Social Engineering Statistics By Security Spending, Cost, Attacks, Causes and Best Practices

Written by Saisuman Revankar

Updated · Feb 11, 2025

Edited by Rohan Jambhale (Editor)

Introduction

Social engineering is when criminals use tricks or manipulative tactics to get people to share private or sensitive information. Although these methods have changed with technology, the goal remains the same: to deceive people and steal important details. Social engineering has been the top method hackers and malware have used to take advantage of people and devices since the start of computer networks. However, it was only widely recognized and discussed as a serious threat in the past five to ten years.

In this article, we will look at Social Engineering Statistics to give a complete overview of the dangers that come with this type of attack. By learning about these risks, you can better protect yourself and take steps to prevent falling victim to cyber-attacks.

Editor’s Choice

  • 18% of cyberattacks focus on web-based software and email services.
  • Smishing, or phishing via text messages, impacts 76% of businesses worldwide.
  • In the second quarter of 2023, Microsoft was the most copied brand in phishing scams. (MSSP Alert)
  • Phishing makes up 44% of social engineering attacks and is the third most common method in breaches involving digital currencies.
  • Social engineering attacks cost companies an average of USD 130,000.
  • In the third quarter of 2023, attackers used these methods: phishing websites (54%), phishing emails (27%), social media scams (19%), and instant messaging hoaxes (16%).
  • 68% of hackers say that multi-factor authentication and encryption are the biggest challenges they face.
  • LockBit’s attacks grew by 3.5%, while BlackCat’s attacks increased by 5.4% in 2023.
  • France had the highest number of ransomware attacks in 2024, with 74%.
  • Google blocks about 100 million phishing emails each day.
  • 90% of data breaches happen because attackers target people’s actions or mistakes to get sensitive business information.
  • People who work in education are the most likely to open phishing emails, while employees in healthcare and retail are less likely.
  • On average, companies face more than 700 social engineering attacks annually, or about 2.7 attacks every day. (Firewall Times)
  • Men are more than twice as likely as women to fall for phishing scams. (KnowBe4)
  • The number of phishing attacks increased by 54% in the first half of 2023 compared to the second half of 2022, from 482.2 million to 742.9 million attacks.

What Is Social Engineering?

In information security, social engineering is when people are tricked into doing something or sharing private information through psychological manipulation. It’s a type of scam used to collect data, commit fraud, or get unauthorized access to systems. Unlike traditional scams, social engineering is often just one part of a bigger fraud plan. It’s also described as any action that persuades someone to do something, even if it’s not in their best interest.

Figure: Social engineering in 4 stages (Source: splunk.com)

A study from 2023 showed that social engineering will be a major challenge in the next decade. As this threat grows, it will be more important for businesses and governments to understand and handle social engineering, especially because it could affect global politics. This raises concerns about whether we can make the right choices if the information we rely on is manipulated or biased.

The increase in social engineering attacks makes it clear that we need new ways to spot them and better cybersecurity training for everyone.

Common Types of Social Engineering Attacks

  • Ransomware Attacks: Harmful software locks a victim’s files, and the attacker demands money to unlock them.
  • Phishing Attacks: Fake emails are sent to many people, tricking them into giving away private details.
  • Spear Phishing: A more personalized phishing attack where the scam uses personal information to appear more convincing.
  • CEO Fraud/Whaling: Hackers pretend to be top executives to persuade employees to do things like transfer money.
  • Business Email Compromise (BEC): Similar to CEO fraud, the attacker hacks an executive’s email account to make requests seem real.
  • Smishing: Phishing through text messages, where the attacker tries to get the victim to share private info or click on a harmful link.
  • Vishing: Voice phishing is when the attacker calls and pretends to be someone trustworthy to steal personal information.
  • Baiting: The attacker leaves something, like a USB drive with malware, in a place where the victim will pick it up.
  • Piggybacking/Tailgating: The attacker sneaks into a restricted area by following someone who is allowed in.
  • Pretexting: The attacker makes up a believable story to trick the victim into giving out personal details.
  • Quid Pro Quo/Tech Support Scams: The attacker offers a service, like tech help, in exchange for sensitive information.
  • Scareware: Malware is disguised as legitimate software, often offered for free, to trick people into installing it.
  • Watering Hole Attacks: The attacker infects websites that their target frequently visits, hoping to compromise their device.

