In the world of cybersecurity, the greatest threat isn't always a rogue piece of code or a system bug. It’s something much harder to remediate – the human element. 

Unlike traditional cyber threats that seek to exploit system vulnerabilities, social engineering attacks bypass technical defenses by manipulating people into revealing confidential information or making security mistakes. 

That's why understanding social engineering is so vital. It's not just about implementing the latest security controls; it's about recognizing the human vulnerabilities within our organizations and learning how to fortify them.

So let's delve deeper into the world of social engineering, understand the extent of the threat it poses with the latest social engineering statistics, and explore how organizations can guard against this formidable threat.

What are social engineering attacks?

Social engineering is a method used by cybercriminals that involves tricking people into sharing confidential information such as passwords and credit card numbers, or access to their computer systems where they install malicious software. Instead of breaking into a system directly, social engineers manipulate people into making security mistakes or giving away sensitive information.

The trust we place in others, our desire to be helpful, and even our fears are all vulnerabilities that cybercriminals eagerly exploit. They don't need advanced hacking skills if they can simply trick an employee into clicking a malicious link or revealing a password.

Social engineering is among the most common techniques used by bad actors to exploit an organization — and attacks are growing more sophisticated. Social engineers are using increasingly personalized tactics to gain trust and avoid suspicion. Voice cloning and deepfake technology make it possible for threat actors to impersonate their targets in even more convincing ways. In one high-profile instance, the AI-created voice of a bank director was used to trick a bank manager into transferring $35 million to threat actors.

Social engineering attacks are an especially dangerous threat to organizations specifically because of the human element. Mistakes made by legitimate users are more difficult to detect, predict, and remediate. In many cases, victims don’t even realize they’ve been tricked.

Most common types of social engineering attacks

1. Ransomware attacks: Malicious software encrypts a victim's files, making them inaccessible until a ransom is paid.
2. Phishing attacks: Generic emails are sent to large numbers of people, tricking them into revealing sensitive information.
3. Spear phishing: Phishing scams tailored to specific individuals, often using personal information to appear more legitimate.
4. CEO fraud/Whaling: High-ranking executives are impersonated to trick employees into performing actions like transferring funds.
5. Business Email Compromise (BEC): Similar to CEO fraud, but the attacker infiltrates the email account of the executive to make the requests seem more legitimate.
6. Smishing: Phishing via SMS. The attacker sends a text message prompting the recipient to reveal sensitive information or click a malicious link.
7. Vishing: Voice phishing, where the attacker impersonates a trusted entity over a phone call.
8. Baiting: The attacker leaves a physical device, like a USB stick loaded with malware, in a place where the target will find it.
9. Piggybacking/Tailgating: The attacker gains physical access to a restricted area by following someone who is authorized to be there.
10. Pretexting: The attacker fabricates a believable scenario (or pretext) to steal the victim's personal information.
11. Quid Pro Quo/Tech support scams: The attacker offers a service or benefit in exchange for information or access.
12. Scareware: Malware is embedded in free software, which is then distributed to unsuspecting users.
13. Watering hole attacks: The attacker infects websites that their target is known to visit with the intent of compromising the target's device.

Social engineering statistics for 2023

We combed through the most recent data reports by trusted authorities like the FBI, Verizon, IBM, Kaspersky, and many more to find the latest must-know social engineering statistics. 

