Human Error To Blame For Much Of Corporate Finance Scam, Says Verizon


The bad news keeps on coming for businesses facing cyberattacks.

The FBI released new data last week warning businesses that the business email compromise scam has led to an uptick in wire fraud. The scam resulted in $5.3 billion in attempted fraud between October 2013 and 2016.

Previous data from the FBI found that between October 2013 and May 2016, fraud attempts hit $3.1 billion. That means $2.1 billion in attempted fraud occurred in just the last seven months of 2016, a significant and scary spike.

There are other cyber threats hitting companies, many of which are targeted at smaller businesses.

Even more recent data from eSentire found that “rudimentary” cyberattacks on SMEs are among the most threatening, with seemingly simple tactics like intrusion attempts and information gathering accounting for the majority of cyberattacks on smaller companies.

Now in its tenth year, Verizon’s Data Breach Investigations Report uncovers the latest trends in cybersecurity: who is attacking whom and how. The research highlights how human error and human vulnerability remain among the biggest advantages cybercriminals have.

According to the data, 75 percent of attacks occurred from outside the enterprise, and more than half (51 percent) involved organized criminal groups. Nearly a quarter of all attacks landed at financial organizations, but there are other industries that are particularly vulnerable: health care, along with retail and accommodation businesses. Each accounted for 15 percent of data breach victims, while public-sector entities were also highly targeted.

“Cyberattacks targeting the human factor are still a major issue,” said Verizon Enterprise Solutions Executive Director, Global Security Services, Bryan Sartin in a statement when the report was released. “Cybercriminals concentrate on four key drivers of human behavior to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”

Unsurprisingly, the majority (62 percent) of data breaches were a direct result of hacking, with 51 percent involving malware. Verizon’s research also uncovered just how dangerous lackluster passwords are for the enterprise: 71 percent of hacking-related breaches involved the use of stolen or weak passwords, the report said.

Digging a bit deeper into these tactics, Verizon found that two-thirds of malware-related data breaches occurred because of malicious email attachments.

Employees who have fallen victim to those malicious email attachments or other untrustworthy links aren’t necessarily immune from repeating the mistake, either: 15 percent of workers who had clicked on some type of malicious link went on to do so a second time.

Most of these attacks (73 percent) were financially motivated, with 21 percent relating to espionage — another rising concern for companies.

One of the first and strongest lines of defense, Verizon said, is for employees to actually report when some type of suspicious activity occurs.

“This is paramount,” Verizon concluded. “You’re never going to completely stop phishing emails getting through and being clicked, but if you have a good process for detecting and handling them, they’re less likely to impact your organization.”

Yet only about a fifth of people hit with a simulated phishing scam actually reported it.

“Reporting is key to limiting the effectiveness of phishing that makes it past your email filters,” Verizon added.

Phishing scams are popular, but ransomware is also on the rise. What was once the twenty-second most common type of malware in 2014 is now the fifth most common, analysts said, with Verizon declaring “ransom notes are the most profitable form of writing.”

Another rising concern is pretexting — a tactic in which criminals engage an employee in some kind of social interaction, as in a business email compromise scam.

“Pretexting is a form of social engineering focused on creating a scenario, or pretext, to influence your target,” Verizon explained, adding that this is a common tactic found hitting finance departments and that these situations are often discovered only after the fact during financial audits.

Overall reaction to the report has been negative: “Verizon’s annual data breach report is depressing reading, again,” declared Cyberscoop. “Basic cybersecurity focus misplaced,” reacted TechTarget.

But Verizon had a more optimistic conclusion.

“Insights provided in the DBIR are leveling the cybersecurity playing field,” said Verizon Enterprise Solutions President George Fischer in a statement released at the time of the report. “Our data is giving governments and organizations the information they need to anticipate cyberattacks and more effectively mitigate cyber risk. By analyzing data from our own security team and that of other leading security practitioners from around the world, we’re able to offer valuable intelligence that can be used to transform an organization’s risk profile.”