Phishers and other fraudsters who rely on social engineering are now concentrating their attacks on C-level executives because those execs have access to a company’s most sensitive information, according to the 2019 Verizon Data Breach Investigations Report.
The research shows that senior executives are 12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches than in previous years, with financial motivation remaining the key driver. Financially-motivated social engineering attacks represent 12% of all attacks the report examined.
Senior executives are an attractive target because they often have unchallenged approval authority and privileged access into critical systems. Usually dealing with deadlines, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through, according to the report.
The Verizon research added that the increasing success of social attacks such as business email compromises (BECs -which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.
“Enterprises are increasingly using edge-based applications to deliver credible insights and experience. Supply chain data, video, and other critical – often personal – data will be assembled and analyzed at eye-blink speed, changing how applications utilize secure network capabilities,” said George Fischer, president of Verizon Global Enterprise, in a prepared statement. “Security must remain front and center when implementing these new applications and architectures. Technical IT hygiene and network security are table stakes when it comes to reducing risk. It all begins with understanding your risk posture and the threat landscape, so you can develop and action a solid plan to protect your business against the reality of cybercrime.”
Verizon provided the following key findings from the report:
- New analysis from FBI Internet Crime Complaint Center (IC3): Provides insightful analysis of the impact of Business Email Compromises (BECs) and Computer Data Breaches (CDBs). The findings highlight how BECs can be remedied. When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99 percent of the money recovered or frozen; and only 9 percent had nothing recovered.
- Attacks on Human Resource personnel have decreased from last year: Findings saw 6x fewer Human Resource personnel being impacted this year compared to last, correlating with W-2 tax form scams almost disappearing from the DBIR dataset.
- Chip and Pin payment technology has started delivering security dividends: The number of physical terminal compromises in payment card related breaches is decreasing compared to web application compromises.
- Ransomware attacks are still going strong: They account for nearly 24 percent of incidents where malware was used. Ransomware has become so commonplace that it is less frequently mentioned in the specialized media unless there is a high profile target.
- Media-hyped crypto-mining attacks were hardly existent: These types of attacks were not listed in the top 10 malware varieties, and only accounted for roughly 2 percent of incidents.
- Outsider threats remain dominant: External threat actors are still the primary force behind attacks (69 percent of breaches) with insiders accounting for 34 percent.
One thought on “Verizon Data Breach Report: Cybercriminals’ New Focus is the C-Suite”
Cybercriminals have shifted their gears and now targeting the C-Level executives. Social Engineering was one of the best ways for them to compromise C-Level email or social media accounts. But now, apart from social engineering, they have found sophisticated ways to attack and compromise.
As a Founder of Cybersecurity company, I advise my clients to be on toes and get the assessments done periodically, provide training to employees including the management and moreover focus on Red Team Assessment to know, how prepared are they if there was a real-world attack.