Hacker working on computer showing Verizon DBIR on social engineering and ransomware

Verizon DBIR 2023: Social Engineering Attacks Exploding, Ransomware Doubles in Cost

The annual Verizon DBIR (Data Breach Investigations Report) provides further confirmation that attackers are showing a renewed interest in social engineering, particularly in conjunction with business email compromise (BEC) attacks. However, it’s far from time to put ransomware to bed. Though the amount of attacks appears to be leveling off after a “gold rush” during the Covid-19 pandemic period, the average financial damage of a breach has doubled and is almost certain to cost organizations at least $1 million to remediate.

2023 Verizon DBIR: BEC, ransomware caused by “human element” are the leading threats

The annual Verizon DBIR is one of the primary indicators of recent trends in the cyber threat landscape, particularly among profit-seeking criminals. The 2023 report analyzes a total of 16,312 security incidents that took place from late 2021 to late 2022; 5,199 of these were confirmed data breaches.

Social engineering “pretexting” incidents have been on a substantial upswing since 2020, but made a very big jump during this year’s report period. The majority of these incidents are part of a BEC attack of some sort, and this category of attacks nearly doubled in number from the prior Verizon DBIR.

Regardless of the approach attackers use, 74% of the successful attacks logged in the newest Verizon DBIR penetrated defenses due to human error of some sort. Attackers are first and foremost looking for stolen credentials, which were deployed in almost 50% of these breaches. Phishing took place in only about 15% of these attacks, and exploitation of known vulnerabilities in software occurred in fewer than 10%.

Ransomware incidents did not grow in number during this period, but held steady as compared to the prior Verizon DBIR numbers (taking place in nearly one quarter of breaches). What did grow is the size of the average ransom demand and the average total cost to the victim.

Ransomware victims can now expect incidents to cost them somewhere between $1 million to about $2.5 million, even as insurance coverage becomes more and more difficult to obtain.

As Bhaven Panchal, Senior Director of Service Delivery for Cyware, notes: “With the median costs of ransomware attacks doubling since last year and reaching the million-dollar range, the new Verizon DBIR once again highlights the upward inflationary trend of the cost of data breaches. Another striking revelation is the prevalence of the human element as the contributing factor behind breaches, whether it be through errors, privilege misuse, use of stolen credentials, or social engineering. It is imperative for organizations to accelerate their security processes and plug visibility gaps in their environments. The operationalization of threat intelligence, threat response automation, and security collaboration are going to help drive this change toward a more resilient cyberspace for all.”

83% of the Verizon DBIR incidents were attributed to external actors, about 70% were conducted by an organized crime group, and a decisive 94.6% were clearly for financial gain. Nation-state attackers, who generally focus on long-term espionage, were responsible for fewer than 10% of the recorded incidents.

Chad McDonald, CISO of Radiant Logic, notes one other item of interest that is new to this year’s study: “One alarming stat from the 2023 DBIR is the rise in Privilege Misuse and Fraudulent Transactions, up 10% from 2022. For trusted actors in an organization to conduct these fraudulent transactions, they must have a level of privilege that allows access. This means that either the employee’s privileges were not monitored, or the threat actor was able to steal coworkers’ credentials and misuse them to follow through with their ambitions. Either way, this should be an alarming realization to organizations that have neither the spare time nor money to safeguard their assets against their own trusted insiders. Organizations can address this issue by creating full visibility into all users and their access privileges in an approachable, user-friendly way. Once this is accomplished, IT teams can be set up to streamline the management process of identities and ensure access privileges are in the right hands–and quickly revoked when needed.”

Social engineering not yet a leading threat, but numbers grow as phishing and malware defenses improve

While social engineering pretexting did double in  quantity, it still sits below the total Verizon DBIR count of phishing incidents and well below the count of ransomware attacks. It is now more commonly seen than successful exploitation of known vulnerabilities, however, and is likely taking “market share” from areas where there are general improvements in organizational awareness and defenses.

The Log4J incident illustrates this. There was initial fear of widespread exploitation given how relatively easy it was to take advantage of, pressing IT teams all over the globe into duty over the holidays to ferret out and patch instances of it. However, during the prime Log4J period, overall vulnerability exploitation actually dropped to a 5% share of incidents. A corresponding increase in the use of stolen credentials during this time indicates that criminals are having such reliable success with that route, they often don’t even need to look at a juicy known software vulnerability.

Another area of the Verizon DBIR that demonstrates the growth of social engineering is an increase in the “asset share” of personnel that are directly attacked, particularly those working in finance. This group is involved in nearly 10% of attacks now, well above the total of other employees or end users that are targeted. Web applications remain the top action vector by far, however, followed by email servers.

Thus far, 98% of the recorded social engineering approaches open with an email. Social engineering attacks also tend to target certain industries more heavily than others: IT, professional fields, finance and retail are much more likely to be targeted by pretexting attempts than most other industries.

The average social engineering attack is still capturing a much smaller share of ill-gotten booty than the average ransomware attack: just $50,000. But it is also now 10% of the overall attempts logged by the Verizon DBIR, and 17% of total incidents that progressed to actual breaches. Though the range of this particular data ends just before ChatGPT became available, the rise of AI tools is extremely likely to feed a boom of pretexting attacks that impersonate company executives, family members and acquaintances to inspire trust in targets.

Roy Akerman, Co-Founder & CEO of Rezonate, notes that both social engineering and credential loss due to data breach are expected to remain as common threats into the foreseeable future: “Identity remains the leading reason for security breaches, yet tools and tactics remain the same, and organizations struggle to deploy and further mature their identity security programs. A shift in approach is required – a holistic, automatic approach to identity management and trusted identities is important now and will be for years to come.”