Social Engineering Statistics 2025: When Cyber Crime & Human Nature Intersect
5 votes, average: 4.20 out of 55 votes, average: 4.20 out of 55 votes, average: 4.20 out of 55 votes, average: 4.20 out of 55 votes, average: 4.20 out of 5 (5 votes, average: 4.20 out of 5, rated)
Loading...

Social Engineering Statistics 2025: When Cyber Crime & Human Nature Intersect

These 30 social engineering attack statistics reveal human vulnerabilities and how bad guys love to exploit them (to your detriment)

Social engineering doesn’t hack your company’s devices or digital assets; it “hacks” the people who have access to them.

Bad guys have been influencing the behaviors of others throughout recorded history. Whether it’s conning someone into buying a mule they don’t own or manipulating others into sharing secret intel, criminals will continue using human emotions and psychology to get what they want. But in the years since criminal activities moved into the digital world, we’ve seen how heavily cybercriminals rely on these same basic social engineering skills.

Cybercriminals continue to use these psychology-based tactics to trick, coerce, manipulate, threaten, or otherwise get targeted individuals to do their bidding.

So, what insights do the top social engineering statistics for 2025 offer?

Let’s hash it out.

TL;DR: Key Social Engineering Statistics You Should Know

Don’t have time to read an entire article about social engineering statistics? No worries — we’ve cultivated the top handful for you:

social engineering graphic: Blog image display version of an infographic on social engineering attack statistics

We’ve got you covered with the latest cyber crime statistics for 2025 and cyber security statistics.

Social Engineering Statistics: The Cost of These Attacks

While it’s true that social engineering attacks have far-reaching implications in terms of the reputational harm and loss of customer trust, let’s be real — you want to know the bottom-line impacts.

  1. U.S. consumers reported $12.5 billion in fraud-related losses in 2024 alone. Government impostor scams alone cost consumers $789 million in that period. (U.S. Federal Trade Commission’s “New FTC Data Shows a Big Jump in Reported Losses to Fraud to $12.5 billion in 2024.”)
  2. Social engineering is no longer the #1 threat (although it remains in the top three attack patterns) — exploits have claimed that “honor.” Verizon’s latest data indicates that social engineering is slowly shifting down the rankings as an initial access vector as vulnerability exploits move up the list. (Source: Verizon’s 2025 Data Breach Investigations Report [DBIR])
  3. A social engineering attack costs organizations an average of $130,000 in stolen data or monetary theft. If the attack is paired with other attack methods, that number can often skyrocket into the millions. (Source: CRC Group’s “Social Engineering & Cybercrime Remain Top Cyber Insurance Concerns”)
  4. More than $1 trillion globally has been lost to online scammers in the past year. (Source: WEF Global Cybersecurity Outlook 2025 report)
  5. Call center scams targeting seniors and crypto traders raked in a sickening $1.9 billion in reported losses in 2024. (Source: FBI IC3’s 2024 Internet Crime Report)
  6. North Korea’s IT worker scam is estimated to generate $250-600 million annually. (Source: United Nations’ Security Council Report S/2024/215)
  7. Those annoying fake road toll scams you keep getting? They cost U.S. victims nearly $130k in reported losses in 2024 alone. (Source: FBI IC3’s 2024 Internet Crime Report)
Two examples of the many road toll scam SMS text messages the article author received in the past couple of months.
Image caption: A screenshot showing two of the many road toll scam SMS messages I received over the past couple of months. These are examples of the types of phony road toll scams that have circulated widely in 2024 and 2025.

Social Engineering Statistics: A Look at the Frequency of These Attacks

  1. The number of phishing attacks decreased by 20% globally in 2024. However, these attacks are becoming increasingly targeted and hyper-focused as bad guys shift to voice and video to avoid email security measures. (Source: Zscaler’s ThreatLabz 2025 Phishing Report)
  2. Phishing attacks targeting the United States dropped nearly 32% in 2024. However, the country still firmly ranks #1. (Source: Zscaler’s ThreatLabz 2025 Phishing Report)
  3. Social engineering attacks represent 22% of data breaches involving external threat actors specifically. Of those, phishing accounted for 57%. (Source: Verizon’s 2025 Data Breach Investigations Report [DBIR])
  4. Phishing and spoofing attacks rank #1, accounting for nearly 23% of all the cyber crime complaints reported to the FBI’s IC3 in 2024 alone. That’s 193,407 of the 859,532 complaints, which is bad on its own but even worse when you consider that’s just the number of reported complaints — it doesn’t account for the crimes that have gone unreported. (Source: FBI IC3 2024 Internet Crime Report)
  5. FBI’s IC3 receives 100+ reports of scammers impersonating the cyber crime-fighting agency. (Source: FBI IC3 2024 Internet Crime Report)
  6. Small businesses are targeted nearly 4x as often as their larger counterparts. (Source: Verizon’s 2025 Data Breach Investigations Report)
  7. Fake road toll scams have skyrocketed 2900% from 2,000 scams reported in 2023 to 60,000 in 2024. (Source: FBI IC3 2024 Internet Crime Report)
  8. The “human factor” still reigns supreme as a factor in 60% of data breaches.  According to Verizon’s 2025 DBIR report, “breaches involving humans were responsible for the majority of cases we received.” (Source: Verizon’s 2025 Data Breach Investigations Report)
  9. ~20% of businesses report experiencing one or more ATO incidents per month. These attacks often involve attackers using social engineering tactics to phish account holders for information or steal credentials. (Source: Barracuda’s 2025 Email Threats Report)
Social engineering attack statistics graphic relating to the frequency of account takeover (ATO) attacks on businesses. Data is from Barracuda's 2025 Email Threats Report.
Social engineering statistics graph data source: Barracuda’s 2025 Email Threats Report.