Malware and Ransomware statistics 

1. There were 493 million ransomware attacks worldwide in 2022. Statista
2. According to a 2020 cybersecurity survey, 68% of US organizations had experienced a ransomware attack and paid the ransom. 22% said they had not been infected, and 10% said they were infected but did not pay. Statista
3. 2022 saw a 13% increase in ransomware breaches — an increase as big as the last 5 years combined. Verizon 
4. 40% of ransomware incidents involve the use of desktop sharing software and 35% involve the use of email. Verizon 
5. 700 million attacks used ransom or extortion in 2021. Arctic Wolf 
6. 70% of IT and security leaders saw ransomware as their top security threat concern in 2022. Arctic Wolf
7. The healthcare, financial services, and information technology sectors are the most likely sectors to experience a ransomware attack. FBI 
8. 11% of breaches in 2022 were ransomware attacks, 41% more than in 2021. IBM 
9. The percentage of users impacted by targeted ransomware doubled in the first 10 months of 2022. Kaspersky 
10. New ransomware variants continue to emerge. In the course of 2022, Kaspersky detected over 21,400 ransomware strains. Kaspersky 
11. Average ransom payments in Q4 2022 surged 58% over Q3 to $408,644, while the median payment rose 342% to $185,972. Coveware
12. In 2021, the FBI IC3 received 3,729 ransomware complaints with losses of more than $49.2 million. FBI 
13. 70% of IT and corporate executives said ransomware was their top security threat concern in 2022. Phishing is the second-most concerning threat. Arctic Wolf 
14. 2021 saw some of the highest ransom demands on record, with one financial institution paying $40 million to decrypt its data. SonicWall
15. Ransomware breaches take an average of 326 days to contain — 49 days longer than the average data breach. IBM 
16. Average cost of a ransomware attack — not including the cost of the ransom itself — was $4.54 million. IBM
17. The average cost of a ransomware breach is 13.1% higher for organizations that don’t pay the ransom. IBM 
18. In 2022, there were 5.5 billion malware attacks worldwide. Statista
19. Email is the most common malware delivery method. Verizon 
20. 450,000 new pieces of malware are registered by the AV-Test Institute every day. AV-Test 
21. Experts estimate a ransomware attack on businesses occurs every 11 seconds. Cybercrime Magazine

Phishing statistics

1. Phishing was by far the most commonly reported cybercrime in 2022, affecting more than 5x the number of individuals than any other type of cybercrime. Statista
2. By Q3 2022, nearly 1.3 million unique phishing sites were detected worldwide, a more than 15% increase from Q2 2022. Statista
3. A 2021 survey shows 48% of organizations based in the US experienced between 4-9 successful phishing attacks that year. Statista
4. A 2021 survey of IT security specialists worldwide found that 79% of organizations experienced spear phishing attacks. 13% of respondents said their organization saw more than 50 attacks. Statista
5. An average 2.9% of employees click on phishing emails. Verizon
6. Phishing schemes were the number one crime type with 300,497 complaints FBI 
7. There were 323,972 reported complaints to the FBI regarding phishing, fishing, smashing, and/or pharming, a 34% increase over 2021. FBI 
8. Phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities were the top three initial infection vectors for ransomware incidents in 2021. FBI
9. Phishing attacks rose 29% in 2021 compared to 2020. Zscaler
10. Retail and wholesale were the most targeted industries in 2021, seeing a 436% increase in phishing attacks. Zscaler
11. SMS phishing saw a 700% increase in the first half of 2021. Zscaler 
12. The average CEO receives 57 targeted phishing attacks every year. Barracuda 
13. 43% of phishing attacks impersonate Microsoft brands. Barracuda 
14. IT staff receive an average of 40 targeted phishing attacks every year. Barracuda 
15. Phishing impersonation attacks, where attackers pose as emails from a well-known brand or service to trick victims into clicking on a phishing link, make up 49% of all socially engineered threats. Barracuda 
16. SlashNext reports 80,000 malicious URLs are detected daily. This equates to 255M phishing attacks detected in 2022 — a 61% increase over 2021. SlashNext
17. 2022 saw a 50% increase in mobile phishing threats. SlashNext 
18. In 2022, the associated dollar loss of phishing was $52 million. FBI 
19. 62% of organizations use a security awareness training program to reduce the likelihood of a successful phishing attack. Arctic Wolf 
20. Phishing is the second most common cause of a breach and the costliest, with an average $4.91 million in breach costs. IBM
21. Most imitated brands in phishing attacks in 2021: ZscalerandBarracuda
    -Microsoft
    -WeTransfer
    -DHL
    -Google
    -eFax
    -DocuSign
    -USPS
    -Dropbox
    -Xerox
    -Facebook
    -Amazon
    -OneDrive
    -PayPal
    -Roblox
    -WhatsApp
    -Microsoft 365
    -Adobe
    -Fidelity

Business Email Compromise statistics

1. 1 in 10 social engineering attacks are business email compromise (BEC) attacks. Barracuda 
2. 77% of BEC attacks target employees outside of finance and executive roles. 1 in 5 BEC attacks target sales employees. Barracuda 
3. Business email compromise (BEC) attacks made up 10% of all social engineering attacks in 2021. Barracuda 
4. Business email compromise (BEC) attacks account for 6% of all breaches with an average cost of $4.89 million. IBM

