Once hackers can access an employee's e-mail, they use it to get a password reset from the company's payroll provider, then change the employee's inbox forwarding rule to send all e-mails from the payroll provider to the employee's junk mail. Then hackers are free to change the employee's direct deposit bank account details to their own, and clean out the account.

Hackers are also targeting employee W-2 information so that they can use it to file fraudulent tax returns; attacks on W-2s represented 9 percent of all breaches Beazley handled during the first quarter of the year.

Beazley reports that most direct deposit phishing attempts took place in the higher education sector, where hacks and malware caused 48 percent of data breaches in the first quarter—close to the 50 percent of breaches executed in Q1 of 2016.

Ransomware—the infection of a business's computer system with malware that prevents the business from accessing its data until it pays a ransom—was up 35 percent in Q1 2017 over Q1 2016, and has targeted multiple industries.

The health care industry is its own worst enemy in protecting patient data, and suffers more from unintended disclosure—which accounted for 45 percent of incidents in the first quarter—than it does from any other individual cyber threat, thanks to misdirected faxes and e-mails or improper release of discharge papers.

In addition, insiders are a big threat, accounting for 13 percent of breaches in Q1 compared with 10 percent in Q1 of 2016. Hacking and malware accounted for 16 percent of breaches.

Financial institutions hit with data breaches aren't exactly on top of the mark either, with 31 percent of breaches the result of unintended disclosure—sending bank account details or personal information to the incorrect recipient.

And that's actually escalating, too; in Q1 of 2016, only 26 percent of breaches resulted from unintended disclosure. But hacks and malware did account for the lion's share of problems, with 39 percent of events resulting from outside intervention.

Beazley suggests that organizations need to be more diligent in deploying detection and prevention tools; using threat intelligence services; training managers and employees on cybersecurity and threat awareness; and conducting risk assessments focused on identifying and protecting sensitive data.