion in BEC and EAC related losses in 2020.
Since 2013, BEC has grown and cemented itself as a URL-free variant of email attack that is often easier to execute and offers scammers a higher likelihood of financial reward. Gabe Bassett, senior information security data scientist for the Verizon Security Research team and co-author of this year's Verizon DBIR, said:
“There's definitely a continued shift for the attackers toward the most efficient attacks and methods of monetization. Breaches are moving away from complexity, toward simplicity.”
Fig: Phishing and Pretexting drive the BEC juggernaut
In the graph above, note the small proportion of Spam among overall social engineering techniques used. It’s important to remember two things about spam mail:
- It’s a high volume, low success variant of ‘bad email’ that’s more a nuisance than it is dangerous.
- Built-in email security from Microsoft and Google already does an effective job of stopping most spam and graymail.
With BEC doubling for two years in a row according to the DBIR, it’s evident that the battlefield has shifted from spam (if it was ever there in the first place).
Industries With Vulnerable Inboxes
The 2021 DBIR provides illuminating data breach breakdowns for various industries. The numbers point to more than a few industries struggling under the onerous weight of phishing and social engineering:
- Roughly 50% of breaches in the Education sector were social engineering attacks. Around 80% of these social engineering breaches involved Pretexting as a tactic, which is heavily associated with BEC.
- Around 40% of breaches in the Manufacturing sector started with a Social attack, of which 75.4% were phishing attempts.
- Breaches in the Mining, Quarrying, and Oil & Gas Utilities sector were beset by social engineering, which accounted for 86% of breaches in these verticals.
- Over 69% of breaches in the Public Administration sector involved social engineering, with phishing and pretexting being the almost-exclusive tactics used.
Won’t Somebody Please Think of the People?
We apologize for burying the lede, but the most revealing finding of the 2021 DBIR was that 85% of breaches (n = 4,492) involve the human element. Whether it was social engineering meant to alter human behavior, misdelivered sensitive information due to human error, or BEC making humans an active (albeit unintentional) participant in the attack - the human layer has emerged as the most attacked and most vulnerable part of the organization.
Fig: 85% of breaches involved the human element
Speaking to Dark Reading, Gabe Bassett said:
"Transitioning to the cloud changes the security mentality: Traditionally businesses have been focused on securing the computer. When they move to the cloud, that computer is no longer theirs. Moving to the cloud refocuses more clearly on the human element."
The Armorblox threat research team has observed the human layer being targeted by email attacks in manifold ways - by attackers pretending to be trusted entities, using free online services, and replicating commonly occurring email workflows to lull victims into a false sense of security.
Guidance and Recommendations
A hundred-page humdinger of a report with breach data can’t be distilled into a few points of recommendation, but here are some security hygiene tips from the Armorblox team to get you started:
- Follow MFA and password management best practices: Deploy multi-factor authentication (MFA) on every business and personal account that supports it. Use password management software to store your account passwords, and never reuse a password across sites or accounts. Avoid passwords that reference publicly available information about you (date of birth, anniversary date, etc.) or generic strings such as ‘password123’ or ‘YourName123’.
- Watch out for social engineering cues: As most inboxes today are overflowing with unreads, we know that ‘read every email rationally’ is not realistic advice. Nonetheless, everyone should try to engage with emails related to money or data requests in a circumspect manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. why is the IRS asking for my social security number over email, why is a known vendor changing bank account details the day before an invoice is due, etc.).
- Be prepared to be a victim: If you or your organization are victims of a BEC attack, contact the originating financial institution as soon as fraud is recognized to request a recall or reversal. File a detailed complaint with www.ic3.gov. Never make any payment changes without verifying the change with the intended recipient. Regularly visit the IC3 website for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations or industries.
- Augment native email security with additional controls: For better protection coverage against targeted email attacks like BEC, EAC, and 0-day credential phishing, organizations should invest in technologies that take a materially different approach to threat detection from that of built-in email security controls like Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO). Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
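The ‘eye test’ in the second tip above (sender name, sender address, language in the email, logical inconsistencies such as a vendor changing bank details right before an invoice is due) can be partly mechanised as a triage check that a mail gateway or SOC analyst runs before a human ever reads the message. The following is an added example written for this summary, not code from Verizon, Armorblox or any product they mention. The trusted-domain list, the keyword lists, the score weights and both sample messages are constructed assumptions; the only library used is Python's standard `email` package.

```python
"""Heuristic BEC/phishing triage for a raw RFC 822 message (added example).

Scores the same cues a human applies in the 'eye test': a display name that
carries a different address than the From header, a Reply-To pointing
elsewhere, a sender domain that merely resembles a trusted one, and
money/credential language combined with urgency.  Higher score = more
suspicious.  All lists and weights below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the (hypothetical) organisation does business with.
TRUSTED_DOMAINS = {"example.com", "vendor-example.com"}

# Language that accompanies payment diversion and credential requests.
MONEY_TERMS = re.compile(
    r"\b(wire|bank account|routing number|invoice|payment|gift card|"
    r"social security|ssn|password)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|immediately|asap|today|before (the )?end of (the )?day|"
    r"do not (call|phone))\b", re.I)

# Assumed weights; tune against your own mail flow.
WEIGHTS = {"name_mismatch": 3, "replyto_mismatch": 2,
           "lookalike_domain": 4, "money_terms": 1, "urgency": 1}
FLAG_THRESHOLD = 4


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg):
    """Join all text/plain parts of the message into one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw):
    """Return {'score', 'reasons', 'flag'} for a raw message string."""
    msg = message_from_string(raw)
    reasons, score = [], 0

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # Cue 1: the display name itself contains an address on another domain.
    name_addr = re.search(r"[\w.-]+@([\w.-]+)", from_name or "")
    if name_addr and name_addr.group(1).lower() != from_dom:
        reasons.append("display name carries a different address than From")
        score += WEIGHTS["name_mismatch"]

    # Cue 2: replies would go somewhere other than the apparent sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        score += WEIGHTS["replyto_mismatch"]

    # Cue 3: sender domain is not trusted but is a near-miss of one that is.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        close = sorted(d for d in TRUSTED_DOMAINS if _edit_distance(from_dom, d) <= 2)
        if close:
            reasons.append(f"sender domain {from_dom} resembles trusted {close[0]}")
            score += WEIGHTS["lookalike_domain"]

    # Cues 4 and 5: money/credential language and pressure to act now.
    body = _body_text(msg) + "\n" + msg.get("Subject", "")
    if MONEY_TERMS.search(body):
        reasons.append("money or credential terms in body/subject")
        score += WEIGHTS["money_terms"]
    if URGENCY_TERMS.search(body):
        reasons.append("urgency or 'do not call' language")
        score += WEIGHTS["urgency"]

    return {"score": score, "reasons": reasons, "flag": score >= FLAG_THRESHOLD}


# Constructed sample messages (not real traffic).
SUSPICIOUS_MAIL = """\
From: "pat@vendor-example.com" <billing@vendor-examp1e.com>
Reply-To: pat.finance@mail-example.net
To: ap@example.com
Subject: Updated bank account details for tomorrow's invoice
Content-Type: text/plain; charset="utf-8"

Hi, we changed banks. Please send the payment for invoice 4471 to the new
routing number below today. Do not call, I'm in meetings all day.
"""

BENIGN_MAIL = """\
From: Pat Finance <pat@vendor-example.com>
To: ap@example.com
Subject: Invoice 4471 attached
Content-Type: text/plain; charset="utf-8"

Hi, the invoice for last month's work is attached. Same account details as always.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(label, triage(raw))
```

The score is deliberately additive rather than a single rule: a lone "invoice" in a body is normal for accounts payable, but a lookalike domain plus a foreign Reply-To plus "do not call" is the profile the DBIR's pretexting numbers describe. Flagged messages should be held for the verification step in the third tip (confirm any payment change with the intended recipient out of band) rather than simply deleted.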
For more email security tips, threat research, and industry trends, join the Armorblox mailing list.
If you’re reevaluating your email security stack and are interested in augmenting your built-in email security, get started with a free 2-week Armorblox risk assessment below.