General Social Engineering Statistics

  • Social engineering is behind 98% of cyberattacks.
  • Almost all cyberattacks (98%) use social engineering, like phishing or baiting, to trick people into granting access to systems.
  • Social engineering is used in 70% to 90% of data breaches, where it’s easier to trick an employee than to break into a system directly.
  • In 2023, 84% of US organizations experienced at least one phishing attack via email.
  • Companies face over 700 social engineering attacks every year, which means more than two attacks daily.
  • Social engineering attacks can cost businesses around USD 130,000 in stolen money or damaged data. Major breaches can cost even more.
  • Phishing, where attackers trick people into sharing information, causes 36% of all data breaches.
  • Men are more likely than women to fall for phishing attacks. They are 225% more likely to give their login details when tricked.
  • Facebook is the most commonly impersonated brand in phishing attacks, making up 18% of fake websites.
  • Amazon leads as the most imitated brand in phishing emails, accounting for 17.7% of phishing attempts.
  • In 86% of companies, at least one employee clicked on a phishing link, even if it didn’t lead to a full breach.
  • 12% of external attackers use phishing to get into company systems, along with other methods like stolen passwords.
  • Employees at small businesses are 350% more likely to be targeted by social engineering attacks than those in large companies.
  • Pretexting, where attackers make up fake stories to steal information, is responsible for 50% of social engineering attacks.
  • CEOs are targeted by phishing attacks about 57 times annually or more than once a week.
  • Around 84% of phishing websites appear secure because they use SSL certificates, which show “https” in the URL.

Figure: The most common delivery methods and cybersecurity vulnerabilities causing ransomware infections worldwide (Reference: secureframe.com)

  • 86% of companies deal with bulk phishing, where the same phishing email is sent to many employees.
  • IT staff are targeted by social engineering attacks around 40 times per year or about three times a month.
  • 69% of breaches in the public sector happen because of social engineering attacks.
  • Smishing, phishing through text messages, affected 76% of businesses in 2022, up from 75% the previous year.
  • In 2023, 74% of companies faced social media-based social engineering attacks.
  • Only 53% of employees can correctly identify phishing, and even fewer know what smishing (23%) and vishing (24%) are.
  • 11% of companies hit by phishing attacks were fined due to not following data security regulations.
  • Just 56% of companies offer security training to their employees, and only 35% test employees using phishing simulations.
  • Spear phishing, a more targeted type of phishing, is used in 95% of successful attacks on enterprise networks.
  • Business Email Compromise (BEC) attacks have a 28% open rate, much higher than the 12% average for phishing emails.
  • 15% of people who receive BEC attack emails end up replying to them, showing how convincing these emails can be.
  • Most replies to BEC emails come from entry-level sales staff (78%).
  • 36% of replies to BEC attacks come from employees who have already fallen for a similar attack.
  • 64% of identity management experts need to learn the best ways to reduce phishing risks, like using two-factor authentication.

Global Share of Organizations Losing Sensitive Information

Figure: Share of organizations worldwide that have experienced a loss of sensitive information as of February 2023, by country (Reference: sci-tech-today.com)

  • In 2023, Sweden had the highest percentage of organizations losing sensitive information, with 87% affected.
  • Worldwide, 63% of companies experienced a loss of sensitive data.
  • Germany came in second, with 85% of organizations impacted.

Security Spending And Cost Statistics

  • The average cost of a data breach worldwide in 2024 is USD 4.88 million, which is 10% higher than last year.
  • On average, each person affected by a data breach costs USD 165, which is USD 1 more than in 2022.
  • The average cost of a ransomware breach in 2024 is USD 5.13 million, 13% higher than the year before.
  • Cyber insurance premiums in the US grew by 50% in 2022, reaching USD 7.2 billion.
  • When remote work contributes to a data breach, the average cost is USD 173,074 higher.
  • The global security market is projected to reach USD 424.97 billion by 2030.

