21 Social Engineering Statistics – 2022

Social engineering attacks rely not on hacking computer systems, but on manipulating people. Yet social engineering methods play a part in millions of cyberattacks. In this article, we dig into 21 key social engineering statistics. Read on.

1. 98% of Cyber Attacks Involve Some Form of Social Engineering

In the broad world of cyber attacks, 98% involve social engineering on some level. It could be masquerading as a trusted contact to get an employee to click a malicious link in an email, posing as a reputable bank to capture login credentials, or similar tactics designed to gain entry into target systems.

Once trust is established – which is the social engineering part of the equation – other attacks can occur. Whether it be the distribution of malware, identity theft, or anything else, social engineering was essentially the gateway.

[Source: Purplesec]

2. The Average Organization Is Targeted by 700+ Social Engineering Attacks Annually

Organizations face an astonishing 700+ social engineering attacks every year. With around 260 workdays annually, that works out to about 2.7 attacks per workday.

[Source: ZD Net]

3. Up to 90% of Malicious Data Breaches Involve Social Engineering

On the data breach front, social engineering is a popular approach for gaining access to target systems. It is often easier to trick an employee into handing over sensitive information, such as credentials that grant system access, than it is to break in technically by exploiting a vulnerability or brute-forcing a login. Between 70 and 90% of data breaches involve social engineering.

[Source: KnowBe4]

4. 25% of All Data Breaches Involve Phishing

A form of social engineering, phishing relies on emails or malicious sites to solicit sensitive information from a target. Typically, the attacker masquerades as a trusted contact or entity, hoping to convince someone to hand over data like login credentials.

Within the data breach landscape, phishing is involved 25% of the time. For more information, see our full guide to phishing statistics.

[Source: Verizon]

5. In the United States, 83% of Organizations Fell Victim to a Phishing Attack in 2021

In 2021, approximately 83% of organizations in the United States fell victim to at least one email phishing attack. That’s a 46% increase over 2020.

[Source: Proof Point]

6. Facebook Is the Most Impersonated Website, Representing 14% of Phishing Pages

Since trust and familiarity are critical for social engineering and phishing attacks, attackers often mimic brands that easily qualify as household names. In 2021, 14% of phishing pages impersonated Facebook. Microsoft – which led the way in 2020 – came in a bit behind at 13%.

[Source: PR Newswire]

7. Yet Amazon Is the Most Impersonated Brand in Emails, Representing 17.7% of Phishing Emails

On the phishing email front, Amazon is the clear leader. The company is impersonated in 17.7% of all email phishing attempts, a bit ahead of second-place DHL at 16.5% and well above third-place eSign (by DocuSign) at 12.7%.

[Source: Tech Radar]

8. On Average, Social Engineering Attacks Cost Companies $130,000 Through Money Theft or Data Destruction

Social engineering attacks are costly, even if they don’t lead to broader data breaches. On average, companies lose $130,000 through money theft or destroyed data.

It is important to note that social engineering can lead to broader breaches. In those cases, the totals can reach hundreds of thousands, if not millions of dollars.

[Source: Security Info Watch]

9. CEOs are Targeted by Phishing Attacks 57 Times Per Year on Average

Since CEOs typically have broad access to company data and systems, and they are easy to identify within the organizational structure, they are a common focus of social engineering attacks. On average, CEOs are targeted 57 times annually, which breaks down to a little more than once per week.

[Source: ZD Net]

10. IT Pros Are Targeted 40 Times Annually on Average

IT staffers are another popular focus, also because they typically have more access privileges than other employees. Overall, IT pros are targeted 40 times each year, which works out to a bit more than three times per month.

[Source: ZD Net]

11. 95% of Successful Enterprise Network Attacks Relied on Spear Phishing to Gain Entry

Spear phishing is a highly targeted form of phishing aimed at particular individuals within a company. Often, the goal is to secure sensitive data – like login credentials – from individuals most likely to have advanced levels of access. This approach is behind 95% of successful enterprise network attacks.

[Source: Security Intelligence]

12. 69% of Public Administration Breaches Involve Social Engineering

Overall, social engineering attacks pose the greatest threat in the public administration sector. Sixty-nine percent of public administration breaches involve social engineering.

[Source: Verizon]

13. Google Delisted Over 2.1 Million Phishing Sites in 2020

Over the course of 2020, Google delisted more than 2.1 million sites due to suspected phishing. Comparatively, only 27,000 were delisted due to suspected malware.

[Source: Google]

14. 84% of Phishing Sites Have SSL Certificates

An SSL certificate (strictly a TLS certificate, though the older name persists), which produces the padlock and the “https” instead of “http” in front of the URL, is commonly taken as a sign of safety. That isn’t the case: the certificate proves only that the connection is encrypted and that whoever runs the site controls that hostname, not that the operator is honest. Domain-validated certificates are issued automatically and for free, so a phishing site obtains one as easily as a legitimate site does. In total, around 84% of phishing sites examined during Q4 2020 had SSL certificates.

[Source: APWG]
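Because the padlock tells an analyst nothing about who runs a page, the useful check on a suspicious URL is whether the hostname is a lookalike of a brand (the Facebook and Amazon impersonation figures in items 6 and 7 above) rather than whether it uses https. The following is an added example written for this article, not code from the article or from any vendor tool. The brand allowlist, the small suffix table standing in for the Public Suffix List, and the confusable-character map are assumptions for the demo; a real deployment would load the organization's own lists.

```python
"""Phishing URL triage that does not treat "https" as a trust signal.

Added example for this article, not code from the article or any vendor.
Assumptions: BRANDS, TWO_PART_SUFFIXES and the confusable maps below are
stand-ins for the organization's own allowlist and the Public Suffix List.
"""
from urllib.parse import urlsplit

# Brands users are expected to log into, mapped to their legitimate registrable
# domains (assumed allowlist; extend with the organization's own data).
BRANDS = {
    "facebook": {"facebook.com", "fb.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "docusign": {"docusign.com", "docusign.net"},
    "dhl": {"dhl.com"},
}

# Stand-in for the Public Suffix List: suffixes under which the registrable
# domain has three labels (e.g. amazon.co.uk).
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Character substitutions commonly used in typosquat / homoglyph domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def normalize(label):
    """Undo visual substitutions so 'faceb00k' and 'rnicrosoft' compare as the brand."""
    for seq, repl in MULTI_CONFUSABLES.items():
        label = label.replace(seq, repl)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a, b):
    """Edit distance; catches one-character typosquats such as 'amzon'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Registrable domain of a hostname using the tiny suffix table above."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(host):
    """Return the brand a hostname impersonates, or None if the registrable
    domain is allowlisted or no brand reference is found."""
    host = host.lower().rstrip(".")
    if any(registrable_domain(host) in legit for legit in BRANDS.values()):
        return None  # the real thing: registrable domain is on the allowlist
    for label in host.split("."):
        n = normalize(label)
        for brand in BRANDS:
            # brand embedded in a label: facebook.com.login-verify.net,
            # faceb00k-security.com
            if brand in n:
                return brand
            # one-edit typosquat of the brand itself (skip very short brand names)
            if len(brand) >= 5 and levenshtein(n, brand) <= 1:
                return brand
    return None


def triage(url):
    """Classify a URL seen in a suspected phishing message."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    brand = impersonated_brand(host)
    return {
        "host": host,
        # Recorded for the analyst but deliberately NOT used in the verdict:
        # a TLS certificate says nothing about who operates the site.
        "https": parts.scheme == "https",
        "impersonates": brand,
        "verdict": "suspicious" if brand else "no brand impersonation detected",
    }


if __name__ == "__main__":
    for u in ["https://www.facebook.com/login", "https://facebook.com.secure-login.net/",
              "https://faceb00k-security.com/", "http://rnicrosoft.com/", "https://amzon.co.uk/"]:
        print(triage(u))
```

The verdict depends only on the hostname; an https lookalike such as facebook.com.secure-login.net is flagged exactly as its http twin would be. The allowlist must be complete for the brands in use, otherwise legitimate subdomains of a brand's secondary domains show up as false positives.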

15. 86% of Organizations Faced Bulk Phishing in 2021

Bulk phishing, the practice of sending the same email en masse to employees of an organization, became more prevalent in 2021, with 86% of organizations experiencing that form of attack. In comparison, 77% of companies encountered it in 2020.

[Source: Proof Point]
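The defining trait of bulk phishing, one template landing in many inboxes in a short time, is also what makes it detectable at the mail gateway. The following is an added example written for this article, not code from the article, Proofpoint or any other vendor. It assumes a made-up log format of one JSON object per line with the fields ts, from, to, subject and body, an organization domain of corp.example, and a threshold and time window that are starting points to tune; the sample log lines are constructed for the demo.

```python
"""Bulk-phishing detection over a mail gateway log.

Added example for this article, not code from the article or any vendor.
Assumptions: one JSON object per log line with ts/from/to/subject/body
(made-up format), INTERNAL_DOMAIN is the organization's own mail domain,
and THRESHOLD / WINDOW are tuning starting points.
"""
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"   # assumed organization domain
THRESHOLD = 5                      # distinct internal recipients of one template
WINDOW = timedelta(hours=1)


def fingerprint(subject, body):
    """Hash of the message template with per-recipient variation removed.

    Phishing kits usually personalise only the tracking URL and a few numbers,
    so masking URLs, addresses and digits makes the copies collide.
    """
    text = (subject + "\n" + body).lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"[\w.+-]+@[\w.-]+", "<email>", text)
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def detect_bulk(log_lines, threshold=THRESHOLD, window=WINDOW):
    """One alert per (external sender domain, template) that reached at least
    `threshold` distinct internal recipients within `window`."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    events.sort(key=lambda e: e["ts"])
    clusters = defaultdict(list)   # (sender_domain, fingerprint) -> [(ts, recipient)]
    for e in events:
        sender_domain = e["from"].rsplit("@", 1)[-1].lower()
        if sender_domain == INTERNAL_DOMAIN:
            continue   # internal blasts (HR, IT) are expected; scope to external senders
        key = (sender_domain, fingerprint(e["subject"], e["body"]))
        clusters[key].append((datetime.fromisoformat(e["ts"]), e["to"].lower()))

    alerts = []
    for (domain, fp), hits in clusters.items():
        # hits are time-ordered; slide a window from each hit, count distinct recipients
        for i, (start, _) in enumerate(hits):
            recipients = {rcpt for ts, rcpt in hits[i:] if ts - start <= window}
            if len(recipients) >= threshold:
                alerts.append({"sender_domain": domain, "fingerprint": fp,
                               "recipients": len(recipients),
                               "first_seen": start.isoformat()})
                break
    return alerts


def _line(ts, frm, to, subject, body):
    return json.dumps({"ts": ts, "from": frm, "to": to, "subject": subject, "body": body})


# Constructed sample log: one external template sent to five staff (one of them
# twice) inside ten minutes, an internal HR blast, and ordinary partner mail.
PHISH = ("Your password expires in 24 hours. "
         "Renew at https://mail-secure-notice.com/r/{} to avoid lockout.")
ATTACKER = "it-support@mail-secure-notice.com"
SAMPLE_LOG = [
    _line("2022-03-01T09:00:05", ATTACKER, "alice@corp.example", "Password expiry notice", PHISH.format("ab12")),
    _line("2022-03-01T09:01:10", ATTACKER, "bob@corp.example", "Password expiry notice", PHISH.format("cd34")),
    _line("2022-03-01T09:02:40", ATTACKER, "carol@corp.example", "Password expiry notice", PHISH.format("ef56")),
    _line("2022-03-01T09:03:00", "hr@corp.example", "alice@corp.example", "Benefits enrollment", "Enrollment opens Monday."),
    _line("2022-03-01T09:03:01", "hr@corp.example", "bob@corp.example", "Benefits enrollment", "Enrollment opens Monday."),
    _line("2022-03-01T09:04:15", ATTACKER, "dave@corp.example", "Password expiry notice", PHISH.format("gh78")),
    _line("2022-03-01T09:05:00", "jo@partner.example", "alice@corp.example", "Re: invoice 4471", "Attached as discussed."),
    _line("2022-03-01T09:06:00", "jo@partner.example", "bob@corp.example", "Meeting", "Can we move to 3pm?"),
    _line("2022-03-01T09:07:30", ATTACKER, "erin@corp.example", "Password expiry notice", PHISH.format("ij90")),
    _line("2022-03-01T09:09:55", ATTACKER, "alice@corp.example", "Password expiry notice", PHISH.format("kl11")),
]

if __name__ == "__main__":
    for alert in detect_bulk(SAMPLE_LOG):
        print(alert)
```

Counting distinct recipients rather than messages keeps a re-send to the same mailbox from inflating the score, and keying the cluster on the sender domain plus template means a campaign spread across several sender mailboxes at one throwaway domain still groups together. Attackers who rotate sending domains per recipient defeat this key; the template fingerprint alone can then be used, at the cost of more false positives from legitimate newsletters.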

16. Smishing Attacks Increase in 2021, with 74% of Organizations Encountering the Approach

Smishing is phishing that relies on SMS text messages instead of email or other communication channels. Like phishing, smishing rose markedly in 2021: 74% of organizations were targeted by this kind of attack in 2021, while 61% faced it in 2020.

[Source: Proof Point]

17. Social Media Attacks Rise, with 74% of Organizations Targeted by This Strategy in 2021

With an increasing number of companies relying on social media to advertise offerings and engage with customers, social media-based social engineering attacks also rose in 2021. While 61% of companies encountered this strategy in 2020, 74% dealt with it in 2021.

[Source: Proof Point]

18. Only 53% of Employees Can Correctly Define Phishing

In a sign that employee awareness of classic social engineering attack vectors may be lacking, a mere 53% of workers can accurately define phishing as of 2021. That’s a 10-percentage point decline from the year prior, which should be concerning with remote work being so common.

When asked about smishing, just 23% were able to correctly define it. For vishing, 24% got the right answer.

[Source: Proof Point]

19. In 86% of Organizations, at Least One Person Has Clicked a Phishing Link

While most companies hope that their employees can spot the signs of social engineering, it is often far harder than many people expect. Overall, in 86% of organizations at least one person has clicked a phishing link. Not all of those clicks led to information being entered or to actions that caused a breach, but the figure shows how often people are duped into at least taking the first step.

[Source: CISCO]

20. 11% of Organizations Hit by a Phishing Attack in 2021 Were Fined

Many organizations are required to follow strict rules regarding data security. While the healthcare and financial industries are the clearest examples, other sectors face stringent regulatory control when it comes to data management, too. As a result, 11% of organizations that were hit by a successful phishing attack also faced regulatory fines or similar financial penalties.

[Source: Proof Point]

21. Just 27% of Companies Practice Social Engineering Awareness Training

Knowing how to spot the signs of social engineering can make a difference, decreasing the likelihood that a person will engage with suspicious links or provide sensitive data to attackers. However, a mere 27% of companies provide employees with social engineering awareness training. That leaves many organizations far more vulnerable than they potentially could be if they took this simple step.

[Source: Get App]

About the Author

Catherine Reed
