40+ Social Engineering Statistics and Facts + Infographics

Social engineering attacks are among the deadliest cyber threats. You can do everything else in cybersecurity right and still fall to a social engineering attack simply for being too trusting or not completing a cross-check.

But since they enjoyed popularity over the past decade, have these attacks slowed down?

We collected data and vetted surveys and reports over 100+ editorial hours to combine the latest social engineering attack statistics, trends, facts, and forecasts.

Top 6 Social Engineering Statistics (Editor’s Pick)

  • APAC companies ranked social engineering 9th on their most serious threats list.
  • Females were likelier to know what social engineering was than males.
  • Indian companies faced more social engineering threats in 2022 than in 2021.
  • Almost 9 in 10 cyber-attacks targeting individuals used social engineering.
  • Pretexting accounted for 27% of all social engineering breaches in 2022.
  • About 15% of companies conducted phishing simulations in 2021.


General Social Engineering Statistics

1. By mid-year 2022, 75% of organizations considered social engineering the most dangerous threat.

Survey respondents were allowed multiple choices, and supply chain risks came in second with 36%. A lack of cybersecurity expertise was third, as 30% of organizations considered this a serious threat.

2. APAC companies ranked social engineering 9th on their most serious threats list.

In this region, social engineering ranked third in 2019 and fourth in 2021 before dropping to ninth in 2022.

3. 3 in 10 third-party security penetration tests were directed at social engineering threats.

In 2022, most brands were focused on network testing (81%), application testing (68%), and cloud security (48%) instead.

4. It took an average of 215 days to identify a social engineering attack in 2021.

After identification, it took another 75 days (on average) to contain the breach.

5. Social engineering attacks comprised 9% of local network penetration methods in 2021.

The complete list of local network penetration methods, and their significance, can be found below:

| Network Penetration Method | Significance |
|---|---|
| Credential compromise | 71% |
| Known software vulnerabilities/exploits | 60% |
| Configuration flaws | 54% |
| Exploiting web application code vulnerabilities | 43% |
| Social engineering | 9% |
| Zero-day vulnerabilities | 6% |

6. Social engineering attacks caused an average of $4.47 million loss across companies in 17 countries in 2021.

Likewise, BEC (another attack using social engineering) accounted for 4% of all losses, totaling $5.01 million in average losses to victims. There were also phishing attacks, yet another form of social engineering, averaging $4.65 million per data breach that year.

Social Engineering Demography Statistics

7. About 6 in 10 breaches across Europe, the Middle East, and Africa involved social engineering.

Likewise, over 80% of breaches globally contained a human error element, the entry point for social engineering.

8. Between 2020 and 2021, Africa accounted for less than 1% of global BEC scam attempts.

This study also identified the USA, Australia, and UK as the top targets for this social engineering attack.

9. South Africa suffered 34% of all BEC attempts in Africa in 2021.

Business Email Compromise, a form of social engineering, was also highly prevalent in Tunisia (20%), Morocco and Mauritius (12% each), and Nigeria (11%) during the reporting period.

10. The FBI’s Internet Crime Complaint Center (IC3) received over 19,000 BEC reports in 2021.

The 19,954 reports received in the year amounted to about $2.4 billion in total losses to victims.

11. People over 60 were the likeliest to fall for romance scams in 2021.

32% of 60-year-olds and above were victims of these social engineering scams, as reported to the FBI’s IC3. The number is second highest among 50–59-year-olds, and the third highest age demographic was the 40-49 group.

| Age Range | % Affected |
|---|---|
| Over 60 | 32% |
| 50-59 | 16% |
| 40-49 | 15% |
| 30-39 | 15% |
| 20-29 | 10% |
| Under 20 | 2% |

12. 42.1% of surveyed Saudi Arabians did not know what social engineering was in 2022.

Another 50.4% of the surveyed respondents had a moderate knowledge of these attacks. Only 7.5% claimed to have a good understanding of social engineering.

13. 18 – 25-year-old Saudi Arabians were likelier to know what social engineering was in 2022.

As of 2022, 33.3% of this age group claimed to understand “social engineering.”

