12 Social Engineering Statistics That Will Make You Question Everything

Social engineering is all about bad guys hacking your employees instead of your network. Here are a dozen social engineering stats you should share with your team & leadership to prepare for attacks you’ll likely face in 2023 and beyond…

Social engineering describes how cybercriminals try to “hack” the people within your organization instead of the technology. This approach is all about using psychological tactics to get people to do something they normally wouldn’t or share information they shouldn’t. Social engineering can be used to get you to give up your login credentials or maybe click on a link to a website that auto-installs ransomware onto your device.

All it takes is one employee’s single moment of unawareness or ignorance for a hacker to use them to bring your organization to its knees. But we aren’t here to discuss the intricacies of social engineering; that’s a topic for another time. You’re here to get into the nitty-gritty data that no one enjoys reading but needs to know: social engineering stats. We’ve pulled together some social engineering statistics from 2021 and 2022 to help prepare you for what’s to come in 2023.

Let’s hash it out.

12 Social Engineering Statistics Your Company Needs to Know in 2022, 2023 and Beyond

Social engineering statistics are a great way to keep your thumb on the pulse of the industry’s most impactful cyber threats. Social engineering is a set of malicious skills that cybercriminals love to use to get their hands on your most sensitive data. Rather than regurgitate a massive list of information derived from other sources, however, our goal here is to cultivate the most telling social engineering statistics that we think you should know as we enter the new year.

1. Social Engineering Ranks #1 as the Top Attack Type in 2022

LookingGlass Cyber and ISACA (formerly the Information Systems Audit and Control Association) report that social engineering continues to rank as the leading attack type analyzed in 2022. Unsurprising, really, when you consider how useful a tool it is to cybercriminals.

It seems only fitting that we place this stat at the top of our social engineering statistics list since, you know, that’s kind of what this article is all about.

2. Social Engineering-Based Data Breaches Cost More Than $4 Million on Average

IBM reports in its 2022 Cost of a Data Breach report that the average cost of a data breach with social engineering as the initial attack vector surpassed a cool $4 million. To put that in perspective, it’s more than the Federal Emergency Management Agency (FEMA) paid the Massachusetts Department of Transportation for Winter Storm Kenan’s road snow plowing and sanding costs in January 2022.

3. Social Engineering-Based Data Breaches Took 270 Days to Identify and Contain

But the news from IBM doesn’t stop there. Their 2022 report also showed that these data breaches — those with social engineering as the initial attack vector — took nearly nine months for the companies to:

  • Identify the breaches (201 mean time days), and
  • Contain them (69 mean time days).

This means that social engineering-based breaches performed slightly better than the average data breach in 2022, which took 207 and 70 mean time days, respectively, to identify and contain.

Image data source: IBM’s 2022 Cost of a Data Breach report. Bar chart comparing the mean time required to identify and contain a breach for social engineering-based data breaches versus breaches involving other initial attack vectors.

4. 82% of Data Breaches Involve the “Human Element”

Next on our list of social engineering statistics is some great data from Verizon. The company shared in its 2022 Data Breach Investigations Report (DBIR) that four in five of the breaches analyzed involved human-related factors. Considering that social engineering is the dastardly art of using psychological tactics to target your human employees, it makes sense that most breaches would take this approach.

Cybercriminals can use social media, data aggregation sites, and other publicly available information sources to learn about you and your company. Once they have gathered this information and paired it with social engineering tactics to gain a foothold in your organization, they’re home free.

5. 90% of Cyber Attacks Are Targeting Your Employees Instead of Your Tech

Yup, you read that correctly: nine in 10 cyber attacks against organizations target people rather than your IT and cybersecurity defenses. Why? Because, as Arctic Wolf Networks points out in their 2022 State of Cybersecurity Trends report, focusing on employees is a low-risk effort that results in high rewards for attackers.

Systems can be patched and vulnerabilities can be mitigated. But cybercriminals typically target the weakest links in your armor because that equates to the biggest payout with the least effort. They know that your employees are human, and humans are bound to make mistakes. Cybercriminals are banking on that fact. It’s for this reason that you must do what you can to increase employees’ cyber awareness through regular training and education.

6. 47% of Social Engineering-Related Security Incidents Resulted in Data Disclosures

Verizon also reported that of the 2,249 incidents it analyzed involving social engineering, 1,063 resulted in confirmed data disclosures. That’s almost half of the incidents analyzed. What sorts of data are we talking about? Everything from personally identifiable information (24%) to login credentials (63%).

This means that nearly two in three social engineering attacks aim to manipulate you or your colleagues into handing over your login credentials. They could do this by pretending to be a member of your organization’s IT team, or by sending you a phishing email that will take you to a website with a fake login portal. When you enter your genuine credentials, the attacker will steal them and can use them for whatever nefarious purposes they desire.


7. Organizations Face 700+ Social Engineering Attacks Annually

Ugh. Just when you thought these social engineering stats couldn’t get any worse, we deliver this whammy from Barracuda’s 2021 Spear Phishing: Top Threats and Trends report: the average organization faces more than 700 social engineering attacks per year. Basically, that works out to almost two social engineering attacks per day.

When you consider that all it takes is one slip-up to have your data stolen, altered, or destroyed, it puts into perspective how much every attempt matters.

8. Nearly 33% of Crimes Reported to the IC3 Involved Phishing, Vishing, Smishing or Pharming

Phishing has long been considered the most common form of social engineering and plays a role in many data breaches and other cyber crimes globally. The FBI’s Internet Crime Complaint Center (IC3), the federal government organization that handles cybercrime complaints, reported in its 2021 Internet Crime Report that it received an average of 552,000 complaints per year (between 2016 and 2021) globally, with a whopping price tag of $18.7 billion.

Keep in mind, however, that this represents only reported losses — there’s no telling how many more cyber crimes occurred that went unreported or undiscovered.

In 2021, 847,376 complaints were reported with $6.9 billion in adjusted losses. Of those, 323,972 complaints involved phishing over multiple platforms (email, phones, SMS text messages) and pharming. The following chart compares this to other crime types in 2021:

Image data source: The Internet Crime Complaint Center’s 2021 Internet Crime Report. Bar chart comparing the top five types of cyber crimes.

9. Reported BEC/EAC Incidents Result in Nearly $2.4 Billion in Adjusted Losses

Social engineering can be carried out using many attack methods, including using compromised legitimate email accounts or impersonating them with closely spelled copycat accounts. In its 2021 Internet Crime Report, the IC3 reported nearly 20,000 complaints of business email compromise (BEC) / email account compromise (EAC) with a hefty price tag totaling nearly $2.4 billion.

This means that the total adjusted losses of these reported cyber crimes cost more than the estimated losses of the massive Marshall Fire (estimated to have cost more than $2 billion) that killed two people and destroyed more than 6,000 acres and 1,156 homes and businesses.

10. Phishing Kits That Bad Guys Can Use to Carry Out Social Engineering Cost as Little as $10

Phishing-as-a-service (PHaaS) has been gaining interest over the last decade because it makes it easier for non-technical bad guys to do bad things. Two of the most popular PHaaS options identified by Zscaler’s ThreatLabs in their 2022 State of Phishing Report are phishing kits and open-source phishing frameworks:

  • Phishing kits tend to cost anywhere from $10 to potentially hundreds of dollars. They’re pre-packaged DIY kits that can be deployed to carry out phishing attacks with minimal effort.
  • Open-source phishing frameworks, as the name would imply, are free. However, they tend to take more organization and coordination.

11. Personal Data of 5 Million Employees & Passengers Exposed in a Single Ransomware Attack

In November 2022, AirAsia found itself the target of a ransomware attack that resulted in the theft of sensitive data relating to five million employees and customers. This included employees’ personally identifiable data (PII) and customers’ booking information.

The following (redacted) screenshot from DataBreaches.net shows a quick look at some of the categories of data that were exposed in the breach:

Image source and caption: A screenshot from DataBreaches.net, which contains redacted information relating to AirAsia’s employees’ personal and work-related information. This data was published by DataBreaches.net, which received the information from the hacker group known as Daixin Team.

This is just one example of why PII is invaluable data to cybercriminals. It can be basic information (your name, address, phone number) or significantly more sensitive information (your social security number, account numbers, etc.). Not only can attackers use it to help trick cyber security solutions, they can use it to trick you or your colleagues as well. PII is the perfect fodder for crafting great (and believable) phishing emails or tricking employees into doing something because they believe they’re dealing with your authentic customers.

Let’s consider the classic SIM-swapping scam. A bad guy calls up a cell phone service provider while pretending to be you, with the goal of convincing the provider’s customer service employee to move your phone number to a new SIM card in a device the attacker controls. The attacker lays it on thick, telling a sob story about how you lost your phone and had to buy a new one. Because they already know your personal information, they can use it to pass the provider’s identity verification while pretending to be you.

12. Cybercriminals Steal $3.1 Million From Victims by Tricking Healthcare Payment Processors

Alright, it’s time to wrap up our list of social engineering statistics. The internet is an amazing thing. It enables us to have the world’s information at our fingertips. But along with that privilege comes the risks associated with it: if you have access to so much information, then it means bad guys do as well.

In September 2022, the FBI released an advisory warning of reports that cybercriminals were targeting healthcare payment processors. The goal? To redirect victims’ payments to accounts controlled by the bad guys. According to the report:

“In each of these reports, unknown cyber criminals used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites. In one case, the attacker changed victims’ direct deposit information to a bank account controlled by the attacker, redirecting $3.1 million from victims’ payments.”

Final Thoughts: How to Avoid Becoming One of These Social Engineering Statistics

We hope you’ve found this information informative and useful. We like actionable data here at Hashed Out and figured it would be best to provide some context to these numbers.

If you want to see some social engineering examples, we’ve got you covered. But the general rule of thumb when it comes to avoiding falling prey to social engineering scams is to take a moment before acting and asking yourself several important questions:

  • Are you expecting the message? Don’t be click-happy. If you receive an unexpected or unsolicited message containing attachments or links to a website, ask yourself whether you’re expecting the information. To be safe, contact the person who supposedly sent the file directly via another official channel (their company phone number, or by walking over to their desk) to confirm they sent it.
  • Did you check the sender’s email address? Social engineers love to use display names that look like the official sender. To avoid falling for this tactic, inspect email addresses closely to ensure the information is accurate. Even an email address with a single letter that’s different could be the difference between avoiding a scam and falling prey to one. Just ask Shark Tank star and entrepreneur Barbara Corcoran’s bookkeeper. (Luckily for Corcoran, she was able to get her money back once the scam was discovered.)
  • Did you check the links to see if they match the text they’re embedded in? It’s a common social engineering tactic to hide a link’s true destination URL behind anchor text that shows a legitimate-looking one. By disguising it, they make it appear like a legitimate link to people who don’t look beyond the surface. Simply hover your mouse over the link (without clicking on it!), and the true URL will display.
  • Does the communication (and any requests within it) make sense? This one requires a bit of critical thinking. Read through the message again and ask yourself whether it makes sense. For example, would a marketing employee ask for access to employee payroll-related information? Would your company’s CEO reach out to you directly to initiate a big wire transfer? In most cases, the answer to both of these questions is “not likely.”
  • Would the person sending the email or text message reach out to you like this? Perhaps you receive an email from a vendor. However, you typically receive a phone call from that individual instead. This could be a red flag that it’s not the legitimate sender, or that their email account may have been hacked. Reach out to them directly via phone or another official channel to check before engaging with the email.
  • If the sender is asking you for cryptocurrency or gift cards, know it’s virtually guaranteed to be a scam. Cryptocurrencies and pre-paid gift cards are two of cybercriminals’ favorite ways to get money through fraud. They convince their target (i.e., you) to abandon common sense and to send money using one of these financial means. So, if someone asks you to send money or buy pre-paid gift cards for one reason or another, don’t do anything until you speak with that person directly either face to face or over the phone using an official phone number.
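As an added example (not from the article or from Hashed Out), here are the sender-address and link-text checks from the list above scripted in Python so they can be run over a raw message; the trusted domain list and the sample email are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains your organization treats as known-good senders.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample: the From: domain mimics a trusted one ("rn" for "m"),
# and the link text shows one host while the href points at another.
SAMPLE_EMAIL = """\
From: Accounts Payable <ap@exarnple.com>
To: you@yourcompany.test
Subject: Updated bank details
Content-Type: text/html

<p>Please confirm the new account via
<a href="http://login-portal.test/verify">https://portal.example.com/verify</a>.</p>
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_sender(raw_email):
    """Return trusted domains that the From: domain closely imitates but does not equal."""
    _, addr = parseaddr(message_from_string(raw_email).get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    return [g for g in TRUSTED_DOMAINS if domain != g and edit_distance(domain, g) <= 2]

def mismatched_links(raw_email):
    """Return (shown_host, real_href) pairs where the visible URL hides a different host."""
    body = message_from_string(raw_email).get_payload()
    out = []
    # Deliberately simple anchor matcher; a production mail filter would use an HTML parser.
    for href, inner in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S):
        text = re.sub(r"<[^>]+>", "", inner)  # strip nested tags from the anchor text
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
        if shown and (urlparse(href).hostname or "").lower() != shown.group(1).lower():
            out.append((shown.group(1), href))
    return out
```

Running both functions over SAMPLE_EMAIL flags the lookalike domain and the disguised link; a message whose link text and href share a host produces no link flag.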

Looking for other cyber security statistics or cyber crime statistics? We’ve got you covered.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.