
Social engineering remains one of the most effective cyberattack methods because it targets people rather than technology. Attackers use phishing emails, fake phone calls, fraudulent messages, and AI-generated impersonations to manipulate victims into revealing sensitive information or transferring funds. These attacks affect organizations of every size, from healthcare providers and financial institutions to local businesses and government agencies. As cybercriminals increasingly combine human manipulation with artificial intelligence, understanding the latest statistics is essential for building stronger defenses. Explore the data below to see how social engineering continues to reshape the cybersecurity landscape.
Editor’s Choice
- The latest breach investigations found that nearly 60% of all data breaches involve a human element, including social engineering, credential misuse, or human error.
- Internet crime losses reported to authorities exceeded $16 billion in 2024, representing a 33% increase from the previous year.
- Credential abuse accounted for 22% of breaches investigated in the latest breach report, making it the most common initial access vector.
- Phishing remained one of the leading attack methods, contributing to 16% of recorded breaches globally.
- The average global cost of a data breach reached $4.88 million in 2024, the largest annual increase since the pandemic.
- Consumers reported $12.5 billion in fraud losses during 2024, highlighting the growing effectiveness of social engineering scams.
- Business Email Compromise (BEC) scams have generated more than $55 billion in global exposed losses since authorities began tracking them.
Recent Developments
- The 2025 breach investigations report showed that attackers increasingly combine phishing campaigns with credential theft and ransomware operations.
- Human involvement in cyber incidents remained consistently high, contributing to roughly six out of every ten breaches.
- AI-assisted cyberattacks increased by approximately 89% year over year, according to recent cybersecurity assessments.
- Organizations increasingly report deepfake-enabled impersonation attempts targeting executives and finance teams.
- Reported ransomware complaints targeting critical infrastructure increased 9% during 2024.
- Nearly 860,000 internet crime complaints were submitted in 2024, demonstrating the sustained scale of cyber-enabled fraud.
- Security researchers identified credential theft, phishing, and identity-based attacks as the fastest-growing attack categories entering 2026.
- Modern social engineering campaigns increasingly leverage data exposed through previous mega-breaches to personalize attacks.
- Organizations using AI-powered security automation reported significantly lower breach costs than those without such tools.
General Social Engineering Statistics
- Social engineering remains one of the most common tactics used by cybercriminals because it exploits trust rather than technical vulnerabilities.
- Phishing continues to rank among the most frequently reported cybercrimes worldwide.
- One-third of people who reported scams also experienced direct financial losses.
- Nearly 60% of breaches involve some form of human interaction or manipulation.
- Social engineering attacks increasingly target collaboration platforms, messaging apps, and cloud services in addition to email.
- Attackers frequently use stolen personal information from previous breaches to improve social engineering success rates.
- Credential harvesting remains a primary objective of phishing campaigns because stolen credentials enable access to multiple systems.
- Email-based attacks continue to generate billions of dollars in annual losses across businesses and consumers.
- Cybersecurity professionals consistently rank social engineering among the highest organizational risks because it bypasses many technical controls.
Key Social Engineering Attack Insights
- Social engineering attacks cost organizations an average of $130,000 per incident in 2024.
- Phishing accounted for 65% of all social engineering attacks, making it the leading attack method.
- 89% of social engineering attacks were driven by financial motives, highlighting profit as the primary objective.
- AI-powered phishing campaigns achieved a 42% higher success rate than traditional email-only scams.
- Credential theft was the most common attack outcome, representing 29% of reported incidents.
- Data theft accounted for 18% of social engineering attack outcomes across organizations.
- Extortion represented 13% of social engineering attack consequences, ranking third among major outcomes.
- The combined share of credential theft, data theft, and extortion reached 60% of all reported attack outcomes.
- Organizations face growing risk as AI-enhanced phishing improves attacker effectiveness by 42%.
- The dominance of phishing (65%) and financially motivated attacks (89%) underscores the importance of employee security awareness training.

Frequency and Volume of Social Engineering Incidents
- Authorities received 859,532 internet crime complaints in 2024, averaging more than 2,350 reports per day.
- Reported cybercrime losses reached $16.6 billion in 2024, representing a 33% increase from the previous year.
- Phishing remained the most reported cybercrime category in 2024, accounting for exactly 193,407 individual complaints.
