The 2025 Verizon Data Breach Investigations Report (DBIR), issued in late April 2025, analyzed the highest number of breaches ever in a single report, with 12,195 confirmed data breaches out of 22,052 security incidents. Especially noteworthy was that the human element was involved in 60% of incidents, down from the 68% reported in the 2024 DBIR. That said, the social engineering of insiders increased from 12% in 2024 to 18% of recorded incidents, with this avenue of attack becoming “commonplace” in the public administration sector.

This 18th annual report leverages the VERIS framework (Vocabulary for Event Recording and Incident Sharing) to analyze data from various global contributors, aiming to present a broad understanding of the challenges organizations face. The VERIS framework is a structured set of metrics designed to provide a common language for describing security incidents, enabling organizations to collect, analyze, and share incident-related information.

The tactics used to engage users included pretexting, phishing, prompt bombing, and third-party manipulation. Espionage, not a recognized category within the VERIS framework, accounted for 17% of all analyzed breaches.

Pretexting

The report highlights how pretexting continues to be the tactic used by adversaries to social engineer the behavior of insiders. To be clear, pretexting involves building a believable scenario and putting it in front of the target. This may include leveraging existing communication or contextual information, which results in the insider revealing sensitive or privileged information or performing a given action (sharing files, transferring funds).

Phishing

The advance of artificial intelligence has served to improve the quality of phishing emails, which are on the increase. Phishing accounted for approximately 15% of the “initial access vector” of reported incidents. Thus, phishing used in tandem with pretexting remains a significant threat vector.

Prompt Bombing

A tactic reported as being on the increase in the 2025 report is prompt bombing, where the user receives numerous multifactor login requests from an adversary. The adversary’s goal is to wear down the user and have the user simply approve one of the requests so that the barrage of requests will stop. The technique was successful in more than 20% of the incidents reported in the 2025 DBIR.

It is especially noteworthy that this technique is often associated with nation state attacks.
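
One way to spot this pattern in MFA push logs, as an added example that is not from the DBIR or the original article: alert when a user receives a burst of rejected or unanswered push requests, and escalate when an approval follows the burst. The event fields, result values ("denied", "timeout", "approved") and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_REJECTED = 5                # assumed burst threshold

# Constructed sample events: (ISO timestamp, user, push result)
SAMPLE_EVENTS = [
    ("2025-05-01T02:10:00", "alice", "denied"),
    ("2025-05-01T02:10:40", "alice", "timeout"),
    ("2025-05-01T02:11:30", "alice", "denied"),
    ("2025-05-01T02:12:10", "alice", "denied"),
    ("2025-05-01T02:13:00", "alice", "timeout"),
    ("2025-05-01T02:14:20", "alice", "denied"),
    ("2025-05-01T02:15:00", "alice", "approved"),  # user gives in
    ("2025-05-01T09:00:00", "bob", "denied"),      # ordinary mis-tap
    ("2025-05-01T09:00:30", "bob", "approved"),
] + [(f"2025-05-01T1{h}:{m}:00", "carol", "timeout")  # slow trickle, no burst
     for h, m in [(0, "00"), (0, "20"), (0, "40"), (1, "00"), (1, "20")]]


def detect_prompt_bombing(events, window=WINDOW, min_rejected=MIN_REJECTED):
    """Return alerts as (user, kind, rejected_count, timestamp)."""
    recent = defaultdict(deque)  # user -> times of recent non-approved pushes
    alerts = []
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if result == "approved":
            # An approval right after a burst is the outcome the adversary wants.
            if len(q) >= min_rejected:
                alerts.append((user, "approved_after_barrage", len(q), ts_raw))
            q.clear()
        else:
            q.append(ts)
            if len(q) == min_rejected:  # fire once as the burst crosses the threshold
                alerts.append((user, "barrage_in_progress", len(q), ts_raw))
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

An "approved_after_barrage" alert is the case to treat as a likely compromised session; "barrage_in_progress" indicates the user's password is probably already known to the requester.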

Third party

Incidents involving a third party (i.e., an external vendor or partner) accounted for roughly 30% of all reported incidents, up from 15% in 2024. This highlights the very real risk posed by the interconnectedness with external entities and their alignment, or not, with appropriate security postures.

Costs

Though the report placed the average cost to an entity as relatively modest, the potential for long-term business interruption and continued exploitation (multiple bites from the apple by the adversary) argues that the cost may be significantly more.

FSO’s action required

Year over year, we see that the human element remains present in far too many reported incidents, suggesting that the technologies employed continue to rely on users to make everyday decisions that impact overall security. This should serve as a klaxon call to Field Security Officers (FSO) to take on board the DBIR’s suggestion that training to raise user security awareness is not for naught and that clear reporting mechanisms made available to users are crucial defenses.

FSOs must make sure the training provided to their constituents covers the right topics (checking, for example, whether it is outdated, whether it is relevant to their field, and whether it includes adversary tactics) and that the reporting mechanisms available to the insider are accessible and easy to use.

Additionally, the security posture of third-party contractors, vendors, or partners should be part of all contract negotiations and should be subject to periodic review and evidence-based alignment.

Finally, the report strongly suggests that entities utilize the VERIS framework to ensure consistency of collected and analyzed security incidents, which in turn allows for informed decision-making as one manages risk.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.