Data breach statistics

1. As of 2022, the average cost of a data breach in the United States was $9.44 million, up from $9.05 million in 2021. The global average cost per data breach was $4.35 million in 2022. Statista
2. 80% of breaches are believed to be caused by external threats. Verizon
3. 20% of confirmed data breaches involve social engineering. Verizon
4. 82% of breaches involve a human element. Verizon
5. 83% of organizations have experienced more than one data breach. IBM 
6. Breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at organizations with no security AI and automation deployed — a 65.2% difference in average breach cost. Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach. IBM 
7. Stolen or compromised login credentials are the most common cause of a data breach, acting as the primary attack vector in 19% of all data breaches in 2022. IBM 
8. 90% of cyberattacks target an organization’s employees. Arctic Wolf
9. The average organization is targeted by over 700 social engineering attacks a year. Barracuda 
10. 89% of social engineering attacks were motivated by financial gain, 11% by espionage. Verizon
11. Pretexting constitutes 27% of social engineering breaches. Verizon
12. 2021 saw a 7% increase in reported data breaches, with potential losses exceeding $6.9 billion. Ransomware and business e-mail compromise (BC) schemes were among the top complaints reported to the FBI. FBI

Guarding against an invisible threat: How to prevent social engineering attacks

Unlike other types of cybersecurity threats that exploit system vulnerabilities, social engineering targets the most unpredictable element in an organization – the human factor. That’s why awareness and education are your first and best lines of defense. By understanding social engineering attacks, their phases, and the common types, your team is already better prepared to recognize and counteract these cyber threats before they can impact your organization.

1. Create a culture of security awareness

Developing a robust cybersecurity framework begins by nurturing a culture of security awareness. This isn't a task that should be left solely to your IT department, it's a collective responsibility. Everyone in your organization must understand the threats they face and their role in preventing them.

Security awareness training should be a regular part of the onboarding process for new hires and should continue throughout an employee's tenure. This training should also evolve to match the sophistication of social engineering tactics. Remember, a chain is only as strong as its weakest link.

2. Learn to recognize social engineering tactics

Your employees should be familiar with the tactics that social engineers employ. Here are some key measures:

• Check email addresses: Hackers often impersonate trusted sources. Always verify the sender's email address. For instance, 'support@micros0ft.com' might appear legitimate at first glance, but notice the number '0' replacing the letter 'o'.
• Don’t click on suspicious links: Hover over links to display the actual URL before clicking. Beware of URLs that do not match the supposed destination or that are unnecessarily long with random characters.
• Watch for commonly used subject lines: Phrases like "Password Reset Required Immediately," "Your Account Has Been Suspended," and "Unauthorised Login Attempt" are commonly used to spark urgency and fear.
• Contact the sender directly: If an email or message seems suspicious, contact the sender directly using known contact information, not the details provided in the suspicious communication.

3. Conduct regular phishing testing

Phishing testing is a proactive approach to strengthen your organization's defense. Regularly conducting simulated phishing campaigns can help assess your team's response and identify areas that need improvement. This approach also helps employees understand the importance of security protocols and allows them to apply their training in a safe environment.

4. Complete regular patching and security updates

Regardless of how security-aware your employees are, outdated software, hardware, and applications can provide an easy way in for hackers. Regular patching and security updates are crucial to fix known vulnerabilities and keep your systems secure. Consider automated patch management systems to streamline this process.

5. Implement continuous monitoring

Continuous monitoring is a crucial step in detecting and responding to security incidents promptly. Analyzing website traffic and activity for anomalies can help spot unusual behavior that may indicate a social engineering attempt. Using machine learning and AI, modern security systems can detect patterns and provide real-time alerts for suspicious activity.

Social engineering is a significant threat that requires a strategic response. By fostering a culture of security awareness, regularly training employees, conducting phishing testing, keeping all systems updated, and continuously monitoring for suspicious activity, organizations can effectively guard against malicious attacks.

Protect against social engineers and cybercriminals with Secureframe Train

Our security and compliance automation platform includes proprietary security awareness training, making it easy to assign, track, and report on required employee training. Our engaging training programs are kept up-to-date, so the latest best practices are learned and applied throughout your organization. You can also segment your workforce and assign just the training required for each group or role.

Learn more about Secureframe Training, or schedule a demo with a product expert.