- Modern data breaches frequently leverage social engineering tactics, involving pretexting in over 40% of incidents and phishing in 31%.
- Credential theft served as the initial access vector in 38% of all data breaches, making stolen logins a primary outcome of social engineering.
- Targeted attacks leveraging phishing and pretexting via email continue to account for 73% of total breaches in vulnerable sectors.
- The human element remains a critical cybersecurity vulnerability, factoring into 68% of all analyzed data breaches.
- Financially motivated pretexting incidents predominantly resulted in Business Email Compromise, carrying a median transaction loss of $50,000.
- The median time for targeted users to fall for phishing emails and compromise their credentials is less than 60 seconds.
Phishing, Vishing, and Smishing Statistics
- Phishing contributed to 16% of all investigated breaches in the latest breach investigations report.
- Email remains the dominant phishing channel, accounting for the majority of credential harvesting attempts worldwide.
- SMS phishing, commonly known as smishing, increased significantly as attackers exploited mobile-first communication habits.
- Voice phishing, or vishing, has become more sophisticated due to AI-generated voice cloning technology.
- Research found that nearly one-third of users have interacted with a phishing message at least once before recognizing the threat.
- Mobile phishing attacks increased by more than 50% year over year in several monitored regions during 2024.
- Financial institutions remain among the most impersonated organizations in phishing campaigns.
- Security researchers identified Microsoft 365 login pages as one of the most frequently spoofed targets in credential theft campaigns throughout 2025.
- QR-code phishing attacks expanded rapidly during 2024 and 2025 as attackers used fake invoices, parking notices, and package delivery alerts.
- AI-generated phishing emails demonstrated significantly higher engagement rates than traditional phishing messages in controlled security experiments.
The Financial Cost of Social Engineering Attacks
- The average global cost of a data breach reached $4.88 million in 2024, up from $4.45 million in 2023.
- Financial-sector organizations faced an average breach cost of approximately $6.08 million.
- Reported internet crime losses exceeded $16 billion during 2024, setting a new record.
- Consumers reported $12.5 billion in fraud-related losses in 2024.
- Victims aged 60 and older lost approximately $4.8 billion to internet-enabled crimes in 2024.
- Business Email Compromise remained a multibillion-dollar threat, producing more than $2.9 billion in annual adjusted losses according to recent reporting.
- Phishing-related breaches required an average of 261 days to identify and contain, increasing recovery costs.
- Social engineering incidents required an average of 257 days to identify and contain.
- Organizations deploying security AI and automation reduced breach costs by an average of $1.9 million compared with organizations lacking those capabilities.

Business Email Compromise Statistics
- Business Email Compromise generated $3.046 billion in reported losses in the US during 2025.
- Global exposed losses from BEC scams have surpassed $55 billion over the past decade.
- Authorities received 24,768 complaints directly related to BEC attacks in 2025.
- The average financial loss per successful wire fraud via BEC reached $286,000.
- Approximately 40% of all BEC emails analyzed recently were found to be AI-generated.
- BEC attacks have surged by an astonishing 1,760% since 2022 due to the adoption of generative AI tools.
- Over 66 million targeted BEC attacks are detected and stopped per month on average.
- The healthcare sector experienced an average financial loss of $261,000 per BEC incident.
The Impact of AI and Deepfakes on Social Engineering
- In 2025, AI-enabled adversaries increased their overall cyberattacks by 89% year-over-year.
- Fraudsters now require as little as three seconds of audio to create a voice clone with an 85% match.
- Over 62% of organizations experienced a deepfake incident involving social engineering in the prior 12 months.
- Malicious voice deepfakes used in contact center fraud experienced a massive 680% year-over-year surge.
- Analysts project that by 2026, 30% of enterprises will no longer trust standalone identity verification due to AI-generated deepfakes.
- Financial fraud losses originating from generative AI technologies are projected to hit $40 billion by 2027.
- Deepfakes now account for 6.5% of all fraud attacks, marking a staggering 2,137% increase since 2022.
- Approximately 41% of surveyed organizations faced deepfake-enabled social engineering on audio calls, and 35% on video calls.
- Humans can correctly detect AI-generated media, including audio, video, and images, with only 53.7% accuracy.
