In the cyber security world, few research reports are more widely respected than Verizon's annual Data Breach Investigations Report (DBIR).
The DBIR—which is based on data from publicly disclosed security incidents, Verizon's Threat Research Advisory Center, and dozens of industry contributors—is one of the most detailed and comprehensive reports available to the security community.
So when Verizon published their 2019 DBIR, our team quickly consumed their latest findings. Having recently published our own annual PTI report, we were naturally curious to see whether Verizon's data told the same story about phishing that ours had.
This is what we found.
Phishing is Still the Number 1 Cause of Data Breaches
One of the first things we noticed when reading the latest DBIR is that phishing is only the fifth most common primary cause of security incidents. Denial-of-Service attack (DoS), data loss, C2, and misdelivery all caused more security incidents in the last year than phishing did.
But when it comes to data breaches, phishing is number one yet again. Number two is stolen credentials… and where do you think they come from? More on that later.
That's right. The headlines may be grabbed by ransomware and IoT botnets, but in reality, phishing is still the biggest cyber threat to organizations. It's popular with everyone from financially motivated criminal gangs to state-sponsored espionage groups. And all for one simple reason: it works.
According to the report, phishing had by far the highest success rate of any threat vector. During the last year, despite being the primary threat action in less than 10% of security incidents, phishing was the primary weapon in almost a third (32%) of all data breaches.
Meanwhile, DoS—which was responsible for more than half of all security incidents—resulted in almost no breaches whatsoever.
Even When it's Not Phishing… it's Phishing
When the DBIR notes that phishing was the top threat action in 32% of breaches, it doesn't mean only 32% of breaches involved phishing.
In fact, a much higher proportion of security breaches involve a phishing component. And, as the DBIR explains, many other attack vectors go hand-in-hand with it.
Most notably:
Malware: According to the DBIR primary dataset, more than half of malware is delivered by email. Most of this comes in the form of email attachments, but malicious links are also still a popular option. According to a separate dataset, submitted by a security vendor and based on millions of malware detonations, over 94% of detected malware is delivered by email. That's a pretty strong correlation.
Stolen Credentials: As we've noted, the use of stolen credentials came in at number two leading cause of data breaches. And, as the DBIR notes, perhaps the single most common technique used to acquire stolen credentials is, you guessed it, phishing.
Social Engineering: When you're as deeply embedded in the phishing world as we are, it's sometimes easy to forget that other types of social engineering exist. But here's the thing… do they really? According to Verizon's dataset, around 85% of all social engineering attacks are phishing, with pretexting making up most of the rest.
How Phishing Fits Into the Cyber Kill Chain
When threat actors attack a business network, it usually isn't a direct process. Most organizations have security protocols in place, so threat actors are usually forced to take at least a few actions before they get what they want.
According to this year's DBIR, phishing is common in the early and middle stages of attacks. It's less common in later stages, but still sometimes makes an appearance.
This stacks up with our own experience. While in some cases—such as BEC—phishing is the sole cause of a breach, it's more commonly used either as a delivery mechanism (i.e., for malware or ransomware) or as a means of stealing credentials (usually by linking to a phishing site).
According to the report, phishing:
- Is the first step in around 20% of security incidents
- Plays a role in the middle steps of a further 20%
- Is the last step in 10% of security incidents
Note that once again this is security incidents, not breaches. And as we've already explained, phishing has a very high success rate compared to other attack vectors.
A Note on BEC
One positive anecdote from this year's DBIR related to BEC scams. As we've highlighted in the past, the FBI has repeatedly warned about the dangers of BEC scams, which have reportedly cost businesses around the world billions of dollars in recent years.
However, as the DBIR points out, the most recent Internet Crime Report included a significant win for the FBI:
When the FBI's Internet Crime Complaint Center (IC3) Recovery Asset Team (it's a mouthful, we know) is involved in BEC cases, around half of victims based in the US are able to recover or freeze the majority of their lost funds.
Given the severity of the losses businesses have suffered as a result of BEC scams, it's fair to say this is an outstanding result for the IC3 and FBI.
So if you're based in the US, and you are (or have been) a victim of BEC, don't take it lying down. Get in touch with the FBI via the IC3 and see what can be done.
Are Employees Getting Better at Spotting Phish?
This is a big question.
After all the time and energy we—among others—have put into reducing phishing susceptibility, are employees any better at detecting phishing emails than they were a few years ago?
The resounding answer is yes.
Here's a direct quote from this year's DBIR:
“There is some cause for hope in regard to phishing, as click rates from the combined results of multiple security awareness vendors are going down. [...] click rates are at 3%."
Source: 2019 Data Breach Investigations Report, p. 14
Would you look at that? Phishing susceptibility down 22% in six years.
Here's the breakdown by industry:
Source: 2019 Data Breach Investigations Report, p. 32
So is that it now? Problem solved?
Clearly not. First off, despite these reduced click rates, let us recall that phishing is still the number one cause of data breaches.
Second, it's important to understand where these figures come from. These click rates are based on the results of sanctioned SAT exercises from several anti-phishing vendors. That means what we're looking at are susceptibility figures from organizations that most likely have anti-phishing programs in place already.
For organizations that don't have anti-phishing programs, rates are likely to be somewhat higher.
The DBIR also notes that click rates are significantly higher when phishing messages (whether email or SMS) are opened on mobile devices. Mobile devices make it difficult to check the authenticity of emails and web pages (e.g., by checking email headers, SSL certificates, and so on) which naturally has a negative effect on click rates.
Also, as we have noted in the past, people tend to open mobile messages reflexively (often while doing other things) and exercise much less caution than they would while using a PC or laptop.
Given the results of our most recent PTI report, this is a trend we expect to see continue in the coming years.
What Can We Learn From This?
So there you have it. Another year has gone by, bringing plenty of new and worrying cyber threats with it… and phishing is still the single biggest cyber threat to organizations. Not only is it a significant source of security incidents, it's also the most consistently effective tool threat actors have at their disposal.
Here are a few quotes from the DBIR that detail some of the preventative measures organizations can take to fight back against phishing:
“Work on improving phishing reporting to more quickly respond to early clickers and prevent late clickers. Think about reward-based motivation if you can—you catch more flies with honey."
“Monitor email for links and executables (including macro-enabled Office docs). Give your team a way to report potential phishing or pretexting."
“Understand the human factor — Not just from a phishing target standpoint. [...] Insider misuse is also still a concern, so ensure efforts are taken to routinely assess user privileges. Limit the amount of damage an employee acting inappropriately or maliciously can do with existing privileges."
Promote reporting of suspicious emails. Scan incoming emails for suspicious links and attachments. Limit user privileges.
It's almost as if someone at Verizon has been reading our blog.
On a serious note, these are vital steps that should be taken to protect your organization from the threat posed by phishing. To find out more about what you can do to fight back against phishing, click below to download our white paper.
Best Practices for Enterprise Phishing Protection White Paper
Additional Resources: