Verizon 2025 DBIR: Key Takeaways for Modern Email Security

Verizon's 2025 Data Breach Investigations Report reveals how attackers continue to exploit human behavior. Here’s what defenders need to know.
April 25, 2025

Another year, another set of breach statistics that drive home the same undeniable truth: threat actors are still overwhelmingly successful because of human behavior.

But while the storyline is familiar, the 2025 Verizon Data Breach Investigations Report (DBIR) sharpens the focus in ways that deserve attention, especially for security teams tasked with defending the inbox.

Here are the key takeaways from this year’s report, and what they mean for organizations looking to stay one step ahead.

Credential Compromise and Phishing: Old Tactics, Ongoing Success

Credential theft remains the path of least resistance, and phishing is still the most effective way to get there.

According to the report, stolen credentials were used in nearly one-third of breaches, making their use the third most common technique for initiating a breach. Phishing, the method by which many of those credentials are acquired, appeared in 14% of breach cases. And with email identified as the attack vector in 27% of breaches, second only to web applications, it’s plain to see that the inbox remains a preferred entry point.

These are the very threats most organizations believe they’re already protecting against. But the numbers tell a different story. The continued success of credential-based attacks suggests that traditional defenses—like secure email gateways and basic multi-factor authentication—are no longer sufficient. If phishing and credential abuse are still this prevalent, too much is still getting through.

As phishing continues to be a launchpad for credential theft, account takeover, and downstream compromise, organizations relying on rules-based detection or user vigilance are playing a dangerous game. On top of that, with the increasing availability of generative AI tools, attackers can now generate highly convincing phishing messages at scale, making them even harder to detect and even easier to believe.

The Human Element: Cybercrime’s Most Reliable Target

Perhaps the most consistent finding from this year’s report is that the human element continues to be a major contributor to breaches, playing a role in 60% of cases.

This encompasses a wide range of actions and decisions, from clicking on phishing links to reusing passwords to inadvertently exposing sensitive data. Among breaches involving human error or manipulation, 30% involved credential abuse and 23% involved social actions like phishing or pretexting. Additionally, people were the second most common target of attacker efforts, involved in 24% of breaches.

All of these data points make one thing clear: attackers are consistently focusing their efforts on manipulating or compromising individual employees, whether to gain access, exfiltrate data, or move laterally within an organization. Cybercriminals don’t need to exploit complex technical flaws when they can exploit trust, urgency, or routine.

If people remain the primary vector of compromise, organizations need to acknowledge that even the most security-conscious employee can still be deceived. Training is important, but it isn’t sufficient by itself. Detection needs to happen before engagement.

The Success of Social Engineering: Trust as a Weapon

The report also highlights just how effective social engineering attacks continue to be. In 2024, there were 4,009 social engineering incidents, and 85% of those resulted in confirmed data disclosure. That’s not just a volume problem; it’s a success rate problem. These attacks are working, and they’re working well.

Among incidents driven by external threat actors, 22% involved social engineering tactics, reinforcing the idea that impersonation, deception, and manipulation remain core elements of modern cybercrime. Phishing was the top tactic, used in 57% of social engineering incidents, followed by pretexting in 30%, which often manifests in business email compromise (BEC) scenarios where attackers impersonate executives or vendors to request wire transfers or sensitive data.

Today’s social engineering attacks are strategic, contextual, and increasingly personalized. The high success rate highlights the inadequacy of security tools that rely on detecting known indicators or static threat signatures.

Third-Party Compromise: A Growing Threat

One of the most significant changes in this year’s report was the rise in breaches involving external partners. In 2024, 30% of breaches involved a third party, up from just 15% the previous year. That’s a 100% increase year-over-year—an alarming trend that highlights how attackers are exploiting trust-based relationships between organizations and their vendors.

What makes these attacks particularly dangerous is their subtlety. A message from a compromised vendor doesn’t raise the same red flags as one from a stranger. In fact, it often looks exactly like every other email in the thread. Attackers use real accounts, real context, and real message history to execute attacks that bypass technical controls and deceive even the most discerning employees.

Trust is no longer a reliable signal, and legacy tools that evaluate messages based solely on sender reputation or known indicators are fundamentally unprepared to detect this type of abuse. Defending against third-party compromise requires a solution that can baseline normal behavior across both internal and external communications and spot when something seems off.

Why Behavioral AI Is Essential for Defense

This year’s DBIR doesn’t just confirm long-standing attack trends; it validates a core truth of modern security: people are still the most consistently exploited vulnerability. It also shows us that:

  • Credential theft is still rampant.

  • Email is still a primary vector.

  • Social engineering is still highly effective.

  • Vendors are increasingly being used as backdoors.

For security leaders, the message is apparent. Defenses need to adapt—not just to new threats, but to new tactics being used in old ones. Legacy defenses that rely on threat signatures, allowlists, or employee judgment can’t keep up with the scale and sophistication of today’s attacks, especially when AI gives attackers the tools to impersonate, deceive, and adapt faster than ever.

What’s needed is a solution that understands not just the contents of a message, but the context in which it was sent. At Abnormal, we take a fundamentally different approach to email security. By baselining known-good behavior across the entire email environment, our platform understands how your employees normally communicate and can flag anything that deviates from that baseline.

We don’t just stop emails with known malicious links or bad sender reputations. We stop subtle, socially-engineered threats that bypass traditional tools. With the findings in this year’s DBIR as context, the case for behavior-based detection has never been stronger.

Interested in learning more about how Abnormal AI can protect your organization? Schedule a demo today!
