Social Engineering

Summary

Social Engineering incidents have increased from the previous year, largely due to the use of Pretexting, which is commonly used in BEC and has almost doubled since last year. Compounding the frequency of these attacks, the median amount stolen in these attacks has also increased over the last couple of years to $50,000.

What is the same?

Phishing and Pretexting continue to dominate this pattern, thus ensuring that email remains one of the most common means of influencing individuals.

Frequency

1,700 incidents, 928 with confirmed data disclosure

Threat actors

External (100%), Multiple (2%), Internal (1%), Partner (1%) (breaches)

Actor motives

Financial (89%), Espionage (11%) (breaches)

Data compromised

Credentials (76%), Internal (28%), Other (27%), Personal (26%) (breaches)

Professional engineers?

Engineering is a beautiful combination of math and physics applied to a practical and meaningful end—or so we’re told. However, much to our parents’ disappointment, most of us are not engineers, but only an infinite collection of monkeys tied to typewriters. (Legend has it we will compose “Hamlet” by pure chance any day now. Watch your back, GPT-4.)

However, this section is about another, not-so-useful-to-society, form of engineer—the social engineer. This pattern focuses on tactics used by threat actors that leverage our innate helpful nature to manipulate and victimize us. These attackers use a combination of strategies to accomplish this: creating a false sense of urgency for us to reply or perform an action, faking a request from an authority figure, or even hijacking existing communication threads to convince us to disclose sensitive data or take some other action on their behalf. Social engineering has come a long way from your basic Nigerian Prince scam to tactics that are much more difficult to detect. This increased sophistication explains why Social Engineering continues to rise and currently resides in our top three patterns (accounting for 17% of our Breaches and 10% of Incidents).

Relevant ATT&CK techniques

Compromise Accounts: T1586
      – Email Accounts: T1586.002

Establish Accounts: T1585
      – Email Accounts: T1585.002

External Remote Services: T1133

Internal Spearphishing: T1534

Phishing: T1566
      – Spearphishing Attachment: T1566.001
      – Spearphishing Link: T1566.002
      – Spearphishing via Service: T1566.003

Phishing for Information: T1598
      – Spearphishing Service: T1598.001

Use Alternate Authentication Material: T1550
      – Application Access Token: T1550.001

Valid Accounts: T1078
      – Domain Accounts: T1078.002


Please use this bank account number going forward.

There is a common misconception when it comes to distinguishing phishing from the more complex forms of social engineering. Raise your hand if you haven’t received an email with a dubious attachment or a malicious link requesting that you update your password. Nobody? Yeah, that’s what we thought. This is phishing, and it makes up 44% of Social Engineering incidents. Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill. The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top.

One of the more complex social attacks is the BEC. In these pretexting attacks, actors leverage existing email threads and context to request that the recipient conduct a relatively routine task, such as updating a vendor’s bank account. However, the devil is in the details, and the new bank account belongs to the attacker, so all payments the victim makes to that account will make zero dents in what they owe that vendor. These types of attacks are often much harder to detect due to the groundwork laid by the threat actors prior to the attack. For example, they might have spun up a look-alike domain that closely resembles that of the requesting party and possibly even updated the signature block to include their number instead of the vendor they’re pretending to represent. These are just two of the numerous subtle changes that attackers can make in order to trick their marks—especially those who are constantly bombarded with similar legitimate requests. Perhaps this is one of the reasons BEC attacks have almost doubled across our entire incident dataset, as can be seen in Figure 36, and now represent more than 50% of incidents within this pattern.

Attack type doesn’t appear to have much of an effect on click/open rate. The median fail rates for attachment and link campaigns are 4% and 4.7% respectively, and the median click rate for data-entry campaigns is 5.8% (though the rate of actually entering data is 1.6%).

2023 Data Breach Investigations Report

Inconspicuous beginnings

Because this pattern is largely based on human-targeted attacks, it makes sense that the very first action in this pattern will be some form of phishing or pretexting email (Figure 37). In fact, email alone makes up 98% of the vector for these incidents, with the occasional sprinkling of other communication methods, such as phone, social media or some internal messaging app that some folks might be Slacking off on (cough, cough).

Two paths diverged, etc., etc.

What happens after that initial email is where things often diverge. There are two major routes that the attacks typically take. Most commonly, if the attackers are soliciting credentials and obtain them, then they will leverage those credentials to access the user’s inbox (found in 32% of incidents). The road less traveled is where—by simply using email communication—the attackers are able to spin a credible story (albeit fictitious) to convince someone to do their bidding. Persuading someone to change the bank account for the claimed recipient, for example, is found in 56% of incidents. Of course, a combination of tactics can also be used. The attackers may leverage their acquired access to a user’s inbox to look for an email chain they can hijack or search the victim’s address book to find people who can be targeted further. It’s not uncommon for attackers to add forwarding rules to make sure their activities stay undetected as long as possible, which is why …
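The forwarding-rule step described above is also where a defender can catch the intrusion in mailbox audit data. As an added detection example (not from the DBIR), this Python runs over constructed audit events in an assumed JSON-lines shape, with ORG_DOMAINS as a hypothetical list of the organization's own mail domains, and reports rules that forward externally, delete matched mail, key on finance terms, or carry a blank name:

```python
"""Flag new mailbox rules that look like BEC persistence.

Added detection example, not from the DBIR. The audit events are constructed
in a simplified JSON-lines form; the field names are assumed, not a specific
mail platform's schema. ORG_DOMAINS is a hypothetical set of internal domains.
"""
from __future__ import annotations
import json

ORG_DOMAINS = {"corp.example"}  # assumed internal domains
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}

# Constructed sample log: one rule-creation or forwarding change per line.
SAMPLE_LOG = """
{"time": "2023-03-01T09:12:00Z", "user": "alice@corp.example", "op": "New-InboxRule", "name": "Archive", "forward_to": [], "delete": false, "subject_words": ["newsletter"]}
{"time": "2023-03-01T09:13:10Z", "user": "bob@corp.example", "op": "New-InboxRule", "name": ".", "forward_to": ["bob.finance@mail.example"], "delete": true, "subject_words": ["Invoice", "payment"]}
{"time": "2023-03-01T09:14:00Z", "user": "carol@corp.example", "op": "New-InboxRule", "name": "To team", "forward_to": ["team@corp.example"], "delete": false, "subject_words": []}
{"time": "2023-03-01T09:15:00Z", "user": "dave@corp.example", "op": "Set-Mailbox", "name": "", "forward_to": ["dave@mail.example"], "delete": false, "subject_words": []}
"""


def is_external(address: str) -> bool:
    """True when the address domain is not one of the organization's own."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def rule_findings(evt: dict) -> list[str]:
    """Return the reasons an event resembles attacker persistence (may be empty)."""
    reasons: list[str] = []
    external = [a for a in evt.get("forward_to", []) if is_external(a)]
    if external:
        reasons.append(f"forwards to external {external}")
    if evt.get("delete"):
        reasons.append("deletes matched mail")  # keeps the hijacked thread out of sight
    words = {w.lower() for w in evt.get("subject_words", [])} & FINANCE_WORDS
    if words:
        reasons.append(f"matches finance keywords {sorted(words)}")
    if evt.get("op") == "New-InboxRule" and not evt.get("name", "").strip(". "):
        reasons.append("rule name blank or punctuation only")
    return reasons


def find_suspicious_rules(log_text: str) -> dict[str, list[str]]:
    """Map each user to the findings for their events, skipping clean ones."""
    findings: dict[str, list[str]] = {}
    for line in log_text.strip().splitlines():
        evt = json.loads(line)
        reasons = rule_findings(evt)
        if reasons:
            findings.setdefault(evt["user"], []).extend(reasons)
    return findings
```

Alice's archive rule and Carol's internal forward produce no findings; Bob's rule trips all four checks and Dave's mailbox-level external forward trips one, which is the kind of event worth an immediate call to the user rather than a ticket.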

Time is of the essence.

When responding to social engineering attacks (and the same could be said of most attacks), rapid detection and response are key. The importance of timely detection is highlighted by the increasing median cost of BECs, as shown in Figure 38, which has risen steadily since 2018 and now hovers around the $50,000 mark. However, unlike the times we live in, this section isn’t all doom and gloom. Fortunately for the victims, law enforcement has developed a process by which they collaborate with banks to help recover money stolen in attacks such as BEC. More than 50% of victims were able to recover at least 82% of their stolen money. This illustrates how important it is for organizations to ensure that their employees feel comfortable reporting potential incidents to security, since that willingness greatly improves the organization’s ability to respond. With this in mind, we encourage companies to step away from the “phishing exercises will continue until click rates improve” stance and adopt a more collaborative approach to security.

Why do BECs work?

Much like Ransomware, which is the monetization of access to an organization’s network, BECs are just one of the many means criminals have of monetizing access to a user’s inbox and contacts.

  • BECs can be targeted internally, meaning that the attacker will leverage a compromised employee’s email account to target their own organization by impersonating the user. We commonly see actors trying to redirect payroll deposits into an account they control.
  • Alternatively, actors can target partners by using access to an employee’s email account, so they can impersonate that user and request updates to payments in order to include their own bank account.


CIS Controls for consideration

There are a fair number of controls to consider when confronting this complex threat, and all of them have pros and cons. Due to the strong human element associated with this pattern, many of the controls pertain to helping users detect and report attacks as well as protecting their user accounts in the event that they fall victim to a phishing lure. Lastly, due to the importance of the role played by law enforcement in responding to BECs, it is key to have plans and contacts already in place.

Protect accounts

Account Management [5]
      – Establish and Maintain an Inventory of Accounts [5.1]
      – Disable Dormant Accounts [5.3]

Access Control Management [6]
      – Establish an Access Granting Process [6.1]
      – Establish an Access Revoking Process [6.2]
      – Require MFA for Externally-Exposed Applications [6.3]
      – Require MFA for Remote Network Access [6.4]

Security awareness programs

Security Awareness and Skills Training [14]

Although not part of the CIS Controls, a special focus should be placed on BEC and processes associated with updating bank accounts.

Managing incident response

Incident Response Management [17]
      – Designate Personnel to Manage Incident Handling [17.1]
      – Establish and Maintain Contact Information for Reporting Security Incidents [17.2]
      – Establish and Maintain an Enterprise Process for Reporting Incidents [17.3]