Figure: Global cybersecurity spending (Reference: cybersecurityventures.com)

  • Companies using AI and automation for security pay 2.2% less in breach costs.
  • Organizations that use a zero-trust security model save an average of USD 1.76 million in breach costs compared to those that don’t.
  • A data breach can cause a company to lose USD 1.3 million in business on average.
  • Hospitals spend 64% more on advertising in the two years following a data breach.
  • Phishing attacks are the most expensive, costing USD 4.9 million on average in 2023.
  • Large companies spend about USD 2,700 per employee each year on cybersecurity.
  • The biggest cost of a cyberattack is the loss of information, which makes up 43% of the total cost.
  • For small companies (with fewer than 500 employees), the average cost of a breach increased from USD 2.92 million in 2022 to USD 3.31 million.
  • For large companies (with more than 25,000 employees), the average cost of a breach dropped from USD 5.69 million in 2022 to USD 5.42 million.

Figure: Security budgeting as a percent of the IT budget, split into 3 tiers (Reference: venturebeat.com)

  • After a data breach, 57% of companies increased the prices of their products or services.
  • The cost of a data breach in Canada fell by 9%, from USD 5.64 million to USD 5.13 million.
  • In 2024, the US had the highest average data breach cost at USD 9.36 million. The Middle East is second with USD 8.75 million.
  • Spending in the cybersecurity industry is expected to reach USD 87 billion in 2024, an 8% increase from 2023.
  • A 2023 report found that 97% of cybercriminals are motivated by money.

Social Engineering Attacks By Type Statistics

Figure: Distribution of social engineering attacks worldwide in 2023, by type (Reference: statista.com)

  • In 2023, scams made up 50% of all social engineering attacks worldwide, making them the most common type of cyberattack in this group.
  • Phishing came in second, with 35.5% of the attacks, while business email compromise (BEC) accounted for almost 11% of all spear-phishing attacks.

Causes Of Cyber Attacks By Companies In The US

Figure: Primary cause of cyberattacks encountered by companies in the United States in 2023 (Reference: sci-tech-today.com)

  • In 2023, the biggest cause of cyberattacks on US companies was unpatched security weaknesses. Also, 22% of attacks had an unknown cause, making it a significant factor in these incidents.

| Reason | Share |
| --- | --- |
| Unpatched vulnerability | 23% |
| Root cause unknown | 22% |
| Phishing | 20% |
| Other (e.g. pixel, device theft, skimmers) | 17% |
| Misconfiguration | 6% |
| Brute force/credential stuffing | 3% |
| Social engineering | 3% |
| Human error/unintended recipient | 3% |
| Employee abuse of access privileges | 2% |
| Open RDP | 1% |

Ransomware And Malware Attack Statistics

  • In 2023, 83% of people hit by ransomware paid the attackers, either directly, using cyber insurance, or with the help of a negotiator. More than half of them paid at least USD 100,000.
  • The most common amount paid for ransomware was between USD 25,000 and USD 99,999, making up 44% of the total payments.
  • In 2023, the average cost of a data breach reached USD 4.45 million, setting a new record.
  • Almost half of businesses plan to increase their security spending after experiencing a breach.
  • In 2023, small businesses with fewer than 500 employees saw the average cost of a data breach rise by 13.4%, from USD 2.92 million to USD 3.31 million.
  • In 2023, the total amount paid in ransomware attacks topped USD 1 billion.
  • In the fourth quarter of 2023, only 29% of ransomware victims paid the ransom, which was the lowest percentage ever.

Figure: Annual share of organizations affected by ransomware attacks worldwide from 2018 to 2023 (Reference: statista.com)

  • Thirty-three percent of companies said they would consider paying the ransom depending on the situation.
  • Only 7% of organizations planned to increase their spending on ransomware protection technologies significantly next year.
  • Thirty-eight percent of companies plan to keep their current spending on ransomware protection.
  • In the second quarter of 2023, the average ransom paid more than doubled, from about USD 328,000 in the first quarter to over USD 740,000 in the second quarter.
  • LockBit was the most active ransomware group in 2023, responsible for 19.2% of all attacks.
  • BlackCat was the second most active group, responsible for 18.4% of ransomware attacks.
  • Medusa was behind 5.5% of ransomware attacks in 2023.
  • Play accounted for 4.6% of ransomware attacks in 2023.
  • Together, LockBit and BlackCat made up 38% of all ransomware attacks in 2023.
  • After France (74%), South Africa came second with 69%, and Italy had 68%.
  • The countries with the lowest attack rates were Brazil (44%), Japan (51%), and Australia (54%).
  • Nine countries reported fewer ransomware attacks in 2024 than in 2023.
  • Five European countries—Austria, France, Germany, Italy, and the U.K.—saw higher attack rates, with Germany’s increase being less than 1%.

