Cybercriminals manipulate technologies to steal data, but how exactly do they trick people into divulging sensitive personal information?
Be it by phishing, baiting, tailgating, vishing, smishing, or water-holing, social engineering statistics show fooling people is a highly effective way for hackers to gain credentials, access data, and then launch large-scale attacks.
Let’s take a quick look at these stats to see the staggering impact social engineering has around the globe.
Astonishing Social Engineering Stats to Keep In Mind in 2022
- Cybercriminals use social engineering in 98% of attacks.
- There are 75 times as many phishing websites as malware sites.
- 75% of companies worldwide were victims of phishing in 2020.
- With 241,342 successful incidents, phishing was the most common cybercrime in 2020 in the US.
- A ransomware attack is successful every 11 seconds.
- In 2019, the cost per compromised record was $150 on average.
- The US government allocated nearly $19 billion for cybersecurity in 2021.
What Is Social Engineering?
Basically, it’s convincing someone to perform a particular action.
Cybercriminals who use social engineering lure you into sharing your personal information, opening infected files, or giving them access to restricted data.
Let’s take a look at some of the latest social engineering statistics.
1. Cyber attacks employ social engineering 98% of the time.
(Source: Purplesec)
In other words, many employees can’t detect social engineering threats and unknowingly open the doors for cybercriminals to steal money, access data, and tarnish your reputation.
There are also some employees (21%, counting both current and former staff) who may intentionally use social engineering tricks to get back at you.
2. Over 70% of all data breaches are due to social engineering.
(Source: GlobalSign)
It’s easier to fool people than to infiltrate a secure computer system, so it’s no surprise that about 70% to 90% of all data infiltration is due to phishing and social engineering attacks.
Cybercriminals can target any individual or company, though statistics show that healthcare institutions, government agencies, and universities are the preferred targets for social engineering scams because of the information they store.
3. There are more than two million phishing websites.
(Source: IDAGENT)
As of Jan 17, 2021, Google, the search engine powerhouse, had recorded 2,145,013 phishing sites.
What happens is that hackers constantly feed the Dark Web with the data they steal, which then serves as fuel for further cyberattacks.
Just in 2020, hackers added approximately 22 million new records to the Dark Web.
4. 96% of phishing attacks use email.
(Source: Tessian)
Although the number of phishing sites is staggering, the latest social engineering stats reveal that only 3% of phishing attacks are carried out through a website, and 1% are carried out by phone (either vishing or smishing).
A phishing email tricks individuals into taking action immediately. They typically cite emergencies to get you to reveal sensitive information.
The most common words cybercriminals use in emails are: urgent, request, important, payment, and attention.
5. About 43% of phishing attackers impersonate Microsoft.
(Source: Spamtitan)
Social engineering emails usually impersonate a well-known company to increase the chances of you opening them.
Microsoft is the preferred fake identity for attackers to adopt, given that about 1.2 billion people use the Office package.
DHL comes in the second position, with 18% of cybercriminals using the brand name.
Other often impersonated brands are PayPal, LinkedIn, Google, and Chase.
6. The most common attachment in phishing emails is Windows executable files.
(Source: ESET Threat Report)
Phishing stats say attackers send a Windows executable file (usually disguised as a PDF, Excel, or Word file) 74% of the time.
They can also use script files (11%) or compressed files (4%), but executables are preferred because the program runs the moment you open the file.
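The two signals described above, urgency wording in the message text (stat 4) and a Windows executable dressed up as a document (stat 6), are both easy to check for mechanically. The script below is an added example written for this article, not code from the article's sources: it looks for the five urgency words the article lists and inspects each attachment's leading bytes ("magic number") against the extension its name claims. The magic-number table and the set of script extensions are assumptions made for the example, and the sample message is constructed.

```python
import re

# The five words the article cites as most common in phishing emails.
URGENCY_WORDS = ("urgent", "request", "important", "payment", "attention")

# Leading bytes of the file types the article names (assumed table for this
# example). "MZ" is the Windows executable (PE) header; modern Office files are
# ZIP containers; legacy .doc/.xls are OLE2 compound files.
MAGIC = {
    "exe": b"MZ",
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "zip": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",
}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
# Script types often sent as attachments; an assumed list, not from the article.
SCRIPT_EXTS = {"js", "vbs", "ps1", "bat", "cmd"}


def urgency_words(text):
    """Return the urgency words that occur in text as whole words, case-insensitive."""
    return [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text, re.IGNORECASE)]


def check_attachment(filename, head):
    """Classify one attachment from its name and its first bytes.

    Returns a short reason string when it looks dangerous, or None."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if head.startswith(b"MZ"):
        # Content is a Windows executable regardless of what the name says.
        if ext in DOCUMENT_EXTS:
            return f"{filename}: Windows executable disguised as .{ext}"
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            return f"{filename}: executable with double extension"
        return f"{filename}: Windows executable attachment"
    if ext in SCRIPT_EXTS:
        return f"{filename}: script attachment"
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        return f"{filename}: content does not match .{ext} signature"
    return None


def triage(subject, body, attachments):
    """Score a message. attachments is a list of (filename, leading bytes)."""
    words = urgency_words(subject + " " + body)
    findings = [r for name, head in attachments if (r := check_attachment(name, head))]
    # Heuristic threshold: any suspicious attachment, or three or more urgency
    # words, sends the message to a human for review.
    verdict = "review" if findings or len(words) >= 3 else "ok"
    return {"urgency_words": words, "attachment_findings": findings, "verdict": verdict}


# Constructed sample message; not taken from the article or any real campaign.
SAMPLE = {
    "subject": "URGENT: payment request",
    "body": "Attention: this is important. Open the attached invoice today.",
    "attachments": [
        ("invoice.pdf", b"MZ\x90\x00\x03\x00"),   # PE file carrying a .pdf name
        ("report.pdf", b"%PDF-1.7\n"),            # genuine PDF header
        ("notes.docx.exe", b"MZ\x90\x00"),        # double extension
        ("update.js", b"var a = 1;"),             # script file
    ],
}

if __name__ == "__main__":
    print(triage(SAMPLE["subject"], SAMPLE["body"], SAMPLE["attachments"]))
```

Only the first few bytes of each attachment are needed, so a mail gateway can run this check without parsing the whole file. The urgency-word threshold is deliberately loose; the attachment findings are the strong signal, because a file whose content says "MZ" while its name says ".pdf" has no legitimate explanation.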
7. 18% of phishing victims lose money.
(Source: Tessian)
How dangerous is social engineering?
Pretty dangerous. It seems money is not the main motivator for cybercriminals—information is.
After a successful phishing attack, 60% of companies report lost data, 52% declare compromised credentials, and 29% complain of malware infection, which ends up damaging the company’s entire computer network.
Social Engineering Statistics in 2022
Companies are spending millions of dollars to protect themselves and their customers from data breaches, but it seems those are wasted efforts unless they train employees, as well.
Social engineering is a burning issue because it exploits people’s natural tendency to trust others and tricks them into revealing sensitive information.
8. The average organization faces 700 social engineering threats per year.
(Source: ZDNet)
So, how many businesses are targeted by spear-phishing attacks each day?
We know that in one year, attackers sent 12 million spear-phishing emails to three million mailboxes, affecting 17,000 organizations.
That means 46.5 companies receive an average of two spear-phishing emails each day.
9. Only 27% of companies provide social engineering awareness training.
(Source: GetApp)
Businesses around the world spend millions on security technologies, but they don’t take the time to educate employees on social engineering and data breaches.
The latest stats say that about 43% of employees don’t receive data security training regularly, and an alarming 8% have never received any.
10. 45% of millennial employees don’t know what phishing is.
(Source: Proofpoint)
Social engineering statistics by age show that the older employees are, the more familiar they are with the subject.
65% of employees older than 39 can define phishing correctly, compared to just 47% of 18- to 22-year-olds.
However, the opposite is true for vishing—34% of employees in the 18-22 age group know what vishing is, whereas just 20% of employees who are older than 55 are familiar with the term.
11. 43% of IT workers were victims of social engineering attacks in 2020.
(Source: ZDNet)
However, the most common targets are neither CEOs nor people in IT.
Employees who don’t have a financial or executive role receive 80% of the threats.
12. About 30% of employees fail a phishing test.
(Source: KnowBe4)
The Phish-Prone Percentage (PPP) varies depending on the industry, but we can consider a global average PPP of 31.4%.
If we break it down by organization size, the sectors that are most at risk are small healthcare centers and pharmaceuticals (34% PPP), medium-sized hospitality establishments (42.3% PPP), and large energy organizations (52.4% PPP).
Cybersecurity and social engineering awareness campaigns brought the 30% fail rate down to around 5%.
13. 60% of employees in the US click on emails even if they think them suspicious.
(Source: Graphus)
A recent study showed that although 78% of participants had recently received training against social engineering threats, 60% admitted to opening suspicious emails.
Social engineering statistics say that 45% of them don't report the issue to the IT department after clicking.
14. Distraction caused 47% of employees to fall for phishing scams during the pandemic.
(Source: LinkedIn)
COVID-19 also impacted companies’ ability to face cybersecurity threats. A recent study shows that 56% of IT departments report an increase in their response time for cyberattacks.
Additionally, 42% of businesses say they’re unprepared to fend off cyberattacks that target remote workers.
Social Engineering News
Over the years, many companies across different industries have been the unfortunate targets of data breaches.
A few examples that come to mind are the 2017 Equifax Breach (which affected nearly 150 million consumers), the 2020 Marriott Breach (which impacted 5.2 million guests), and the Twitter Breach (which targeted 130 accounts in 2020).
Now, let’s look at some global stats.
15. Mongolia had the highest phishing attack rate in 2020.
(Source: Statista)
Social engineering statistics by country show Mongolia was the most targeted country, with 15.54% of online users affected by phishing attacks during the third quarter of 2020.
Israel came in second place with 15.24%, followed by France (12.58%) and Brazil (11.86%).
16. Phishing emails affected over one million businesses in the UK.
(Source: INFOTECH)
The email attacks affected 1.3 million businesses in the UK, costing them nearly £7 billion.
It’s particularly difficult for small businesses to fend off these attacks because most of them (73%) don't have IT security measures in place.
17. Phishing was the most common cybercrime in the United States in 2020.
(Source: Vade Secure)
The latest phishing statistics reveal that the FBI registered 241,342 attacks in 2020, compared to 114,702 in 2019.
Last year, around 59% of cyberthreats used the COVID-19 pandemic to target online users.
For example, cybercriminals pretended to be government agents who needed your personal information to sign you up for financial support or early vaccination.
18. More than $15,000 is lost every minute due to phishing.
(Source: Varonis)
The latest social engineering stats reveal that around $17,700 is lost every minute due to phishing. That equates to $1,062,000 per hour and $25,488,000 per day.
19. Social engineering attacks cost companies $130,000 on average.
(Source: Security Info Watch)
That’s just considering the money and data that the average company loses. However, there are additional associated costs that the business must cover, such as recovery fees and security updates.
Now factor in how common cyberattacks are (internet privacy stats say one occurs every 39 seconds) and it should come as no surprise that experts predict the global annual cost of cybercrime will reach an astronomical $10.5 trillion by 2025.
Ways to Prevent a Social Engineering Attack
Cyber attackers can manipulate you and get access to your credentials, passwords, and information. But you can prevent that from happening.
We at Web Tribunal thought we’d give you some tips on how to protect yourself from social engineering fraud:
- Be wary – Don’t open unknown email attachments, double-check URLs, and keep in mind that if something sounds too good to be true, it probably is.
- Use two-factor authentication – It’s a simple way to strengthen account security. Keeping your software up to date and installing a good antivirus are good ideas too.
- Don’t reuse passwords – Unique and complicated are your best bet, but they’re also hard to come up with and memorize. If you need help with that, you can get a password manager. They’re safe to use and do their part in protecting you from online threats.
- Keep up to date with social engineering trends – Cybercriminals are often coming up with new ways to trick you into giving them what they want. Look up examples of social engineering and read up on what the latest scamming techniques are so you don’t fall for them.
- Consider using identity protection software – They scan the Dark Web for your information, notify you of any breaches, keep track of your credit score, and some even offer identity theft insurance.
Wrap Up
If the social engineering statistics that we just covered prove anything, it’s that social engineering is a threat to millions of companies and individuals around the globe.
As technology advances, hacking evolves as well—phishing emails often no longer look as scammy as they are.
So, keep your eyes peeled, educate your employees on the dangers of social engineering, and take some steps to protect your identity online.
Better safe than sorry, right?
Unaware that life beyond the internet exists, Nick is poking servers and control panels, playing with WordPress add-ons, and helping people get the hosting that suits them.