Social engineering attacks are among the deadliest cyber threats. You can do everything else right in cybersecurity and still fall to a social engineering attack simply for being too trusting or not completing a cross-check.
But since they enjoyed popularity over the past decade, have these attacks slowed down?
We collected data and vetted surveys and reports over 100+ editorial hours to combine the latest social engineering attack statistics, trends, facts, and forecasts.
Top 6 Social Engineering Statistics (Editor’s Pick)
- APAC companies ranked social engineering 9th on their most serious threats list.
- Females were likelier to know what social engineering was than males.
- Indian companies faced more social engineering threats in 2022 than in 2021.
- Almost 9 in 10 cyber-attacks targeting individuals used social engineering.
- Pretexting accounted for 27% of all social engineering breaches in 2022.
- About 15% of companies conducted phishing simulations in 2021.
General Social Engineering Statistics
Survey respondents were allowed multiple choices, and supply chain risks came in second with 36%. A lack of cybersecurity expertise was third, as 30% of organizations considered this a serious threat.
In this region, social engineering ranked third in 2019 and fourth in 2021 before dropping to ninth in 2022.
In 2022, most brands were focused on network testing (81%), application testing (68%), and cloud security (48%) instead.
After identification, it took another 75 days (on average) to contain the breach.
5. Social engineering attacks comprised 9% of local network penetration methods in 2021.
The complete list of local network penetration methods, and their significance, can be found below:
|Network Penetration Method|Significance|
|Known software vulnerabilities/exploits|60%|
|Exploiting web application code vulnerabilities|43%|
6. Social engineering attacks caused an average of $4.47 million loss across companies in 17 countries in 2021.
Likewise, BEC (another attack using social engineering) accounted for 4% of all losses, totaling $5.01 million in average losses to victims. There were also phishing attacks, yet another form of social engineering, averaging $4.65 million per data breach that year.
Social Engineering Demography Statistics
Likewise, over 80% of breaches globally contained a human error element, the entry point for social engineering.
8. Between 2020 and 2021, Africa accounted for less than 1% of global BEC scam attempts.
This study also identified the USA, Australia, and UK as the top targets for this social engineering attack.
9. South Africa suffered 34% of all BEC attempts in Africa in 2021.
Business Email Compromise, a form of social engineering, was also highly prevalent in Tunisia (20%), Morocco and Mauritius (12% each), and Nigeria (11%) during the reporting period.
10. The FBI’s Internet Crime Complaint Center (IC3) received over 19,000 BEC reports in 2021.
The 19,954 reports received in the year amounted to about $2.4 billion in total losses to victims.
11. People over 60 were the likeliest to fall for romance scams in 2021.
32% of 60-year-olds and above were victims of these social engineering scams, as reported to the FBI’s IC3. The number is second highest among 50–59-year-olds, and the third highest age demographic was the 40-49 group.
|Age Range|% Affected|
Another 50.4% of the surveyed respondents had a moderate knowledge of these attacks. Only 7.5% claimed to have a good understanding of social engineering.
As of 2022, 33.3% of this age group claimed to understand “social engineering.”
That was better than respondents aged 26 – 35 (29.6%) and 36 – 45 (21%).
In this age group, 28% of respondents did not have any experience with social engineering at all as of 2022. Respondents aged 46 and above (24.2%) fared better, while those aged 36-45 (20.2%) fared best in this category.
A 2022 Saudi study identified that 40.5% of female participants knew what social engineering was, while 59.5% did not. In contrast, 64.7% of the males across all age groups did not know what social engineering was, leaving only 35.3% with a moderate or solid knowledge of such attacks.
16. Social engineering was the top attack pattern type in APAC regions for 2022.
It accounted for 48% of all the breach types and incidents reported in the region.
It was also estimated that 99% of the social engineering incidents were related to phishing.
17. Social engineering’s breach impact grew to almost 60% in the EMEA region in 2022.
Of the top actions in the region, the use of stolen credentials (just over 60%) and phishing (60%) led the others. These two are also some of the outcomes of, and approaches to, social engineering attacks, respectively.
18. Social engineering was North America's second most prevalent attack type in 2022.
Phishing (almost 80%) and pretexting (around 30%) were the region’s most used social engineering techniques.
19. Social engineering contributed to 88% of cyber threats in the Caribbean.
As of 2022, social engineering attacks were the third most prevalent in the region.
They were propagated through phishing attempts (20%) and the use of stolen credentials (10%).