Statistics On IoT, DDoS, And Other Attacks

  • Using stolen credit card details is the most common type of cyber threat, followed by ransomware and phishing attacks.
  • DDoS (Distributed Denial of Service) attacks were the most frequent type of cyberattack in 2022, with 6,248 attacks reported.

Figure: Ransom DDoS attacks and threats by quarter (Reference: cloudflare.com)

  • DDoS attacks targeting application layers grew by 15% in the second quarter of 2023.
  • Attacks on cryptocurrency companies increased by 600% in the first quarter of 2023, along with a 15% rise in HTTP DDoS attacks.
  • 19% of data breaches involve insiders or people within the company.
  • In December 2022, there were more than 10.54 million attacks on Internet of Things (IoT) devices globally.

Figure: Mean time to identify and contain data breaches worldwide from 2017 to 2023 (Reference: sci-tech-today.com)

  • About 58% of IoT attacks were aimed at stealing cryptocurrency.
  • The average smart home faces more than 12,000 hacker attempts every week.
  • In 2021, 30% of known zero-day vulnerabilities targeted mobile phones.
  • Insider threats, whether accidental or intentional, account for 43% of all data breaches.
  • Hackers exposed over 24 billion passwords in 2022, with 64% of passwords being between eight and 11 characters long.

Mitigation Strategies and Best Practices

To effectively fight social engineering attacks, organizations should use a mix of technology, employee training, and strong rules. Here are some key actions to help reduce the risk of these attacks:

  1. Use Advanced Security Tools: Implement tools like Multi-Factor Authentication (MFA), email filters, and behavior tracking to detect and stop social engineering attacks.
  2. Train Employees Regularly: Teach employees about the common tricks used in social engineering and run practice exercises to help them recognize and react to threats.
  3. Set Strong Security Rules: Create clear guidelines on how to handle data, control access, and respond to security incidents to lower the risk of social engineering attacks.
  4. Monitor and Act Quickly: Keep an eye out for signs of social engineering attacks and have a clear plan to act fast and reduce the damage if it happens.
  5. Encourage a Security-Conscious Culture: Foster a workplace where employees are aware of security risks and stay alert, which will help protect the organization from social engineering attacks.

Conclusion

The widespread use of technology and the growing complexity of social engineering attacks require all organizations, no matter their size or industry, to take quick and effective action. Social Engineering Statistics show that these attacks are unpredictable and often target human behavior. To tackle these problems effectively, organizations need to do more than rely on traditional tech defenses.

People are at the heart of any strong security plan, acting as both a strength and a potential vulnerability. Make the most of human involvement by creating a culture of transparency and security awareness where employees are actively working to protect the organization.

At the same time, invest in key technologies like antivirus software, firewalls, intrusion detection and prevention systems, and multi-factor authentication. By combining the power of technology with trained and alert employees, organizations can create a much stronger security network.

FAQ

How many people fall for social engineering?

Social engineering attacks are responsible for a significant number of cyber-attacks. In fact, about 90% of successful hacks and data breaches start with some social engineering. If you think your company is safe, think again—84% of businesses have been affected by a social engineering attack.

Are almost 90% of cyber attacks caused by human error or behavior?

Only 18% of cyber incidents were caused by outside threats, and extortion made up just 2%. The study found that about 90% of all cyber claims were due to human errors or actions.

Saisuman Revankar

Saisuman is a talented content writer with a keen interest in mobile tech, new gadgets, law, and science. She writes articles for websites and newsletters, conducting thorough research for medical professionals. Fluent in five languages, her love for reading and languages led her to a writing career. With a Master’s in Business Administration focusing on Human Resources, Saisuman has worked in HR and with a French international company. In her free time, she enjoys traveling and singing classical songs. At Coolest Gadgets, Saisuman reviews gadgets and analyzes their statistics, making complex information easy for readers to understand.