2021 Phishing & BEC Attacks

I’ve been very busy this summer, which is why I’m just now reading the 2021 Verizon Data Breach Investigations Report. Here are a few takeaways from the section about the “Social Engineering” attack pattern (read: phishing).

“Phishing is responsible for the vast majority of breaches in this pattern, with cloud-based email servers being a target of choice.”

I think we all saw this one coming. What I didn’t expect was the emphasis on cloud email servers. Breaches as a result of successful Social Engineering (phishing) attacks are up from last year and have been up every year since 2017. The authors of the report aren’t sure why cloud email services/servers are such a focus, but we have our own theories we’ll outline in the next paragraph.

“Additionally, Social Engineering attacks often result in the loss of Credentials. This pattern saw those stolen credentials used in both Hacking and Malware attacks.”

And there it is. We believe cloud email services/servers are a focus because it gives attackers the ability to launch follow-on attacks like Business Email Compromise and Ransomware. What better way to convince employees that the CFO needs gift cards than the use the CFO’s actual email account?

“On the other hand, that Phishing email may have also been dropping Malware, which tends to be a Trojan or Backdoor of some type…”

This statement aligns with the threat intelligence we gather by analyzing malicious email attachments. A lot of malicious email attachments are not directly ransomware. Often, the attacker wants to first trick the user into installing malware that allows them remote access to the network. Once the bad actors have remote access, they can come and go as they please and move around the corporate network looking for the most impactful systems to compromise.

“Pretexting, normally associated with the BEC also makes a strong showing.”

By “strong showing,” the authors of the Verizon DBIR report mean that BEC accounts for about 17% of the breaches caused by social engineering. By contrast, the breaches caused by traditional phishing are about 82%. So, yes, BEC makes a strong showing but it’s still a distant second to phishing. To be fair, the frequency of BEC attacks is rising dramatically and the impact of them is far easier to measure than other forms of compromise.

“…real phishing may be even more compelling than simulations. In a sample of 1,148 people who received real and simulated phishes, none of them clicked the simulated phish, but 2.5% clicked the real phishing email.”

This little gem jumped right off the page. I think user education is an important piece of defending an organization against phishing but far too many businesses use it as a compensating control for better detection using machine learning, etc. Users can absolutely help defend the enterprise but they should be the last few inches of defense, not the last mile.