
60+ Social Engineering Statistics [Updated 2025]

  • December 31, 2024
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

In the world of cybersecurity, the greatest threat isn't always a rogue piece of code or a system bug. It’s something much harder to remediate – the human element. 

Unlike traditional cyber threats that seek to exploit system vulnerabilities, social engineering attacks bypass technical defenses by manipulating people into revealing confidential information or making security mistakes. 

That's why understanding social engineering is so vital. It's not just about implementing the latest security controls; it's about recognizing the human vulnerabilities within our organizations and learning how to fortify them.

So let's delve deeper into the world of social engineering, understand the extent of the threat it poses with the latest social engineering statistics, and explore how organizations can guard against this formidable threat.

What are social engineering attacks?

Social engineering is a method used by cybercriminals that involves tricking people into sharing confidential information such as passwords and credit card numbers, or into granting access to systems on which the attacker can then install malicious software. Instead of breaking into a system directly, social engineers manipulate people into making security mistakes or giving away sensitive information.

The trust we place in others, our desire to be helpful, and even our fears are all vulnerabilities that cybercriminals eagerly exploit. They don't need advanced hacking skills if they can simply trick an employee into clicking a malicious link or revealing a password.

Social engineering is among the most common types of cyberattacks used by bad actors to exploit an organization — and attacks are growing more sophisticated. Social engineers are using increasingly personalized tactics to gain trust and avoid suspicion. Voice cloning and deepfake technology make it possible for threat actors to impersonate their targets in even more convincing ways. In one high-profile instance, the AI-created voice of a bank director was used to trick a bank manager into transferring $35 million to threat actors.

Social engineering attacks are an especially dangerous threat to organizations specifically because of the human element. Mistakes made by legitimate users are more difficult to detect, predict, and remediate. In many cases, victims don’t even realize they’ve been tricked.

Most common types of social engineering attacks

  1. Ransomware attacks: Malicious software encrypts a victim's files, making them inaccessible until a ransom is paid. Ransomware is the payload rather than the trick itself, but it is most often delivered through phishing email, which is why it belongs on this list.
  2. Phishing attacks: Generic emails are sent to large numbers of people, tricking them into revealing sensitive information.
  3. Spear phishing: Phishing scams tailored to specific individuals, often using personal information to appear more legitimate.
  4. CEO fraud/Whaling: High-ranking executives are impersonated to trick employees into performing actions like transferring funds.
  5. Business Email Compromise (BEC): Similar to CEO fraud, but the request comes from a legitimate business email account the attacker has taken over (or a convincing spoof of one), so the message passes the usual sender checks and looks entirely routine.
  6. Smishing: Phishing via SMS. The attacker sends a text message prompting the recipient to reveal sensitive information or click a malicious link.
  7. Vishing: Voice phishing, where the attacker impersonates a trusted entity over a phone call.
  8. Baiting: The attacker leaves a physical device, like a USB stick loaded with malware, in a place where the target will find it.
  9. Piggybacking/Tailgating: The attacker gains physical access to a restricted area by following someone who is authorized to be there.
  10. Pretexting: The attacker fabricates a believable scenario (or pretext) to steal the victim's personal information.
  11. Quid Pro Quo/Tech support scams: The attacker offers a service or benefit in exchange for information or access.
  12. Scareware: Fake alerts claiming the victim's device is infected pressure them into installing bogus "cleanup" software, which is the actual malware, or paying for a worthless fix.
  13. Watering hole attacks: The attacker infects websites that their target is known to visit with the intent of compromising the target's device.

Recommended reading

The 13 Most Common Types of Social Engineering Attacks + How to Defend Against Them

Social engineering statistics for 2025

We combed through data reports by trusted authorities like the FBI, Verizon, IBM, Kaspersky, and many more to find the latest must-know social engineering statistics. 

Malware and ransomware statistics 

1. 59% of organizations globally experienced a ransomware attack in 2024. (Statista)

2. Ransomware payments surged to a record high of $460 million in the first half of 2024. (Chainalysis)

3. 2024 saw the largest ransomware payment ever recorded — approximately $75 million paid to the Dark Angels ransomware group. (Chainalysis)

4. The median loss associated with ransomware and other extortion breaches was $46,000 in 2024. (Verizon)

5. The median ransom payment jumped from just under $200,000 in early 2023 to $1.5 million in mid-June 2024. (Chainalysis)

6. After experiencing a ransomware attack, roughly 46% of organizations worldwide paid a ransom to get their encrypted data back. (Statista)

7. 97% of companies were able to retrieve their data after a ransomware attack in 2023, with 70% relying on data backups. (Statista)

8. Roughly one-third of breaches (32%) in 2024 involved ransomware or another extortion technique. (Verizon)

9. 16.3% of ransomware victims paid the ransom to recover their data in 2024, compared to just 6.9% in 2023. (HornetSecurity)

10. 14% of ransomware victims reported their backup storage was also affected during the attack, either encrypted or rendered inaccessible. (HornetSecurity)

11. Over half of all ransomware incidents in 2024 originated from email and phishing attacks. (HornetSecurity)

12. Small organizations remain the most vulnerable to ransomware, with 55.8% of attacks targeting companies with 1-50 employees. (HornetSecurity)

13. Of the small businesses that were targeted by ransomware, 1 in 5 ended up paying the ransom to recover their data. Among those who did, 60% paid between $10,000 and $100,000 in ransom. (HornetSecurity)

14. Nearly 1 in 10 organizations do not know how their systems were infiltrated by ransomware, and 1 in 3 ransomware victims are unaware if any data was exfiltrated. (HornetSecurity)

15. 81% of organizations say they train their employees to recognize and flag potential ransomware attacks. (HornetSecurity)

16. 67% of IT professionals say the rise of generative AI has increased their fear of being targeted by a ransomware attack. (HornetSecurity)

17. 55% of organizations have purchased ransomware insurance policies. (HornetSecurity)

18. 40% of ransomware incidents involve the use of desktop sharing software and 35% involve the use of email. (Verizon)

19. Ransomware is currently considered the top cybersecurity concern for organizations, with over half of surveyed companies ranking it as their primary threat in 2024. (Arctic Wolf)

20. The healthcare, financial services, and information technology sectors are the most likely sectors to experience a ransomware attack. (FBI)

21. Ransomware breaches take an average of 326 days to identify and contain — 49 days longer than the average data breach. (IBM)

22. The average cost of a ransomware attack — not including the cost of the ransom itself — is $4.54 million. (IBM)

23. The average cost of a ransomware breach is 13.1% higher for organizations that don’t pay the ransom. (IBM)

24. Email is the most common malware delivery method. (Verizon)

25. 450,000 new pieces of malware are registered by the AV-Test Institute every day. (AV-Test)

26. Experts estimate a ransomware attack on businesses occurs every 11 seconds. (Cybercrime Magazine)

Phishing statistics

27. 94% of businesses are reported to have experienced a phishing attack in 2024, with most of them experiencing negative impacts from these attacks. (Egress)

28. The median time for users to fall for phishing emails is less than 60 seconds. (Verizon)

29. The median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data. (Verizon)

30. Phishing and pretexting via email account for 73% of breaches in Verizon's Social Engineering pattern. (Verizon)

31. An average 2.9% of employees click on phishing emails. (Verizon)

32. Phishing schemes were the number one crime type with 300,497 complaints. (FBI)

33. The average CEO receives 57 targeted phishing attacks every year. (Barracuda)

34. 43% of phishing attacks impersonate Microsoft brands. (Barracuda)

35. IT staff receive an average of 40 targeted phishing attacks every year. (Barracuda)

36. 95% of successful network intrusions rely on spear phishing techniques. (Security Intelligence)

37. Phishing impersonation attacks, where attackers pose as emails from a well-known brand or service to trick victims into clicking on a phishing link, make up 49% of all socially engineered threats. (Barracuda)

38. Only half of employees are able to correctly define spear phishing. (Proofpoint)

39. 62% of organizations use a security awareness training program to reduce the likelihood of a successful phishing attack. (Arctic Wolf)

40. Phishing is the second most common cause of a breach and the costliest, with an average $4.91 million in breach costs. (IBM)

41. Most imitated brands in phishing attacks, per Zscaler and Barracuda:
  • Microsoft
  • WeTransfer
  • DHL
  • Google
  • eFax
  • DocuSign
  • USPS
  • Dropbox
  • Xerox
  • Facebook
  • Amazon
  • OneDrive
  • PayPal
  • Roblox
  • WhatsApp
  • Microsoft 365
  • Adobe
  • Fidelity

Business email compromise statistics

42. Business Email Compromise (BEC) accounts for 24-25% of financially motivated attacks.  (Verizon)

43. 1 in 10 social engineering attacks are business email compromise (BEC) attacks. (Barracuda)

44. 77% of BEC attacks target employees outside of finance and executive roles. 1 in 5 BEC attacks target sales employees. (Barracuda)

45. Business email compromise (BEC) attacks account for 6% of all breaches with an average cost of $4.89 million. (IBM)

Data breach statistics

46. 68% of data breaches in 2024 involved a non-malicious human element, such as an employee making an error or falling for a social engineering scam. (Verizon)

47. The average cost of a data breach reached an all-time high in 2024 of $4.88 million, a 10% increase from 2023. (IBM)

48. Cyberattacks using stolen or compromised credentials increased 71% year-over-year. (IBM X-Force)

49. 61% of organizations use some level of security AI and automation. (IBM)

50. 80% of breaches are believed to be caused by external threats. (Verizon)

51. 98% of cyberattacks rely on social engineering. (Purplesec)

52. The average business faces over 700 social engineering attacks each year. (Barracuda)

53. The average cost of a social engineering attack was $130,000 in 2024. (CRC Group)

54. 20% of confirmed data breaches involve social engineering. (Verizon)

55. More than 70% of employees admit to risky behavior that leaves their organizations vulnerable. (Proofpoint)

56. 83% of organizations have experienced more than one data breach. (IBM)

57. Breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at organizations with no security AI and automation deployed — a 65.2% difference in average breach cost. Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach. (IBM)

58. 90% of cyberattacks target an organization’s employees. (Arctic Wolf)

59. The average organization is targeted by over 700 social engineering attacks a year. (Barracuda)

60. 89% of social engineering attacks were motivated by financial gain, 11% by espionage. (Verizon)

61. Pretexting constitutes 27% of social engineering breaches. (Verizon)

Guarding against an invisible threat: How to prevent social engineering attacks

Unlike other types of cybersecurity threats that exploit system vulnerabilities, social engineering targets the most unpredictable element in an organization – the human factor. That’s why awareness and education are your first and best lines of defense. By understanding social engineering attacks, their phases, and the common types, your team is already better prepared to recognize and counteract these cyber threats before they can impact your organization.

1. Create a culture of security awareness

Developing a robust cybersecurity framework begins by nurturing a culture of security awareness. This isn't a task that should be left solely to your IT department, it's a collective responsibility. Everyone in your organization must understand the threats they face and their role in preventing them.

Security awareness training should be a regular part of the onboarding process for new hires and should continue throughout an employee's tenure. This training should also evolve to match the sophistication of social engineering tactics. Remember, a chain is only as strong as its weakest link.

2. Learn to recognize social engineering tactics

Your employees should be familiar with the tactics that social engineers employ. Here are some key measures:

  • Check email addresses: Attackers routinely impersonate trusted sources. Verify the full sender address, not just the display name, which a sender can set to anything. For instance, 'support@micros0ft.com' might appear legitimate at first glance, but notice the number '0' replacing the letter 'o'. Be equally wary when the Reply-To address points to a different domain than the From address, and remember that unless the sending domain has DMARC enforcement in place, even the From address itself can be spoofed outright.
  • Don't click on suspicious links: Hover over links (or long-press on mobile) to display the actual URL before clicking. Beware of URLs that do not match the supposed destination, that use a lookalike domain, or that are unnecessarily long with random characters. Shortened links hide their destination entirely; when in doubt, type the known address yourself instead of clicking.
  • Watch for commonly used subject lines: Phrases like "Password Reset Required Immediately," "Your Account Has Been Suspended," and "Unauthorised Login Attempt" are commonly used to spark urgency and fear.
  • Contact the sender directly: If an email or message seems suspicious, contact the sender directly using known contact information, not the details provided in the suspicious communication.
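The first two checks above (a lookalike sender domain, a display name that claims a trusted brand, a Reply-To that points elsewhere, and link text that does not match the real destination) are mechanical enough to automate in a mail gateway or a triage script. The following is an added example written for this article, not code from Secureframe or from any of the cited reports. The trusted-domain list, the confusable-character table and the sample message are all constructed for illustration; only the Python standard library is used.

```python
"""Flag sender and link red flags in a raw email message (added example).

Assumptions (not from the original post): TRUSTED_DOMAINS, CONFUSABLES and
SAMPLE_PHISH are illustrative values constructed for this example.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization treats as legitimate senders (illustrative).
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}

# Characters and digraphs attackers substitute for visually similar ones:
# ASCII tricks (micros0ft, rnicrosoft) plus a few Cyrillic homoglyphs.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x"}


def normalize_domain(domain):
    """Fold a domain to the ASCII domain it is designed to resemble."""
    try:  # punycode (xn--) labels are decoded so IDN homographs get folded too
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as-is
    domain = domain.lower()
    # Longest substitutions first, so "rn" is folded before "n" could be touched.
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        domain = domain.replace(bad, good)
    return domain


def _is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_domain(domain):
    """Return 'trusted', 'lookalike' (resembles a trusted domain) or 'unknown'."""
    domain = domain.lower()
    if _is_trusted(domain):
        return "trusted"
    if _is_trusted(normalize_domain(domain)):
        return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    verdict = classify_domain(from_domain)
    if verdict == "lookalike":
        findings.append(f"sender domain {from_domain} resembles {normalize_domain(from_domain)}")
    # Display name invokes a trusted brand while the address is not trusted.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if verdict != "trusted" and any(b in display.lower() for b in brands):
        findings.append(f"display name '{display}' claims a trusted brand but address is {addr}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            # Does the visible link text look like a URL or domain? If so, compare hosts.
            shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
            if shown and shown.group(1) != href_host:
                findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
            if classify_domain(href_host) == "lookalike":
                findings.append(f"link host {href_host} resembles {normalize_domain(href_host)}")
    return findings


# Constructed sample phish exhibiting every red flag checked above.
SAMPLE_PHISH = b"""\
From: "Microsoft Account Team" <security@micros0ft.com>
Reply-To: helpdesk@mail-recovery.example
To: alice@example-bank.com
Subject: Unauthorised Login Attempt
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected an unauthorised login. Verify within 24 hours:</p>
<p><a href="https://login.rnicrosoft.com/reset?id=123">https://login.microsoft.com/reset</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in analyze_message(SAMPLE_PHISH):
        print("FLAG:", flag)
```

Run stand-alone, the script reports five flags for the constructed message: the `0`-for-`o` sender domain, the Microsoft display name on a non-Microsoft address, the mismatched Reply-To, link text that shows `login.microsoft.com` while the href goes to `login.rnicrosoft.com`, and that `rn`-for-`m` host itself. The confusable table is deliberately small and will produce the occasional false positive (a legitimate domain containing a digit), which is the right trade-off for a triage aid that hands the message to a human rather than blocking it; a production gateway would add DMARC results and a proper registrable-domain (public suffix) comparison.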

3. Conduct regular phishing testing

Phishing testing is a proactive approach to strengthen your organization's defense. Regularly conducting simulated phishing campaigns can help assess your team's response and identify areas that need improvement. This approach also helps employees understand the importance of security protocols and allows them to apply their training in a safe environment.

4. Complete regular patching and security updates

Regardless of how security-aware your employees are, outdated software, hardware, and applications can provide an easy way in for hackers. Regular patching and security updates are crucial to fix known vulnerabilities and keep your systems secure. Consider automated patch management systems to streamline this process.

5. Implement continuous monitoring

Continuous monitoring is a crucial step in detecting and responding to security incidents promptly. A successful social engineering attack rarely leaves a malware signature, so watch for the behavior that follows the trick: a login from an unfamiliar location or device shortly after a password reset, a newly created mailbox forwarding rule, a sudden change to a supplier's bank details, or outbound traffic to a newly registered domain. Using machine learning and AI, modern security tools can baseline normal activity and provide real-time alerts when it deviates.

Social engineering is a significant threat that requires a strategic response. By fostering a culture of security awareness, regularly training employees, conducting phishing testing, keeping all systems updated, and continuously monitoring for suspicious activity, organizations can effectively guard against malicious attacks.

Protect against social engineers and cybercriminals with Secureframe Train

Our security and compliance automation platform includes proprietary security awareness training, making it easy to assign, track, and report on required employee training. Our engaging training programs are kept up-to-date, so the latest best practices are learned and applied throughout your organization. You can also segment your workforce and assign just the training required for each group or role.

Learn more about Secureframe Training, or schedule a demo with a product expert. 


FAQs

What percentage of attacks are social engineering?

Estimates vary with how broadly "social engineering" is defined. Commonly cited figures put it at roughly 70-90% of cyberattacks, and some sources (such as the Purplesec figure above) go as high as 98%. Phishing is the most prevalent method in every estimate.

What are the most common social engineering attacks?

The most common social engineering attacks include phishing, spear phishing, pretexting, baiting, and tailgating.

Which category of social engineering is the most common?

Phishing is the most common category, as it is widely used to trick individuals into providing sensitive information or downloading malware.

Is social engineering increasing?

Yes, social engineering attacks are increasing, fueled by the widespread use of digital communication platforms and attackers' evolving tactics.

What is the best defense against social engineering attacks?

The best defense combines employee training with technical controls: multi-factor authentication (preferably a phishing-resistant method such as FIDO2 security keys, since one-time codes can themselves be phished), email filtering tools, and clear verification procedures for any request involving payments or credentials.

How much money is lost due to social engineering?

The average cost of a social engineering attack is $130,000.

Emily Bonnie

Senior Content Marketing Manager

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.