Specialist insurer Beazley has reported a nine-fold increase in data breaches due to social engineering in the first to third quarters of this year.
In the first three quarters of 2016, attacks involving social engineering – a form of attack that relies on human interaction and often involves tricking someone into breaking security protocols – accounted for only 1% of the incidents handled by Beazley Breach Response (BBR) Services. This soared to 9% of the 2,013 incidents reported to BBR Services – Beazley’s dedicated in-house team that helps clients manage data breaches – in Q1-Q3 2017, the specialist insurer said in a press release on Tuesday.
According to the Beazley Breach Insights – October 2017 report, professional service firms had the highest percentage of social engineering breaches (18%), followed by financial institutions (9%) and higher education institutions (9%).
Fraudsters use social engineering attacks to prey on employees’ roles in their companies in order to orchestrate the disclosure of sensitive information or the wire transfer of money to criminal recipients, Beazley reported. These exploits generally take one of two forms, Beazley said in the release. The first, W-2 scams, typically occurs during the months leading to tax filing deadlines when criminal use targeted emails to persuade a specific company employee to forward copies of all the company’s employees’ W-2 forms. This can often result in criminals being able to file false tax returns, based on the improperly forwarded W-2 information to claim refunds. The second category – fraudulent instruction – occurs when a fraudster impersonates a trusted party, such as a company executive or payment system vendor, to cause a fraudulent payment, often a wire transfer, to be made into the fraudster’s account.
“Social engineering can be quicker, easier and cheaper to implement for cybercriminals than stealing data and can be much more lucrative,” said Katherine Keefe, global head of BBR Services, in the release. “As a leading data breach insurer, Beazley is concerned at the rapid development of this trend. We are urging our clients to implement tighter security and internal process controls, such as a requirement for dual authorization, and ensure that their employees are fully trained to spot potential attacks in order to reduce the chances of this happening.”
Hacking and malware remained the most prevalent cause of data breach during the first nine months of 2017 – at 34% of the total reported to Beazley. This category includes cyber extortion, which accounted for 30% of these attacks. Unintended disclosure remained a major cause of breaches, despite having dipped slightly from 35% in Q1 2017 to 29% for the first nine months of 2017.
Raf Sanchez, international breach response service manager at Beazley, noted in the release that trends seen in the United States are also playing out in the United Kingdom and continental Europe. “Phishing and social engineering continue to be the main sources of attack, with higher education establishments and the public sector, which often hold the most sensitive and therefore the most valuable data, particularly affected,” he said.
By sector, hacking and malware was on the rise for financial institutions. Hacking and malware attacks as a proportion of the total number of data breaches reported to Beazley by financial institution clients rose to 46% in the first nine months in 2017, up from 40% in the same period in 2016. Consistent with the overall findings of Beazley’s Breach Insight report for the third quarter of 2017, social engineering emerged as the fastest growing trend, representing 9% of all breaches.
In healthcare, at 41% of the total number of breaches reported to Beazley by organizations in the sector, the high level of unintended disclosure is unabated and remains more than double that of the second most frequent cause of loss – hacking or malware (19%). Beazley also noted an upturn in the number of data breaches caused by insiders, up from 12% of the total in 2016 to 15% in 2017.
In the higher education sector, phishing remains a prevalent cause of data breach for institutions. Higher education incidents so far this year have involved one specific type of phishing scheme targeting employee direct deposit instructions. Attackers gain access to an employee’s email inbox through phishing, determine the type of payroll/human resources system that the institution uses, request a password reset for the employee’s login to the system and divert the electronic deposit of the employee’s paycheque, Beazley said by way of example.
For professional services organizations, the highest percentage cause of breaches in Q1-Q3 2017 was hacking and malware at 48%. However, social engineering has emerged as a “worrying trend,” Beazley said in the release, accounting for 18% of all breaches reported to Beazley by firms operating in this sector, and almost double that recorded for financial institutions and higher education establishments.