That was better than respondents aged 26 – 35 (29.6%) and 36 – 45 (21%).

14. The 26 – 35 age group in Saudi Arabia was likeliest to not know about social engineering at all.

In this age group, 28% of respondents did not have any experience with social engineering at all as of 2022. Respondents aged 46 and above (24.2%) fared better, while those aged 36-45 (20.2%) fared best in this category.

15. Females were likelier to know what social engineering was than males.

A 2022 Saudi study identified that 40.5% of female participants knew what social engineering was, while 59.5% did not. In contrast, 64.7% of the males across all age groups did not know what social engineering was, leaving only 35.3% with a moderate or solid knowledge of such attacks.

16. Social engineering was the top attack pattern type in APAC regions for 2022.

It accounted for 48% of all the breach types and incidents reported in the region.

It was also estimated that 99% of the social engineering incidents were related to phishing.

17. Social engineering’s breach impact grew to almost 60% in the EMEA region in 2022.

Of the top actions in the region, the use of stolen credentials (just over 60%) and phishing (60%) led the others. These two are also some of the outcomes of, and approaches to, social engineering attacks, respectively.

18. Social engineering was North America's second most prevalent attack type in 2022.

Phishing (almost 80%) and pretexting (around 30%) were the region’s most used social engineering techniques.


19. Social engineering contributed to 88% of cyber threats in the Caribbean.

As of 2022, social engineering attacks were the third most prevalent in the region. 

They were propagated through phishing attempts (20%) and the use of stolen credentials (10%).

20. Indian companies faced more social engineering threats in 2022 than in 2021.

In 2021, Indian firms rated social engineering 10th on their list of most dangerous threats faced. By 2022, social engineering had moved up three places to 7th.

21. Japanese firms rated social engineering attacks in 14th place among other cyber threats.

Social engineering threats in Japan stayed in 14th place for two years across 2021 and 2022. However, phishing and whaling attacks (which employ some form of social engineering) climbed five places from fifth (in 2021) to first (in 2022).

22. Social engineering attacks have dropped eight points in Malaysian threat rankings since 2021.

2022 data shows that social engineering slumped from the 6th to the 14th position across Malaysian companies. Phishing and whaling attacks also dropped six places from their number one position among cyber threats to Malaysian companies in 2021.

23. In 2022, social engineering threats were slightly rising in the Philippines.

This was evident from a 2022 report showing a one-place climb for social engineering (among other cyber threats) from 12th to 11th between 2021 and 2022.

24. Social engineering was in the top 5 threats faced by Singaporean companies in 2022.

As of 2021, social engineering was rated 14th among the cyber threats facing Singaporean firms. By 2022, it climbed into fourth place, with phishing/whaling attacks in second place.

25. Almost 9 in 10 cyber-attacks targeting individuals used social engineering.

In 2021, only 14% of cyber-attacks were directed at individuals.

However, 88% of these attacks used social engineering to target the victims.

Social Engineering Statistics by Type

26. Over 24,000 victims reported romance and confidence scams to the FBI in 2021.

These scams totaled 24,299 in the reporting year, with victims losing about $956 million.

27. Tech support fraud cost victims more than $347 million in 2021.

This was up from just over $146 million in 2020 and a smaller $54 million in 2019.

By 2021, the FBI received 23,903 complaints about this social engineering scam.

28. Social engineering attacks accounted for 5% of healthcare data breaches in 2021.

This data looked at attacks solely carried out by social engineering. 

When combined with other social engineering attacks (such as phishing, 45%), it accounted for 50% of all healthcare breaches in the year.


29. Over 8 in 10 of those who knew about social engineering also knew about different types of these attacks.

In 2022, 81.7% of respondents who claimed to know about social engineering also demonstrated knowledge of types (BEC, phishing, etc.). Conversely, 4.3% of respondents who claimed not to know what social engineering was still knew about its types.

30. Pretexting accounted for 27% of all social engineering breaches in 2022.

Phishing remained the most used social engineering technique, accounting for over 75% of attack variants.

