
10 Critical Learnings From Verizon’s 2021 DBIR — A DMARCReport Perspective

As DMARCReport, we closely monitor threat trends that directly impact email security — especially those that exploit human behavior, credential theft, and social engineering. Verizon’s 2021 Data Breach Investigations Report (DBIR) provides a wealth of insights, many of which align closely with the risks we help our clients mitigate. Below are ten key takeaways, along with our analysis and recommendations, framed to help organizations strengthen their defenses.

1. Social Engineering Surged, Especially Business Email Compromise (BEC)

Verizon ranked social engineering among the leading breach patterns (denial-of-service led the incident count, not breaches) and found that credentials were involved in 61% of breaches.
Phishing was present in 36% of all confirmed breaches, a major jump from 25% the previous year.

DMARCReport’s take:

  • Attackers are increasingly relying on human manipulation rather than purely technical exploits.
  • BEC is particularly alarming: Verizon notes that misrepresentation, the core BEC tactic, increased 15 times year over year.
  • This signals that organizations must go way beyond technical controls: security awareness training, phishing simulations, and real-world scenario preparation are essential.

Our recommendation:

  • Publish a DMARC record at _dmarc.yourdomain with an enforcing policy (p=quarantine or p=reject) so receivers flag or block mail that spoofs your domain; p=none only reports and stops nothing.
  • Maintain a regular phishing-awareness program for all users, especially executives and finance teams.
  • Combine training with simulated BEC attacks that mimic real misrepresentation scenarios (a fake invoice or a payment-change request from a "vendor"), not just generic phishing.
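To make the first recommendation concrete, here is an added example (our illustration, not DMARCReport's own tooling) that parses a DMARC TXT record as published at _dmarc.<domain> and flags the settings that leave spoofing unblocked: p=none, a partial pct, an explicit sp=none on subdomains, and a missing rua address (no aggregate reports). The records in the usage at the bottom are constructed.

```python
"""Parse a DMARC TXT record and flag settings that weaken enforcement.

Added example, not DMARCReport's code. The record strings below are
constructed; tag names follow RFC 7489.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    tags: dict[str, str]
    findings: list[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        # Spoofing is only blocked when quarantine/reject applies to 100% of mail.
        return (self.tags.get("p") in ("quarantine", "reject")
                and self.tags.get("pct", "100") == "100")


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict with lowercase keys."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


def assess_dmarc_record(txt: str) -> DmarcAssessment:
    """Return the parsed tags plus a list of weaknesses a receiver would honour."""
    tags = parse_dmarc_record(txt)
    result = DmarcAssessment(tags)
    policy = tags.get("p")
    if policy is None:
        result.findings.append("missing p= tag; receivers treat the record as invalid")
    elif policy == "none":
        result.findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        result.findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    # sp= defaults to p=, so only an explicit weaker subdomain policy is a gap.
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        result.findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        result.findings.append("no rua= address: you receive no aggregate reports")
    return result


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=25; sp=none",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        a = assess_dmarc_record(rec)
        print(rec, "->", "enforcing" if a.enforcing else "NOT enforcing", a.findings)
```

Run it against your own record (`dig +short TXT _dmarc.yourdomain`) as a quick pre-flight before you rely on the policy; a record that is not enforcing gives you reports but no protection.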

2. Credentials Are a Primary Target — Especially in Web Applications

Verizon’s 2021 data shows that default, stolen, or weak credentials continue to be a top vector for web application exploitation.
Attackers are compromising web application layers, cloud-based apps, and customer-facing portals. When they gain access through credentials, they can escalate or pivot to more damaging breaches.

DMARCReport’s take:

  • Credential-based attacks remain one of the most powerful tools for attackers because compromised credentials offer direct access.
  • Even if your applications are well-coded, poor credential hygiene or weak authentication exposes you.

Our recommendation:

  • Encourage or enforce strong password policies + multi-factor authentication (MFA) across all systems.
  • Regularly monitor for leaked credentials (via breach notification services) and force resets when needed.
  • Use DMARC aggregate report data to spot unexpected sources sending as your domain. Be clear about what it cannot show: a mailbox taken over with stolen credentials sends through your own servers and passes SPF, DKIM and DMARC, so pair report monitoring with sign-in and mailbox-rule alerting. Email account takeover feeds directly into BEC.

3. Human Error: The Biggest Risk Factor

Verizon highlights that roughly 85% of breaches involve a human element in some form.


When a user clicks a malicious link, misuses privileges, or is socially engineered, they often become the entry point for attackers.

DMARCReport’s take:

  • Technical defenses are crucial, but people remain the weakest link in many security chains.
  • Attackers exploit behaviors, not just vulnerabilities — and that makes risk management more complex.

Our recommendation:

  • Invest in a holistic security culture: regular security training + reporting + reinforcement.
  • Set up incident response playbooks tailored to human-initiated threats (e.g., what happens when a user reports a suspicious email).
  • Use aggregated DMARC data to identify sending sources that keep failing SPF/DKIM alignment for your domain: a legitimate service that is misconfigured, or an outside source abusing your domain.

4. Financially Motivated Attacks Dominate

The 2021 DBIR reported that financially motivated attackers often combine web app attacks, system intrusion, social engineering, and DoS in their strategies. 

Ransomware, BEC, and other profit-driven threats are not just opportunistic; they are increasingly sophisticated.

DMARCReport’s take:

  • As long as there’s financial payoff, threat actors will continue to refine hybrid attacks that blend social engineering + technical exploitation.
  • Your security investments cannot focus on only one type of attack: you must be prepared for multi-vector threats.

Our recommendation:

  • Prioritize risk assessments to identify your most valuable assets (data, systems, user groups) and tailor your defense strategy accordingly.
  • Use DMARC policies along with other controls (e.g., network segmentation, least privilege access) to limit the blast radius of an intrusion.
  • Continuously review your DMARC aggregate reports for new or unknown sources sending as your domain. Aggregate reports are keyed by source IP, not by mailbox, so for high-risk users such as finance staff add mailbox-level monitoring as well.

5. Malware Incidents Are Climbing — Especially with New Vectors

Verizon noted a 26% increase in malware attacks compared to previous years. 

This suggests threat actors are expanding their tactics rather than sticking to old-school malware delivery: more often the payload arrives through social engineering, with a phished user, not a software flaw, as the trigger.

DMARCReport’s take:

  • Modern malware campaigns are not limited to classic vectors: phishing + human compromise are deeply integrated.
  • The convergence of social engineering and malware makes email-based defenses more critical than ever.

Our recommendation:

  • Enable advanced email security solutions (like sandboxing, attachment scanning) to catch more aggressive or evasive malware.
  • Combine technical controls with behavioral ones: when a user clicks a link, have a system that flags abnormal download activity.
  • Use DMARC aggregate reports to see which sources are sending as your domain, and watch for volume spikes from unknown sources during a campaign. Note the scope: reports cover only mail that uses your domain, not phishing sent to you from domains you do not control.

6. Misuse of Privileges Is a Growing Concern

Another alarming trend: misuse of access increased significantly in 2021. Attackers increasingly exploit legitimate user privileges — or insiders may themselves act maliciously — for financial benefit or revenge.
This includes insiders making unauthorized changes, exfiltrating data, or using their access in unintended ways.

DMARCReport’s take:

  • Not all threats come from outside. Privilege misuse can be external or internal.
  • Effective security requires zero trust and continuous monitoring: trusting users just because they have credentials is no longer sufficient.

Our recommendation:

  • Implement role-based access control (RBAC) and the principle of least privilege.
  • Monitor and alert on anomalous behavior (e.g., privileged accounts being used at odd hours, or excessive access/downloads).
  • Do not expect DMARC to catch a compromised mailbox. Mail sent from a hijacked internal account through your own servers is aligned and passes DMARC; what aggregate and failure reports do reveal is outside infrastructure spoofing your domain. For account misuse, monitor sign-ins, new mailbox forwarding rules, and unusual send volumes at the mail platform and identity provider.
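The aggregate-report triage that sections 2, 3 and 4 recommend, and the distinction this section turns on, as an added example (our illustration, not DMARCReport's code). It parses a constructed RFC 7489 aggregate report for example.com and buckets each source: aligned mail (which includes anything a hijacked mailbox sent through your own relays, invisible to DMARC), a known sender failing alignment under p=reject (a misconfiguration that is costing you legitimate mail), and an unknown source failing alignment (spoofing). The IP ranges in KNOWN_SENDERS and the report contents are assumptions.

```python
"""Triage a DMARC aggregate (rua) report: who is spoofing the domain, and which
legitimate sender is misconfigured.

Added example, not DMARCReport's code. The XML is a constructed report in the
RFC 7489 Appendix C format; KNOWN_SENDERS is an assumed inventory of your own
and authorised third-party sending infrastructure.
"""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET

KNOWN_SENDERS = {
    ipaddress.ip_network("198.51.100.0/24"),  # assumption: your own mail relays
    ipaddress.ip_network("203.0.113.10/32"),  # assumption: a CRM SaaS that sends for you
}

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mail.receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>45</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def _known_sender(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SENDERS)


def triage_report(xml_text: str) -> dict[str, list[tuple[str, int]]]:
    """Bucket each <record> by what it tells you.

    aligned       passed DMARC; also where a hijacked mailbox relayed through
                  your own servers lands, which is why DMARC cannot flag it
    misconfigured a known sender failing alignment (fix its SPF/DKIM, or it is
                  being rejected under p=reject)
    spoofing      an unknown source failing alignment: someone impersonating you
    """
    root = ET.fromstring(xml_text)
    buckets: dict[str, list[tuple[str, int]]] = {"aligned": [], "misconfigured": [], "spoofing": []}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        if "pass" in (dkim, spf):
            buckets["aligned"].append((ip, count))
        elif _known_sender(ip):
            buckets["misconfigured"].append((ip, count))
        else:
            buckets["spoofing"].append((ip, count))
    return buckets


def spoofed_volume(buckets: dict[str, list[tuple[str, int]]]) -> int:
    """Messages receivers saw that impersonated the domain from unknown sources."""
    return sum(count for _, count in buckets["spoofing"])


if __name__ == "__main__":
    b = triage_report(SAMPLE_REPORT)
    for bucket, rows in b.items():
        print(f"{bucket:14s} {rows}")
    print("spoofed messages:", spoofed_volume(b))
```

Two things fall out of the buckets that the report alone does not make obvious: the misconfigured CRM sender is losing 300 messages under p=reject and needs its SPF include or DKIM key fixed, and the 1,200 aligned messages are a blind spot rather than a clean bill of health if one of those mailboxes is in an attacker's hands.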

7. Lack of Employee Training Amplifies Risk

Unsurprisingly, Verizon found a correlation between insufficient security awareness/training and breach frequency.
When employees are not regularly educated about phishing, social engineering, or the dangers of credential reuse, the door stays open for attackers.

DMARCReport’s take:

  • Training is not a one-time checkbox. Security threats evolve rapidly, and so must your training strategy.
  • Simulated attacks, real-life case studies, and context-specific training (e.g., BEC vs. spear-phishing) are more effective than generic modules.

Our recommendation:

  • Conduct regular phishing simulations that evolve with threat intelligence.
  • Share DBIR-style findings and real-world breach stories with employees to highlight the relevance of training.
  • Use DMARC aggregate data to ground training in your own domain: the external sources that spoof it show staff exactly what impersonation of your brand looks like, while legitimate services failing alignment are configuration gaps for the service owners to fix, not a user-training issue.

8. Web Apps, VPNs & Remote Desktop Are Prime Attack Vectors

Verizon’s DBIR identifies web applications, VPNs, and desktop sharing tools as significant vectors for breaches.
This is especially relevant in a world where work-from-home (WFH) has become the norm, increasing exposure.

DMARCReport’s take:

  • Remote infrastructure increases risk. Services like VPNs and remote desktop tools are critical but often misconfigured or inadequately protected.
  • Web applications offer a scalable attack surface, especially when credential-based attacks are rampant.

Our recommendation:

  • Audit remote access tools (VPNs, RDP) for configuration issues, patching, and access control.
  • Strengthen web app security by enforcing MFA, encrypting traffic, and performing regular code audits.
  • Monitor DMARC aggregate reports for new sources sending as your domain (atypical IPs, unfamiliar third-party services) and for legitimate services whose SPF or DKIM has drifted. A compromised account that sends through your own mail servers will pass DMARC; detect that at the mail platform and identity provider.

9. Web Servers Are Highly Targeted — But Personal Devices Are Catching Up

Verizon found that web servers remain a top target among organizational assets.
However, with WFH, user devices (often personal ones) have become a more frequent point of compromise, typically through phishing that then leads to account takeover and BEC.

DMARCReport’s take:

  • The hybrid reality (office + remote) means attackers exploit whichever avenue is weak, and often that is a user’s personal device.
  • Email remains a central pivot in these attacks: once a device is compromised, the victim’s own mailbox can be used to send malicious email internally or externally, and because it goes through your servers it is fully authenticated.

Our recommendation:

  • Enforce security hygiene on remote devices: antivirus, disk encryption, and updates.
  • Define and communicate a clear BYOD (Bring Your Own Device) security policy.
  • Use DMARC aggregate reporting for what it does cover: mail using your domain from sources you do not own. A compromised endpoint sending through the corporate mailbox looks legitimate to DMARC, so detect that with endpoint and mail-platform telemetry instead.

10. Privilege Misuse and Espionage Are No Longer Fringe Risks

The DBIR not only flagged misuse of legitimate access but also observed a 98% rise in privilege misuse and a 66% increase in cyber-espionage.
These aren’t just low-level thefts: some involve insiders, or advanced threat actors, exfiltrating sensitive data.

DMARCReport’s take:

  • Espionage and strategic misuse reflect a shift: not all attackers are financially motivated — some are goal-oriented, long-term, and patient.
  • Once privileged accounts are compromised, the damage can be immense: loss of intellectual property, regulatory exposure, or reputational risk.

Our recommendation:

  • Monitor for abnormal privileged account behavior and implement just-in-time (JIT) access where possible.
  • Use threat intelligence and user behavior analytics to flag potential espionage.
  • Use DMARC failure (forensic) reports for what they contain: they are sent only for messages that fail, so they show outside sources spoofing your domain, not a privileged account sending authenticated mail. Correlate persistent unknown sources with identity and mailbox telemetry; a stealthy intrusion surfaces there first.
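The mailbox-side monitoring that this section and section 6 recommend as the complement to DMARC, as an added example (our illustration, not DMARCReport's code). It runs three checks over constructed sign-in and mailbox-configuration events: a privileged sign-in outside business hours, a sign-in from a country absent from the user's baseline, and creation of a forwarding rule to an external address, a common step in email account takeover. The field names, the baseline, the business-hours window and the addresses are assumptions, not any vendor's log schema.

```python
"""Flag account activity that DMARC cannot see: an attacker signed in with
stolen credentials sends fully authenticated mail from the victim's mailbox.

Added example, not DMARCReport's code. EVENTS is a constructed sample; the
field names, baseline and business-hours window are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sign-in / mailbox-configuration events, timestamps in UTC.
EVENTS = [
    {"user": "cfo@example.com", "ts": "2021-05-10T14:15:00Z", "country": "US",
     "action": "signin", "privileged": True},
    {"user": "cfo@example.com", "ts": "2021-05-11T03:40:00Z", "country": "NG",
     "action": "signin", "privileged": True},
    {"user": "cfo@example.com", "ts": "2021-05-11T03:42:00Z", "country": "NG",
     "action": "forwarding_rule_created", "privileged": True,
     "target": "collector@mail.example.net"},
    {"user": "analyst@example.com", "ts": "2021-05-11T14:00:00Z", "country": "US",
     "action": "signin", "privileged": False},
]

# Assumed baseline built from prior weeks: countries each user normally signs in from.
BASELINE_COUNTRIES = {"cfo@example.com": {"US"}, "analyst@example.com": {"US"}}
# Assumption: a US-based finance team, roughly 08:00-18:00 Eastern expressed in UTC.
BUSINESS_HOURS_UTC = range(12, 23)
INTERNAL_DOMAINS = {"example.com"}


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_account_anomalies(events: list[dict], baseline: dict[str, set[str]] = BASELINE_COUNTRIES) -> list[str]:
    """Return one alert string per rule hit; an empty list means nothing unusual."""
    alerts: list[str] = []
    for e in events:
        user, ts = e["user"], _parse_ts(e["ts"])
        if e["action"] == "signin":
            if e["country"] not in baseline.get(user, set()):
                alerts.append(f"{user}: sign-in from new country {e['country']} at {e['ts']}")
            if e["privileged"] and ts.hour not in BUSINESS_HOURS_UTC:
                alerts.append(f"{user}: privileged sign-in outside business hours at {e['ts']}")
        elif e["action"] == "forwarding_rule_created":
            target_domain = e["target"].rsplit("@", 1)[-1].lower()
            if target_domain not in INTERNAL_DOMAINS:
                alerts.append(f"{user}: new external forwarding rule to {e['target']} at {e['ts']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_account_anomalies(EVENTS):
        print(alert)
```

Every message the attacker then sends from cfo@example.com passes SPF, DKIM and DMARC, so none of these three signals will ever appear in a DMARC report; they have to come from the identity provider and the mail platform's audit log.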

Final Thoughts: What This Means for Email Security

From the standpoint of DMARCReport, Verizon’s 2021 DBIR underscores a sobering reality: email is at the heart of many of today’s most dangerous attacks. Whether it’s BEC, phishing, credential theft, or deeper intrusions driven by privilege misuse — all roads often lead through the inbox.

To defend against these risks, organizations need to adopt a multi-layered strategy:

  1. Enforce strong DMARC policies (quarantine or reject) to reduce impersonation risk.
  2. Continuously analyze DMARC reports, both aggregate and failure reports, for unusual or risky behavior.
  3. Prioritize security awareness training, especially for phishing and BEC.
  4. Strengthen access control through MFA, least-privilege models, and just-in-time access.
  5. Secure web, email, and remote infrastructure, keeping in mind the hybrid workforce.

If your organization is not yet fully leveraging DMARC or hasn’t yet aligned its security operations with the threat landscape revealed by the DBIR — now is an excellent moment to act. At DMARCReport, we’re committed to helping organizations make sense of DMARC data, spot emerging risks, and build stronger email hygiene. Reach out to us if you’d like to discuss how your DMARC posture can be optimized in light of these findings.