In 2021, Indian firms rated social engineering 10th on their list of most dangerous threats faced. By 2022, social engineering had moved up three places to 7th.
Social engineering threats in Japan stayed in 14th place for two years across 2021 and 2022. However, phishing and whaling attacks (which employ some form of social engineering) climbed five places from fifth (in 2021) to first (in 2022).
22. Social engineering attacks have dropped eight points in Malaysian threat rankings since 2021.
2022 data shows that social engineering slumped from the 6th to the 14th position across Malaysian companies. Phishing and whaling attacks also dropped six places from their #1 position among cyber threats to Malaysian companies in 2021.
This was evident from a 2022 report showing a one-place climb for social engineering (among other cyber threats) from 12th to 11th between 2021 and 2022.
24. Social engineering was in the top 5 threats faced by Singaporean companies in 2022.
As of 2021, social engineering was rated 14th among the cyber threats facing Singaporean firms. By 2022, it climbed into fourth place, with phishing/whaling attacks in second place.
In 2021, only 14% of cyber-attacks were directed at individuals.
However, 88% of these attacks used social engineering to target the victims.
Social Engineering Statistics by Type
26. Over 24,000 victims reported romance and confidence scams to the FBI in 2021.
These scams totaled 24,299 in the reporting year, with victims losing about $956 million.
27. Tech support fraud cost victims more than $347 million in 2021.
This was up from just over $146 million in 2020 and a smaller $54 million in 2019.
By 2021, the FBI received 23,903 complaints about this social engineering scam.
28. Social engineering attacks accounted for 5% of healthcare data breaches in 2021.
This data looked at attacks solely carried out by social engineering.
When combined with other social engineering attacks (such as phishing, 45%), it accounted for 50% of all healthcare breaches in the year.
In 2022, 81.7% of respondents who claimed to know about social engineering also demonstrated knowledge of types (BEC, phishing, etc.). Conversely, 4.3% of respondents who claimed not to know what social engineering was still knew about its types.
Phishing remained the most used social engineering technique, accounting for over 75% of attack variants.
Accounting for about 70% of cases, backdoors were followed by downloaders (about 60%). On the other hand, ransomware was used in about 4 in 10 social engineering attacks in 2022.
46% of social engineering attacks against individuals in 2021 sought to steal user credentials. 20% stole personal data, while another 14% went after the individuals’ credit card information.
Social Engineering Statistics by Industry
33. Social engineering was the most prevalent attack type in the Mining + Utilities industry in 2022.
This attack type was used in 110 out of 179 attacks across both industries, more than any other.
34. Social engineering contributed to 90% of attacks against accommodation and food services firms.
As of 2022, social engineering worked with system intrusion and basic web attacks to account for 9 in 10 attacks on these industries. Likewise, social engineering attacks on the food and accommodations industry were greater during the last five years.
35. Social engineering threat actors contributed 88% of major cyber threats against manufacturing firms in 2022.
However, the prevalence of this attack in the manufacturing sector was lower over the past 3- and 5-year reporting periods leading to 2022.
Social engineering teamed up with system intrusion and basic web application attacks to cause 89% of cyber-attacks in these industries. Looking at the 3- and 5-year data, though, its impact in this industry is lessening while system intrusion takes up a bigger share.
37. Social engineering contributed to 84% of retail cyber-attacks in 2022.
It was also helped by system intrusion and basic web application attacks.
Likewise, this industry’s frequency of social engineering attacks has increased over the past 3 years.
That was a 1% drop, considering only 17% of companies were in the same category in 2021.
That number grew to 23% in 2022.
40. About 15% of companies conducted phishing simulations in 2021.
The number remained unchanged in 2022, as 15% of companies continued running (at least) one monthly simulation against this common social engineering attack.
2021 data shows that 28% of companies ran quarterly simulations against phishing attacks. By 2022, the number of companies in this category declined to 24%.
Hacking was used in 26% of the cases, while web exploits comprised 16% of the breaches.
Trust Is Earned, Not Given
Many social engineering hacks exploit the fact that people can be trusting and highly unsuspecting. However, we would have a better chance against them if we trust and verify every communication, every single time, no matter who we believe such communications are coming from.
And given the many pies that social engineering has its hands in (BEC, phishing, vishing, smishing, etc.), it is best to understand each aspect to stay insulated from these attacks.
In that case, this collection of 30+ phishing statistics and facts is a great place to start.