31. Backdoors or C2s were the most common malware deployed in social engineering attacks.

Accounting for about 70% of cases, backdoors were followed by downloaders (about 60%). On the other hand, ransomware was used in about 4 in 10 social engineering attacks in 2022.

32. Data theft remained the sole driver of social engineering attacks against individuals in 2021.

46% of social engineering attacks against individuals in 2021 sought to steal user credentials. 20% stole personal data, while another 14% went after the individuals’ credit card information.

Social Engineering Statistics by Industry

33. Social engineering was the most prevalent attack type in the Mining + Utilities industry in 2022.

This attack type was used in 110 out of 179 attacks across both industries, more than any other.

34. Social engineering contributed to 90% of attacks against accommodation and food services firms.

As of 2022, social engineering worked with system intrusion and basic web attacks to account for 9 in 10 attacks on these industries. Likewise, social engineering attacks on the food and accommodations industry were greater during the last five years.

35. Social engineering threat actors contributed 88% of major cyber threats against manufacturing firms in 2022.

However, the prevalence of this attack in the manufacturing sector was less over the past 3 and 5-year reporting periods leading to 2022.

36. In 2022, social engineering had a hand in almost 9 in 10 cyber-attacks on the professional, scientific, and technical services industries.

Social engineering teamed up with system intrusion and basic web application attacks to cause 89% of cyber-attacks in these industries. Looking at the 3 and 5-year data, though, its impact in this industry is shrinking while system intrusion takes up a bigger share.

37. Social engineering contributed to 84% of retail cyber-attacks in 2022.

It was also helped by system intrusion and basic web application attacks. 

Likewise, this industry’s frequency of social engineering attacks has increased over the past 3 years.

38. 18% of organizations NEVER conducted phishing simulations against social engineering attacks in 2022.

That was 1% worse than in 2021, when only 17% of companies were in the same category.

39. 19% of companies conducted ongoing social engineering simulations against phishing attacks in 2021.

That number grew to 23% in 2022.

40. About 15% of companies conducted phishing simulations in 2021.

The number remained unchanged in 2022, as 15% of companies continued running (at least) one monthly simulation against this common social engineering attack.


41. More companies completed quarterly drills against social engineering attacks in 2021 than in 2022.

2021 data shows that 28% of companies ran quarterly simulations against phishing attacks. By 2022, the number of companies in this category declined to 24%.

42. 51% of government-related cyber-attacks in 2021 involved social engineering.

Hacking was used in 26% of the cases, while web exploits comprised 16% of the breaches.

Trust Is Earned, Not Given

Many social engineering hacks leverage the fact that people can be trusting and highly unsuspecting. However, we would have a better chance against them if we trust and verify every communication, every single time, no matter who we believe such communications are coming from.

And given the many pies that social engineering has its hands in (BEC, phishing, vishing, smishing, etc.), it is best to understand each aspect to stay insulated from these attacks.

In that case, this collection of 30+ phishing statistics and facts is a great place to start.

References:
  1. https://www.cshub.com/events-cybersecurityfsasia/downloads/cs-hub-mid-year-market-report-2022
  2. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022
  3. https://www.interpol.int/content/download/16759/file/AfricanCyberthreatAssessment_ENGLISH.pdf
  4. https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
  5. https://www.hhs.gov/sites/default/files/the-impact-of-social-engineering-on-healthcare.pdf
  6. https://www.scirp.org/pdf/jis_2022102711090310.pdf
  7. https://www.verizon.com/business/en-gb/resources/2022-data-breach-investigations-report-dbir.pdf
  8. https://assets.sophos.com/X24WTUEQ/at/f3vctf7kcmj7rp3xrb3k73/sophos-future-of-cybersecurity-apj-2022-wp.pdf
  9. https://static.fortra.com/core-security/pdfs/guides/cs-2022-pen-testing-report.pdf
  10. https://www.dataendure.com/wp-content/uploads/2021_Cost_of_a_Data_Breach_-2.pdf
  11. https://www.ptsecurity.com/upload/corporate/ww-en/analytics/positive-research-2022-eng.pdf