The average U.S. data breach cost $8.64 million in 2020—and small businesses can be targets, too
Think your business isn’t on hackers’ radar? Think again. Cybercrime has a wide reach, and anyone with data is a potential target. Check out some of the common cyberattacks used to gain access to data and dollars.
Quick Stats: Cybercrime
Backdoor
Criminals find a secret way to bypass normal security using  a “backdoor” that was created by an error, made by people who planned to exploit  it, or deliberately added for a legitimate reason.  
80%
Approximate share of websites that were put at risk of data breach due to backdoor code inserted into the official PHP Git repository in March 2021. Had it not been caught and deleted, the code would have installed backdoors into most websites, including all WordPress sites.
Denial-of-Service Attack
Criminals block people from using a program, computer, network,  or website by overwhelming the target with input (like bad passwords or website  visitors). When the DoS is distributed (DDoS), the attack comes from many sources  at once, making it harder to stop.
$100,000 
The average cost of a DDoS attack for a small to medium  business in 2018. This includes cost to fight the attack and loss of business during  the denial-of-service.
Eavesdropping
Criminals access communications that your computer sends in packets over a network. This is also known as a sniffing or snooping attack. Eavesdropping attacks can even target spoken communications via VoIP and mobile phones.
75%
Approximate share of U.S. mobile data that went through  Wi-Fi, with the rest being cellular, in 2018. (This increased during the pandemic.)  Without encryption, Wi-Fi communications are especially vulnerable to hacking.
Malware
Software designed to give criminals access to your sensitive  information, to delete your data, or to prevent you from accessing your data until  you pay the criminals (ransomware).
24%
Percentage of malware incidents that used ransomware.  Even if your data isn’t particularly valuable to thieves, they can make money off  of it by removing your access to it so that you agree to pay to get back the information  you need to run your business. 
Phishing
Phishing is a type of social engineering in which criminals  try to trick users into revealing sensitive information that will give them access  to computers, bank accounts, identities, and more. Quality phishing emails, messages,  and websites look like legitimate ways to interact with trusted people and organizations,  convincing users to type in passwords, reveal credit card numbers, and more. 
65%
Share of U.S. organizations that were the targets of  a successful phishing attempt in 2019
Social Engineering
Phishing is a form of this attack, but social engineering attacks can also happen in person, over the phone, and via text message. Often, the attacker pretends to be someone who has a legitimate need for sensitive information and presses their target to deliver the information quickly, before they can consider the consequences or verify the requester’s identity.
81%
Organizations globally that faced social engineering  attacks involving dropped USB devices. In this social engineering effort, criminals  load the USB with malware to infect the computer and network of a helpful person  who wants to find the device’s rightful owner.
Spoofing
An attacker fakes data to make themselves look like they  should have access to data. Examples include altering the sender or recipient data  in an email, making a phone call look like it came from another number, or faking  an IP address to hide the criminal’s location.
113,190,325 
Spoofed calls made by Texas company Rising Eagle in less  than 5 months in 2019 in an illegal effort to sell short-term health insurance.  The calls factored into a $225 million fine from the FCC in March 2021.
DNS Hijacking
Criminals use weaknesses in the Domain Name System  (DNS) to send visitors to a malicious webpage instead of the one they intended to  visit. The switch may not be immediately obvious if criminals want to collect sensitive  information, or the page may be clearly wrong but have already put the user’s information  at risk. 
79%
Share of 900 surveyed global organizations that experienced DNS attacks in 2020
Privilege Escalation
Also called privilege elevation, this attack sees a user  with a lower level of access exploit some vulnerability to give themselves a higher  level of access so they can get to restricted information they don’t have permission  to see. 
110 
Days it took HP to successfully patch a high-impact privilege-escalation  vulnerability in its driver software that exposed millions of computers and printers  worldwide after the vulnerability was reported in February 2021.
Direct-Access Attacks
The criminal directly accesses a computer—usually physically—and  can download data or install surveillance programs and malware.
61%
Share of U.S. employees who said they give friends or  family access to devices issued by their employers, creating an opportunity for  an attack or accidental breach.  