Why go through all the technical trouble of finding a vulnerability, escalating privileges, and exfiltrating data when impersonation can just as easily lead to captured credentials?
This, it seems, is the question many hackers have been asking themselves in recent years.
Verizon’s 2023 Data Breach Investigations Report revealed that 74% of the breaches the company recorded between November 1, 2021 and October 31, 2022 involved the “human element,” such as privilege misuse, social engineering, and stolen usernames and passwords. That is a decline from last year’s DBIR, which found the human element in 82% of breaches, but the continued person-to-person trickery suggests that the old-school con still appeals to a wide swath of bad actors.
“It’s a maneuver that doesn’t require really any technical skills. Anybody can pull it off as long as they can be convincing,” said Chris Novak, managing director of Verizon Cyber Security Consulting.
Whoa, so many pretexts in a row. Verizon’s analysis also noted an uptick in “pretexting.”
Not a practice draft of a breakup message, pretexting is the act of fooling a victim—often with urgency—into believing a bogus narrative, such as:
Hey, I’m the CEO and I need you to pay this invoice quickly! Or, Your family member has been hurt and needs funds wired to a foreign hospital!
Phishing relies on a suspicious email attachment; pretexting impersonates family, friends, colleagues, and other trusted, known parties.
In email-compromise pretexting, for example, actors may use an existing email thread—a familiar context to request a seemingly routine task like changing a vendor’s bank information.
According to last year’s data-breach report from Verizon, pretexting made up 27% of recorded social-engineering incidents. This year’s report showed that the pretext made up more than 50% of incidents, surpassing phishing.
Not a tech person. To be sure, many data breaches require technical expertise: scanning for a zero-day vulnerability, gaining access, and moving laterally to a connected system, for example.
Take attacks on the logging utility Log4j, which the Verizon report also detailed: 0.003% of honeypot-captured scanning activity was probing for that vulnerability, which was disclosed in late 2021.
“If you go the human element angle, in many cases, you’re convincing someone to just wire you money, and they do it,” Novak told IT Brew.
Along with fire drills and simulations, Novak emphasized the importance of layered security controls and checks and balances to combat the human hackers.
“For example, in the case of someone doing the fraudulent wire transaction, instead of one person being able to initiate the wire, you have one person that sets it up, and another person that has to review it,” said Novak.
Collaboration—another human element.
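The two-person wire control Novak describes, combined with the vendor bank-detail change from the email-compromise example above, as an added Python illustration that is not from the article or from Verizon: the request, verification and approval helpers, the `beneficiary_changed` flag and the employee names are all assumed for the example.

```python
from dataclasses import dataclass
from typing import Optional

class ApprovalError(Exception):
    """Raised when a wire request fails a separation-of-duties check."""

@dataclass
class WireRequest:
    request_id: str
    initiator: str             # employee who set up the wire
    vendor: str
    amount: float
    beneficiary_changed: bool  # bank details differ from those on file (assumed flag)
    verified_out_of_band: bool = False  # vendor confirmed on a known-good number
    reviewer: Optional[str] = None
    state: str = "pending"

def initiate(request_id: str, initiator: str, vendor: str, amount: float,
             beneficiary_changed: bool = False) -> WireRequest:
    """First person sets up the wire; nothing is paid at this stage."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    return WireRequest(request_id, initiator, vendor, amount, beneficiary_changed)

def mark_verified(req: WireRequest, verifier: str) -> WireRequest:
    # Someone other than the initiator confirms new bank details using the
    # contact details already on file, not those in the requesting email.
    if verifier == req.initiator:
        raise ApprovalError("initiator cannot verify their own request")
    req.verified_out_of_band = True
    return req

def approve(req: WireRequest, reviewer: str) -> WireRequest:
    """Second person reviews: the initiator can never sign off alone."""
    if req.state != "pending":
        raise ApprovalError(f"request {req.request_id} is already {req.state}")
    if reviewer == req.initiator:
        raise ApprovalError("initiator may not approve their own wire")
    if req.beneficiary_changed and not req.verified_out_of_band:
        raise ApprovalError("changed bank details need out-of-band verification")
    req.reviewer = reviewer
    req.state = "approved"
    return req

def is_releasable(req: WireRequest) -> bool:
    """Funds move only after an approval by a different employee."""
    return req.state == "approved" and req.reviewer not in (None, req.initiator)
```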