Social Engineering Statistics: Taking a Closer Look at Attackers’ Methods

So, how do bad guys do what they do?

  1. The detection of voice phishing attacks, paired with social engineering tactics, increased by a whopping 442% from 1H to 2H of 2024. According to CrowdStrike’s researchers: “Various eCrime adversaries are increasingly adopting vishing, callback phishing, and help desk social engineering attacks to gain a foothold into networks.” (Source: CrowdStrike 2025 Global Threat Report)
  2. ~25% of state-sponsored social engineering campaigns begin with idle conversations. (Source: Proofpoint The Human Factor 2025, Vol. 1: Social Engineering)
  3. One in five phishing emails relies solely on social engineering. (Source: KnowBe4’s Phishing Threat Trends Report)
  4. One crypto startup founder suspects that around 95% of the job applications he receives for legitimate positions in his firm come from North Korean operatives pretending to be American IT workers. (Source: Fortune’s article “North Korean IT Workers Infiltrating Fortune 500 Companies.”)
  5. A woman in Arizona used 60 stolen identities to help North Korean IT workers fraudulently get jobs at 300 companies. This netted millions of dollars for the North Korean government. (Source: Fortune’s article “North Korean IT Workers Infiltrating Fortune 500 Companies.”)
  6. 90%+ of pure social engineering advanced persistent threat (APT) campaigns use collaboration as their “in” to get targets to cooperate. (Source: Proofpoint The Human Factor 2025, Vol. 1: Social Engineering)
  7. 39% of cloud initial assets had email phishing as the initial infection vector. Another 12% was split between SIM swapping and voice phishing, both of which attacks often rely on social engineering tactics. (Source: Mandiant M-Trends 2025 Report)
  8. 220,000+ people are trafficked in South-East Asia and forced to work in online scam farms, where they often carry out social engineering attacks. (Source: WEF Global Cybersecurity Outlook 2025 report)
  9. Bad guys can exploit gaps in email security, as nearly half of organizations don’t have a configured DMARC policy in place. This leaves legitimate organizations at risk of being impersonated by cybercriminals who can spoof their sender domain. (Source: Barracuda’s 2025 Email Threats Report)
Social engineering attack statistics graphic relating to North Korean threat actors using social engineering tactics to impersonate legitimate American IT workers. Data from Fortune
Social engineering statistics graph data source: Fortune’s article “North Korean IT Workers Infiltrating Fortune 500 Companies.”

Social Engineering Statistics: Crime in the Age of Generative AI & LLMs

Generative AI (genAI) and language learning model (LLMs) are now taking social engineering attacks to a whole new level. Messages that previously required time and resources to meticulously hone can now be generated at near rapid-fire speed.

  1. In 2023, a genAI tool was able to craft an effective phishing email using five simple prompts in just 5 minutes. Compare this to the 16+ hours on average that IBM’s X-Force team says it takes their seasoned social engineers to research in depth and write the message for the intended target. Imagine how much faster genAI tools have likely become over the past two years… (IBM’s AI vs. Human Deceit: Unravelling the New Age of Phishing Tactics)
Social engineering statistics graph: The click rates for emails crafted by human versus those crafted by AI
Social engineering statistics graph data source: IBM’s X-Force research article: “AI vs. human deceit: Unravelling the new age of phishing tactics.” This graph illustrates the A/B testing results of emails that were created by IBM’s X-Force team and AI to see how they performed.
  1. What makes matters worse is that three in five of these organizations indicate that they’ve sustained successful ATO attacks.  (Source: Proofpoint Research: 2024 Account Takeover Statistics)
  2. Phishing emails generated entirely by AI outperformed the control group by 42%. AI-generated emails with “human-in-the-loop” expert interventions performed even better, having a click-through rate of 56%. (Source:Evaluating Large Language Models’ Capability to launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects” by Heiding, Lermen, Kao, Schneier, and Vishwanath)
  3. Nearly half (47%) of organizations indicate that genAI-based threats are their biggest concern. (Source: World Economic Forum’s [WEF] Global Cybersecurity Outlook 2025 Insight Report)
  4. 99% of Proofpoint’s monitored customers were the targets of account takeover attacks in 2024. (Source: Proofpoint Research: 2024 Account Takeover Statistics)

Editor’s Note: This blog post was published originally by Casey Crane on Jan. 13, 2023. It was updated and republished by the same author with new content and the industry’s latest social engineering statistics data on June 20, 2025.

1 comment

Leave a Reply

Your email address will not be published. We will only use your email address to respond to your comment and/or notify you of responses. Required fields are marked *

Captcha *

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.