30 Social Engineering Statistics – 2023

98% of all cyber attacks rely on some form of social engineering. This broad category includes any attack that uses deception or manipulation to trick its target, such as phishing or baiting.

In this article, we’ll dig into 30 key social engineering statistics. Read on.

1. 98% of Cyber Attacks Involve Some Form of Social Engineering

In the broad world of cyber attacks, 98% involve social engineering on some level. It could involve masquerading as a trusted contact to encourage an employee to click a malicious link or open a malicious email, pretending to be a reliable banking institution to capture login credentials, or similar activities designed to gain entry into target systems.

Once trust is established – which is the social engineering part of the equation – other attacks can occur. Whether it be the distribution of malware, identity theft, or anything else, social engineering was essentially the gateway.

[Source: Purplesec]

2. Up to 90% of Malicious Data Breaches Involve Social Engineering

On the data breach front, social engineering is a popular approach for gaining access to target systems. In some cases, it’s easier to trick an employee into handing over sensitive information – leading to system access – than it is to gain entry through brute force. As a result, between 70 and 90% of data breaches involve social engineering.

[Source: KnowBe4]

3. 84% of Organizations Fell Victim to a Phishing Attack in 2022

In 2022, approximately 84% of organizations in the United States fell victim to at least one email phishing attack.

[Source: Proof Point]

4. The Average Organization Is Targeted by 700+ Social Engineering Attacks Annually

In a given year, organizations face an astonishing 700+ social engineering attacks. Considering there are around 260 workdays annually, that means facing off against about 2.7 per day.

[Source: ZD Net]

5. Social Engineering Attacks Cost Companies $130,000 On Average

Social engineering attacks are costly, even if they don’t lead to broader data breaches. On average, companies lose $130,000 through money theft or destroyed data. In cases where social engineering leads to a major data breach, the totals can reach hundreds of thousands, if not millions of dollars.

[Source: Security Info Watch]

6. 36% of All Data Breaches Involve Phishing

Phishing remains one of the most popular social engineering techniques; one study identified that phishing attacks were involved in 36% of all data breaches. For more information, see our full guide to phishing statistics.

[Source: Verizon]

7. Men Are 225% More Likely to Fall for Phishing Attacks Than Women

Data shows that men are far more likely to fall victim to phishing attacks than women. Overall, when asked to provide credentials through a phishing attack, men did so 4.05% of the time on average. However, women only engaged by providing credentials 1.80% of the time. Overall, men were 225% more likely to fall for the phishing attack and provide credentials than women.

[Source: KnowBe4]

8. Facebook Is the Most Impersonated Website, Representing 18% of Phishing URLs

Since trust and familiarity are critical for social engineering and phishing attacks, attackers often mimic brands that easily qualify as household names. As of mid-2023, 18% of phishing pages impersonated Facebook. Microsoft – which led the way in 2020 – came in a bit behind at 15%.

[Source: Vade]

9. Amazon is the Most Impersonated in Emails

On the phishing email front, Amazon is the clear winner. The company is impersonated in 17.7% of all email phishing attempts, putting it a bit ahead of second-place DHL, with 16.5%, and well above third-place eSign (by DocuSign) with 12.7%.

[Source: Tech Radar]

10. In 86% of Organizations, at Least One Person Has Clicked a Phishing Link

While most companies hope that their employees can spot the signs of social engineering, it’s often far harder than many people expect. Overall, at least one person has clicked a phishing link in 86% of organizations. While not all of them provided information or took actions that led to a breach, it shows just how often people are duped into at least taking the initial step.

[Source: CISCO]

11. 12% of External Malicious Actors Use Phishing to Gain Entry

External malicious actors may use a variety of techniques to gain entry into a company’s systems. While stolen credentials are one of the most common at 49% (and social engineering can play a role in their acquisition), phishing is also a popular strategy for securing entry. Overall, 12% of external malicious actors leverage phishing as a means of gaining access to an organization’s systems.

[Source: Verizon]

12. Small Business Employees Are Subject to 350% More Social Engineering Attacks Than Enterprises

Small businesses are a prime target for many malicious actors. Social engineering attacks are a particularly popular way to gain entry, and small business employees experience 350% more social engineering attacks compared to employees at enterprise-level companies.

[Source: River City Bank]

13. 50% of Social Engineering Attacks Are Pretexting Incidents

Pretexting incidents are a type of social engineering where malicious actors fabricate a scenario, such as posing as a known party and outlining a situation that justifies the request for sensitive information. Among social engineering attacks, 50% are classified as pretexting incidents.

[Source: Verizon]

14. CEOs are Targeted by Phishing Attacks 57 Times Per Year on Average

Since CEOs typically have full access to company data and systems – and they’re often easy to identify within the organizational structure – they’re a common focus of social engineering attacks. On average, CEOs are targeted 57 times annually, which breaks down to a little more than once per week.

[Source: ZD Net]

15. Google Delisted Over 2.1 Million Phishing Sites in 2020

Over the course of 2020, Google delisted more than 2.1 million sites due to suspected phishing. Comparatively, only 27,000 were delisted due to suspected malware.

[Source: Google]

16. 84% of Phishing Sites Have SSL Certificates

Typically, an SSL certificate – which results in an “https” instead of an “http” in front of the URL – is considered a sign of safety. However, that isn’t inherently the case: a certificate only proves the site operator controls the domain, not that the domain is legitimate. In total, around 84% of phishing sites examined during Q4 2020 had SSL certificates.

[Source: APWG]

17. 86% of Organizations Faced Bulk Phishing in 2021

Bulk phishing – the process of sending the same email en masse to employees of an organization – became more prevalent in 2021, with 86% of organizations experiencing that form of attack. In comparison, just 77% of companies encountered the same approach in 2020.

[Source: Proof Point]

18. IT Pros Are Targeted 40 Times Annually on Average

IT staffers are another popular focus, in part because they typically have more access privileges than other employees. Overall, IT pros are targeted 40 times each year, which works out to a bit more than three times per month.

[Source: ZD Net]

19. 69% of Public Administration Breaches Involve Social Engineering

Overall, social engineering attacks pose the greatest threat in the public administration sector. Sixty-nine percent of public administration breaches involve social engineering.

[Source: Verizon]

20. 76% of Organizations Faced Smishing Attacks in 2022

Smishing is a phishing attack that relies on text messages instead of email or other communication methods. Like phishing, smishing rose in 2022: 76% of organizations were targeted by this kind of attack that year, slightly higher than the 75% that experienced it in 2021.

[Source: Statista]

21. Social Media Attacks Rise, with 74% of Organizations Targeted by This Strategy in 2021

With an increasing number of companies relying on social media to advertise offerings and engage with customers, social media-based social engineering attacks also rose in 2021. While 61% of companies encountered this strategy in 2020, 74% dealt with it in 2021.

[Source: Proof Point]

22. Only 53% of Employees Can Correctly Define Phishing

In a sign that employee awareness of classic social engineering attack vectors may be lacking, a mere 53% of workers could accurately define phishing as of 2021. That’s a 10-percentage-point decline from the year prior, which should be concerning with remote work being so common.

When asked about smishing, just 23% were able to correctly define it. For vishing, 24% got the right answer.

[Source: Proof Point]

23. 11% of Organizations Hit by a Phishing Attack in 2021 Were Fined

Many organizations are required to follow strict rules regarding data security. While the healthcare and financial industries are the clearest examples, other sectors face stringent regulatory control when it comes to data management, too. As a result, 11% of organizations that were hit by a successful phishing attack also faced regulatory fines or similar financial penalties.

[Source: Proof Point]

24. Just 56% of Companies Provide Security Awareness Training

Knowing how to spot the signs of social engineering can make a big difference, decreasing the likelihood that a person will fall for these attacks. However, just 56% of companies provide employees with security awareness training, and a mere 35% conduct phishing simulations. That leaves many organizations far more vulnerable than they potentially could be if they took this simple step.

[Source: Proof Point]

25. 95% of Enterprise Network Attacks Relied on Spear Phishing to Gain Entry

Spear phishing is a highly targeted form of phishing aimed at particular individuals within a company. Often, the goal is to secure sensitive data – like login credentials – from individuals most likely to have advanced levels of access. This approach is behind 95% of successful enterprise network attacks.

[Source: Security Intelligence]

26. Business Email Compromise Attacks Have Nearly 28% Open Rate

Business email compromise (BEC) attacks are a type of social engineering (specifically spear phishing) attack where a malicious actor masquerades as a trusted company employee or leader or a trusted external partner. Often, the attacker uses techniques like domain spoofing or lookalike domains to trick recipients into believing the message is from a reliable source.

Overall, BEC attacks have median open rates of almost 28%. That’s far higher than the 12% average open rate across all phishing emails and shows how powerful masquerading as a trusted party can be when launching an attack.

[Source: Abnormal Security & F-Secure]
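The domain spoofing and lookalike-domain tricks mentioned above are exactly what a mail gateway or SOC triage script can screen for before a message reaches an inbox. The following is an added example, not code from the article or any of its cited sources. It assumes a constructed allow-list of trusted domains (`TRUSTED_DOMAINS`), a constructed table of common visual substitutions (`HOMOGLYPHS`), and constructed sample sender addresses; it classifies each sender as trusted, lookalike (homoglyph, typosquat, or trusted brand reused as a label of a foreign domain), or unrelated.

```python
"""Lookalike-domain check for inbound sender addresses.

Added example, not code from the page or its sources. TRUSTED_DOMAINS,
HOMOGLYPHS and the sample senders below are constructed for illustration.
"""
import unicodedata

# Constructed allow-list of domains this organization actually trusts.
TRUSTED_DOMAINS = ("example.com", "partner-corp.com")

# Constructed subset of visually confusable substitutions seen in lookalike
# domains; the map is applied before comparing against a trusted name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, fold Unicode compatibility forms, undo common homoglyphs."""
    folded = unicodedata.normalize("NFKC", domain.strip().lower())
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address (the whole string if there is no '@')."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one sender address."""
    dom = sender_domain(address)
    norm = normalize(dom)
    for t in trusted:
        # The exact domain or a real subdomain of it: only its owner can send from these.
        if dom == t or dom.endswith("." + t):
            return "trusted"
    for t in trusted:
        t_norm = normalize(t)
        # Homoglyph substitution (examp1e.com) or a couple of typos (exampel.com).
        if levenshtein(norm, t_norm) <= max_edits:
            return "lookalike"
        # Trusted brand reused as a label of a foreign domain
        # (example.com.evil.net, example-secure.net).
        brand = t_norm.split(".")[0]
        if any(brand in label for label in norm.split(".")):
            return "lookalike"
    return "unrelated"


def triage(addresses):
    """Map each sender address to its verdict."""
    return {addr: classify(addr) for addr in addresses}


if __name__ == "__main__":
    SAMPLE_SENDERS = [  # constructed
        "alice@example.com",
        "ap@mail.example.com",
        "cfo@examp1e.com",
        "ceo@exampel.com",
        "hr@example.com.evil.net",
        "billing@partner-c0rp.com",
        "news@unrelated.org",
    ]
    for addr, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {addr}")
```

The brand-in-label rule deliberately errs toward flagging (a domain such as counterexample.org would be marked lookalike for the trusted name example.com), which is the right trade-off for a triage queue that a human reviews; it is not a substitute for SPF, DKIM and DMARC checks on the message itself.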

27. 15% of Read Emails Associated with BEC Attacks Are Replied to by Employees

BEC attack messages can be quite convincing, and a surprising number of BEC attack emails receive replies from the recipient. Overall, 15% of the opened BEC attack emails managed to get a response from the targeted employee.

[Source: Abnormal Security]

28. 78% of Replies to BEC Attacks Come from Entry-Level Sales Professionals

Among employees who read and reply to BEC attacks, entry-level sales professionals are the most likely to engage. Overall, 78% of reads and replies to BEC attacks originate from entry-level sales staff members.

[Source: Abnormal Security]

29. 36% of BEC Email Replies Come from Employees Who’ve Previously Engaged with an Attack

Among BEC attack email replies, 36% of the responses were initiated by employees who previously engaged with an attack, showing there’s a high risk of re-engagement after an incident.

[Source: Abnormal Security]

30. 64% of Identity Management Experts Failed to Identify Best Practices to Reduce Phishing

In a survey, professionals who self-identified as identity management experts proved ill-equipped when it came to reducing phishing attacks. Overall, 64% of them failed to select the correct common best practices – such as two-factor authentication – for reducing phishing when responding to a multiple-choice survey.

[Source: Silicon Angle]

About the Author

Catherine Reed

Catherine Reed is a writer and researcher with experience writing about a wide variety of topics including personal finance, technology, and staffing.