
85+ Social Engineering Statistics to Know for 2026

  • October 29, 2025
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

In the world of cybersecurity, the greatest threat isn't always a rogue piece of code or a system bug. It’s something much harder to remediate – the human element. 

Unlike traditional cyber threats that seek to exploit system vulnerabilities, social engineering attacks bypass technical defenses by manipulating people into revealing confidential information or making security mistakes. 

That's why understanding social engineering is so vital. It's not just about implementing the latest security controls; it's about recognizing the human vulnerabilities within our organizations and learning how to fortify them.

So let's delve deeper into the world of social engineering, understand the extent of the threat it poses with the latest social engineering statistics, and explore how organizations can guard against this formidable threat.

What are social engineering attacks?

Social engineering is a method used by cybercriminals that involves tricking people into sharing confidential information such as passwords and credit card numbers, or access to their computer systems where they install malicious software. Instead of breaking into a system directly, social engineers manipulate people into making security mistakes or giving away sensitive information.

The trust we place in others, our desire to be helpful, and even our fears are all vulnerabilities that cybercriminals eagerly exploit. They don't need advanced hacking skills if they can simply trick an employee into clicking a malicious link or revealing a password.

Social engineering is among the most common types of cyberattacks used by bad actors to exploit an organization — and attacks are growing more sophisticated. Social engineers are using increasingly personalized tactics to gain trust and avoid suspicion. Voice cloning and deepfake technology make it possible for threat actors to impersonate their targets in even more convincing ways. In one high-profile instance, the AI-created voice of a bank director was used to trick a bank manager into transferring $35 million to threat actors.

Social engineering attacks are an especially dangerous threat to organizations specifically because of the human element. Mistakes made by legitimate users are more difficult to detect, predict, and remediate. In many cases, victims don’t even realize they’ve been tricked.

Most common types of social engineering attacks

  • Ransomware attacks: Malicious software encrypts a victim's files, making them inaccessible until a ransom is paid.
  • Phishing attacks: Generic emails are sent to large numbers of people, tricking them into revealing sensitive information.
  • Spear phishing: Phishing scams tailored to specific individuals, often using personal information to appear more legitimate.
  • CEO fraud/Whaling: High-ranking executives are impersonated to trick employees into performing actions like transferring funds.
  • Business Email Compromise (BEC): Similar to CEO fraud, but the attacker infiltrates the email account of the executive to make the requests seem more legitimate.
  • Smishing: Phishing via SMS. The attacker sends a text message prompting the recipient to reveal sensitive information or click a malicious link.
  • Vishing: Voice phishing, where the attacker impersonates a trusted entity over a phone call.
  • Baiting: The attacker leaves a physical device, like a USB stick loaded with malware, in a place where the target will find it.
  • Piggybacking/Tailgating: The attacker gains physical access to a restricted area by following someone who is authorized to be there.
  • Pretexting: The attacker fabricates a believable scenario (or pretext) to steal the victim's personal information.
  • Quid Pro Quo/Tech support scams: The attacker offers a service or benefit in exchange for information or access.
  • Scareware: Malware is embedded in free software, which is then distributed to unsuspecting users.
  • Watering hole attacks: The attacker infects websites that their target is known to visit with the intent of compromising the target's device.

Recommended reading

The 13 Most Common Types of Social Engineering Attacks + How to Defend Against Them

Social engineering statistics for 2026

We combed through data reports by trusted authorities like the FBI, Verizon, IBM, Kaspersky, and many more to find the latest must-know social engineering statistics. 

Malware and ransomware statistics 

1. Microsoft’s Digital Defense Report 2025 found ransomware and extortion drove over half of cyberattacks globally. (Microsoft)

2. 59% of organizations globally experienced a ransomware attack in 2024. (Statista)

3. Ransomware payments surged to a record high of $460 million in the first half of 2024. (Chainalysis)

4. 2024 saw the largest ransomware payment ever recorded — approximately $75 million paid to the Dark Angels ransomware group. (Chainalysis)

5. The median loss associated with ransomware and other extortion breaches was $46,000 in 2024. (Verizon)

6. The median ransom payment jumped from just under $200,000 in early 2023 to $1.5 million in mid-June 2024. (Chainalysis)

7. After experiencing a ransomware attack, roughly 46% of organizations worldwide paid a ransom to get their encrypted data back. (Statista)

8. 97% of companies were able to retrieve their data after a ransomware attack in 2023, with 70% relying on data backups. (Statista)

9. Ransomware payments dropped by 35.8% in 2024 compared to 2023, partly due to law enforcement actions. (Chainalysis)

10. Only 13% of victims paid the ransom in 2025, down from 16.3% in 2024, while 62% used immutable backups. (Hornetsecurity)

11. Roughly one-third of breaches (32%) in 2024 involved ransomware or another extortion technique. (Verizon)

12. 16.3% of ransomware victims paid the ransom to recover their data in 2024, compared to just 6.9% in 2023. (HornetSecurity)

13. 14% of ransomware victims reported their backup storage was also affected during the attack, either encrypted or rendered inaccessible. (HornetSecurity)

14. Over half of all ransomware incidents in 2024 originated from email and phishing attacks. (HornetSecurity)

15. Small organizations remain the most vulnerable to ransomware, with 55.8% of attacks targeting companies with 1-50 employees. (HornetSecurity)

16. Of the small businesses that were targeted by ransomware, 1 in 5 ended up paying the ransom to recover their data. Among those who did, 60% paid between $10,000 and $100,000 in ransom. (HornetSecurity)

17. Nearly 1 in 10 organizations do not know how their systems were infiltrated by ransomware, and 1 in 3 ransomware victims are unaware if any data was exfiltrated. (HornetSecurity)

18. 81% of organizations say they train their employees to recognize and flag potential ransomware attacks. (HornetSecurity)

19. 55% of organizations have purchased ransomware insurance policies. (HornetSecurity)

20. 40% of ransomware incidents involve the use of desktop sharing software and 35% involve the use of email. (Verizon)

21. Ransomware is currently considered the top cybersecurity concern for organizations, with over half of surveyed companies ranking it as their primary threat in 2024. (Arctic Wolf)

22. The healthcare, financial services, and information technology sectors are the most likely sectors to experience a ransomware attack. (FBI)

23. Ransomware breaches take an average of 326 days to contain — 49 days longer than the average data breach. (IBM)

24. The average cost of a ransomware attack — not including the cost of the ransom itself — is $4.54 million. (IBM)

25. The average cost of a ransomware breach is 13.1% higher for organizations that don’t pay the ransom. (IBM)

26. Email is the most common malware delivery method. (Verizon)

27. 450,000 new pieces of malware are registered by the AV-Test Institute every day. (AV-Test)

28. Experts estimate a ransomware attack on businesses occurs every 11 seconds. (Cybercrime Magazine)

Phishing statistics

29. Phishing was the most common breach vector in 2024, accounting for roughly 16% of breaches with an average cost of $4.88 million. (IBM)

30. Financial services and online payment platforms made up 30.9% of phishing targets, with millions of QR-code phishing emails sent. (APWG)

31. Phishing and pretexting are the leading social engineering actions against SMBs in 2025, with prompt-bombing attacks on the rise. (Verizon)

32. The Anti-Phishing Working Group (APWG) recorded 1,003,924 phishing attacks in Q1 2025 and 1,130,393 phishing attacks in Q2 2025, a 13% QoQ increase. (APWG)

33. Cofense reported its Phishing Defense Center analyzed an average of one malicious email every 42 seconds in 2024. (Cofense)

34. 94% of organizations faced phishing attacks in 2024, with 96% of successful incidents causing negative business impacts. (Egress)

35. Phishing-as-a-service (PhaaS) was behind 30% of credential attacks in 2024 and could reach 50% in 2025. (Barracuda)

36. The median time for users to fall for phishing emails is less than 60 seconds. (Verizon)

37. The median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data. (Verizon)

38. Phishing and pretexting via email account for 73% of all breaches. (Verizon)

39. An average 2.9% of employees click on phishing emails. (Verizon)

40. Phishing schemes were the number one crime type with 300,497 complaints. (FBI)

41. The average CEO receives 57 targeted phishing attacks every year. (Barracuda)

42. 43% of phishing attacks impersonate Microsoft brands. (Barracuda)

43. IT staff receive an average of 40 targeted phishing attacks every year. (Barracuda)

44. 95% of successful network intrusions rely on spear phishing techniques. (Security Intelligence)

45. Phishing impersonation attacks, where attackers pose as emails from a well-known brand or service to trick victims into clicking on a phishing link, make up 49% of all socially engineered threats. (Barracuda)

46. Only half of employees are able to correctly define spear phishing. (Proofpoint)

47. 62% of organizations use a security awareness training program to reduce the likelihood of a successful phishing attack. (Arctic Wolf)

48. Phishing is the second most common cause of a breach and the costliest, with an average $4.91 million in breach costs. (IBM)

49. Most imitated brands in phishing attacks (Zscaler and Barracuda):
  • Microsoft
  • WeTransfer
  • DHL
  • Google
  • eFax
  • DocuSign
  • USPS
  • Dropbox
  • Xerox
  • Facebook
  • Amazon
  • OneDrive
  • PayPal
  • Roblox
  • WhatsApp
  • Microsoft 365
  • Adobe
  • Fidelity

AI-driven social engineering statistics

50. 91% of security professionals said their organizations faced AI-enabled email attacks in the past six months. (Abnormal Security)

51. More than one-third of 2025 social-engineering incidents involved AI-adjacent methods like SEO poisoning or fake prompts. (Palo Alto Networks)

52. Microsoft’s Digital Defense Report 2025 stated adversaries are increasingly using AI to scale phishing and influence campaigns. (Microsoft)

53. 60% of security leaders admitted to sharing sensitive data with AI tools. (Arctic Wolf)

54. 67% of IT professionals say the rise of generative AI has increased their fear of being targeted by a ransomware attack. (HornetSecurity)

55. 61% of organizations use some level of security AI and automation. (IBM)

56. Breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at organizations with no security AI and automation deployed — a 65.2% difference in average breach cost. Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach. (IBM)

57. AI-driven cyber-attacks have exploded by over 4,000% in the last three years. (TechMagic)

58. More than 82.6% of all phishing emails analyzed between September 2024-February 2025 used AI in some form. (KnowBe4)

59. Browser-based phishing attacks saw a 140% increase last year, tied to generative AI threats and zero-hour phishing. (Security Magazine)

Business email compromise statistics

60. Wire-transfer BEC scams increased by 33% in Q2 2025 compared to Q1. (APWG)

61. The FBI’s IC3 logged 21,442 BEC complaints in 2024, with reported losses exceeding $2.7 billion, making it the second-costliest cybercrime type. (FBI IC3)

62. Business Email Compromise (BEC) accounts for 24-25% of financially motivated attacks. (Verizon)

63. Cloudflare was the most popular domain registrar used by BEC scammers in Q1 2025. (Fortra)

64. FBI advisories estimate total exposed losses from BEC between 2013 and 2023 exceeded $55.4 billion globally. (FBI IC3)

65. The median monthly BEC volume in H1 2025 was up 54% compared to 2023, peaking at 20 attacks per 1,000 mailboxes in June 2024. (Abnormal Security)

66. 1 in 10 social engineering attacks are business email compromise (BEC) attacks. (Barracuda)

67. 77% of BEC attacks target employees outside of finance and executive roles. 1 in 5 BEC attacks target sales employees. (Barracuda)

68. Business email compromise (BEC) attacks account for 6% of all breaches with an average cost of $4.89 million. (IBM)

Data breach statistics

69. 86% of social-engineering incidents caused business disruption such as downtime or reputational damage. (Palo Alto Networks)

70. 68% of data breaches in 2024 were attributed to human error, including social engineering scams. (Verizon)

71. The average global cost of a data breach in 2025 is $4.4 million. (IBM)

72. SMBs are targeted nearly four times more often than large enterprises in 2025. (Verizon)

73. The financial sector (17.4%) and business services (11.1%) were among the most targeted industries in 2024. (Google Cloud Mandiant)

74. ENISA’s Finance Threat Landscape 2024/25 showed social engineering attacks resulted in financial loss in 50% of cases, fraud in 28%, and data exposure in others. (ENISA)

75. Cyberattacks using stolen or compromised credentials increased 71% year-over-year. (IBM X-Force)

76. More than one-third of social engineering incidents in 2025 involved non-phishing tactics such as SEO poisoning, fake prompts, or help-desk manipulation. (Palo Alto Networks)

77. Stolen credentials (16%) surpassed email phishing (14%) as the second most common initial access vector in 2024. (Google Cloud Mandiant)

78. The FBI’s IC3 received 859,532 complaints in 2024, with reported losses of $16.6 billion, a 33% increase over 2023. (FBI IC3)

79. 80% of breaches are believed to be caused by external threats. (Verizon)

80. 98% of cyberattacks rely on social engineering. (Purplesec)

81. The average business faces over 700 social engineering attacks each year. (Barracuda)

82. The average cost of a social engineering attack was $130,000 in 2024. (CRC Group)

83. 20% of confirmed data breaches involve social engineering. (Verizon)

84. More than 70% of employees admit to risky behavior that leaves their organizations vulnerable. (Proofpoint)

85. 83% of organizations have experienced more than one data breach. (IBM)

86. 90% of cyberattacks target an organization’s employees. (Arctic Wolf)

87. The average organization is targeted by over 700 social engineering attacks a year. (Barracuda)

88. 89% of social engineering attacks were motivated by financial gain, 11% by espionage. (Verizon)

89. Pretexting constitutes 27% of social engineering breaches. (Verizon)

Guarding against an invisible threat: How to prevent social engineering attacks

Unlike other types of cybersecurity threats that exploit system vulnerabilities, social engineering targets the most unpredictable element in an organization – the human factor. That’s why awareness and education are your first and best lines of defense. By understanding social engineering attacks, their phases, and the common types, your team is already better prepared to recognize and counteract these cyber threats before they can impact your organization.

1. Create a culture of security awareness

Developing a robust cybersecurity framework begins by nurturing a culture of security awareness. This isn't a task that should be left solely to your IT department; it's a collective responsibility. Everyone in your organization must understand the threats they face and their role in preventing them.

Security awareness training should be a regular part of the onboarding process for new hires and should continue throughout an employee's tenure. This training should also evolve to match the sophistication of social engineering tactics. Remember, a chain is only as strong as its weakest link.

2. Learn to recognize social engineering tactics

Your employees should be familiar with the tactics that social engineers employ. Here are some key measures:

  • Check email addresses: Hackers often impersonate trusted sources. Always verify the sender's email address. For instance, 'support@micros0ft.com' might appear legitimate at first glance, but notice the number '0' replacing the letter 'o'.
  • Don’t click on suspicious links: Hover over links to display the actual URL before clicking. Beware of URLs that do not match the supposed destination or that are unnecessarily long with random characters.
  • Watch for commonly used subject lines: Phrases like "Password Reset Required Immediately," "Your Account Has Been Suspended," and "Unauthorised Login Attempt" are commonly used to spark urgency and fear.
  • Contact the sender directly: If an email or message seems suspicious, contact the sender directly using known contact information, not the details provided in the suspicious communication.
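The three email checks above (lookalike sender domains such as 'micros0ft.com', link text that does not match the real destination, and urgency-laden subject lines) can be automated as a first-pass triage before a message reaches a reader. The following is an added example, not code from the article or from Secureframe; the trusted-domain list, the confusable-character table, the urgency phrases and both sample messages are constructed for illustration.

```python
"""Triage an inbound email for the red flags described in the article:
lookalike sender domains, mismatched link text, and urgency subject lines.

Added example (not the article's code). TRUSTED_DOMAINS, CONFUSABLE_CHARS,
URGENCY_PHRASES and the sample messages are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains this organisation legitimately receives mail from (assumed list).
TRUSTED_DOMAINS = {"microsoft.com", "example-corp.com"}

# Digit-for-letter swaps attackers commonly use (assumed subset).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Subject-line phrases that manufacture urgency or fear (assumed list).
URGENCY_PHRASES = ("password reset required", "account has been suspended",
                   "unauthorised login", "unauthorized login", "immediately")


def normalize_domain(domain: str) -> str:
    """Undo common substitutions: digits for letters and 'rn' for 'm'."""
    return domain.lower().translate(CONFUSABLE_CHARS).replace("rn", "m")


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header like 'IT Support <a@b.com>'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def _matches(domain: str, trusted: str) -> bool:
    return domain == trusted or domain.endswith("." + trusted)


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if the domain is
    trusted (including its subdomains) or resembles nothing we trust."""
    domain = domain.lower()
    if any(_matches(domain, t) for t in TRUSTED_DOMAINS):
        return None
    normalized = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if _matches(normalized, trusted):
            return trusted
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> Optional[str]:
    """Hostname of a URL or bare domain; None for ordinary link text."""
    value = value.strip()
    if not value or " " in value:
        return None
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower() or None


def mismatched_links(html_body: str) -> List[Tuple[str, str]]:
    """Links whose visible text shows one host but whose href goes elsewhere
    (what a reader would see by hovering before clicking)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        shown, actual = _host(text), _host(href)
        if shown and actual and "." in shown and shown != actual:
            flagged.append((text, href))
    return flagged


def urgent_subject(subject: str) -> List[str]:
    """Urgency phrases present in the subject line."""
    lowered = subject.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


def triage(message: dict) -> List[str]:
    """Run all three checks and return human-readable findings."""
    findings = []
    domain = sender_domain(message["from"])
    imitated = lookalike_domain(domain)
    if imitated:
        findings.append(f"sender domain {domain!r} looks like {imitated!r}")
    for text, href in mismatched_links(message.get("html", "")):
        findings.append(f"link text {text!r} actually points to {href!r}")
    phrases = urgent_subject(message.get("subject", ""))
    if phrases:
        findings.append("urgency phrases in subject: " + ", ".join(phrases))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = {
    "from": "Microsoft Support <support@micros0ft.com>",
    "subject": "Password Reset Required Immediately",
    "html": '<p>Your account has been locked.</p>'
            '<a href="https://login.micros0ft-secure.com/reset">'
            'https://portal.microsoft.com/reset</a>',
}
SAMPLE_LEGIT = {
    "from": "IT Helpdesk <helpdesk@example-corp.com>",
    "subject": "Lunch-and-learn: Thursday at noon",
    "html": '<a href="https://intranet.example-corp.com/events">Sign up here</a>',
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(msg) or ["no findings"])
```

The normalisation step is deliberately narrow: it only folds the substitutions the article calls out (a '0' standing in for 'o', plus the classic 'rn' for 'm'), and it treats genuine subdomains of a trusted domain as clean so that a legitimate 'login.microsoft.com' is not flagged. A production filter would add a homoglyph table for non-ASCII characters and feed these findings into a mail gateway rather than a script.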

3. Conduct regular phishing testing

Phishing testing is a proactive approach to strengthen your organization's defense. Regularly conducting simulated phishing campaigns can help assess your team's response and identify areas that need improvement. This approach also helps employees understand the importance of security protocols and allows them to apply their training in a safe environment.

4. Complete regular patching and security updates

Regardless of how security-aware your employees are, outdated software, hardware, and applications can provide an easy way in for hackers. Regular patching and security updates are crucial to fix known vulnerabilities and keep your systems secure. Consider automated patch management systems to streamline this process.

5. Implement continuous monitoring

Continuous monitoring is a crucial step in detecting and responding to security incidents promptly. Analyzing website traffic and activity for anomalies can help spot unusual behavior that may indicate a social engineering attempt. Using machine learning and AI, modern security systems can detect patterns and provide real-time alerts for suspicious activity.

Social engineering is a significant threat that requires a strategic response. By fostering a culture of security awareness, regularly training employees, conducting phishing testing, keeping all systems updated, and continuously monitoring for suspicious activity, organizations can effectively guard against malicious attacks.

Protect against social engineers and cybercriminals

Social engineering works because it preys on human behavior — urgency, curiosity, or trust — and those instincts don’t disappear with firewalls or endpoint security. That’s why preparation is your strongest defense. Training people to spot red flags, building response muscle memory through simulations, and making security part of daily culture helps ensure that when a real attempt happens, your team reacts instinctively and correctly.

And preparation isn’t just about awareness; it’s about equipping your workforce with the right resources. From playbooks and phishing test templates to risk assessment checklists, the tools you provide can mean the difference between a stopped attack and a costly breach.

To make preparation easier, we’ve put together a downloadable cybersecurity awareness kit that includes templates, checklists, and training resources designed to help teams build strong security practices and respond to cyberthreats. Use it to jump-start your internal awareness program, reinforce what employees learn in training, and give your organization a playbook for handling real-world scenarios before they happen.

Cybersecurity Awareness Kit

Building a strong cybersecurity program can feel overwhelming, especially for growing teams with limited time and resources. This free Cybersecurity Awareness Kit brings together essential tools so you can train employees, test your defenses, and improve resilience.

FAQs

What percentage of attacks are social engineering?

Social engineering accounts for approximately 70-90% of cyberattacks, with phishing being the most prevalent method.

What are the most common social engineering attacks?

The most common social engineering attacks include phishing, spear phishing, pretexting, baiting, and tailgating.

Which category of social engineering is the most common?

Phishing is the most common category, as it is widely used to trick individuals into providing sensitive information or downloading malware.

Is social engineering increasing?

Yes, social engineering attacks are increasing, fueled by the widespread use of digital communication platforms and attackers' evolving tactics.

What is the best defense against social engineering attacks?

The best defense includes employee training, multi-factor authentication (MFA), email filtering tools, and clear security policies.

How much money is lost due to social engineering?

The average cost of a social engineering attack is $130,000.

Emily Bonnie

Senior Content Marketing Manager

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.