- The average financial loss from a successful deepfake-driven AI fraud incident reached $280,000 for affected businesses.
Social Engineering by Demographics and Region
- Adults aged 60 and older suffered the highest financial impact with $7.7 billion in reported losses in 2025.
- Individuals in their 30s and 40s reported a combined $4.6 billion lost to internet-based social engineering crimes.
- Victims under the age of 20 represented the lowest demographic financial impact with $67.1 million in reported losses.
- Organizations in Asia face the highest regional cyber risk, with 26% of global attacks occurring there.
- North America continues to be heavily targeted, accounting for 23% of the global organizational cybercrime risk.
- California ranked highest in the United States for elder fraud losses, totaling $1.06 billion from social engineering.
- Europe accounted for 24% of global organizational risk but maintained higher overall cyber resilience confidence.
- Over 55% of localized ransomware and social engineering attacks globally targeted small businesses with 1 to 50 employees.

Social Engineering Statistics by Industry and Sector
- Healthcare organizations continued to experience the highest average breach costs, exceeding $9.77 million per incident.
- The financial sector recorded one of the highest average breach costs at approximately $6.08 million per breach.
- Financial services are top targets for Business Email Compromise (BEC), with BEC causing a staggering $2.77 billion in global losses.
- Educational institutions face high volumes of phishing attacks, which now take an average of 206 days to detect and contain.
- Manufacturing organizations experienced increased ransomware activity, contributing to the $4.88 million global average data breach cost.
- Technology companies are repeatedly targeted for their intellectual property, which was compromised in 43% of all data breaches.
- Retail companies face increasing credential theft attacks, directly contributing to the $27.2 billion lost to identity fraud last year.
- Critical infrastructure organizations reported growing phishing attempts, with the human element factoring into 68% of all cybersecurity breaches.
The Impact of Social Engineering on Small Businesses
- More than 40% of all cyberattacks specifically target small and medium-sized businesses.
- Nearly 1 in 4 small businesses experience a significant cyber incident every single year.
- Phishing remains the primary attack vector, representing over 80% of reported social engineering incidents.
- Approximately 60% of small businesses that suffer a severe data breach close within six months.
- Business Email Compromise (BEC) costs small businesses an average of $50,000 per successful attack.
- Less than 30% of small businesses employ dedicated cybersecurity personnel to defend against threats.
- Security awareness training is implemented by only about 40% of small enterprises globally.
- Successful ransomware and social engineering attacks cause an average downtime of 21 days.
- Human error manipulated by social engineering is responsible for over 70% of credential theft.
- Small organizations represent roughly 43% of all targeted spear-phishing campaigns.
Breakdown of Social Engineering Attack Methods
- Phishing dominates social engineering attacks, accounting for 65% of all reported incidents.
- Other attack methods collectively represent 22%, making them the second largest category.
- SEO poisoning and malvertising contribute 12% of social engineering attacks, highlighting search-based threats.
- Smishing and MFA bombing are the least common attack types, responsible for just 1% of incidents.
- Nearly two-thirds (65%) of social engineering attacks rely on phishing, far exceeding all other methods.
- Phishing attacks alone occur almost 3 times more often than all other categorized attack types combined (23%).
- SEO poisoning/malvertising attacks are 12 times more common than smishing/MFA bombing attacks.
- Only 13% of attacks come from SEO poisoning, malvertising, smishing, and MFA bombing combined.

Credential Theft and Account Takeover Statistics
- Credential abuse was the most common initial access vector in breaches, accounting for 22% of all cases.
- The overall account takeover attack rate rose to 2.5% recently, marking a 4% year-over-year increase.
- Fintech and finance sectors experienced a massive 122% surge in account takeover attacks year-over-year.
- Infostealers compromised 30% of corporate devices and 46% of unmanaged devices, holding company credentials.
- Approximately 55% of all fraud in digital banking is now tied directly to account takeover attempts.
- Deepfakes now account for 1 in 5 biometric fraud attempts, heavily contributing to modern account takeover.
- Breaches involving stolen or compromised credentials took an average of 276 days to identify and contain.
- Around 83% of organizations experienced at least one account takeover incident over the past year.
- A staggering 72% of younger users reuse passwords, fueling the high success rate of credential stuffing attacks.
Insider Threats and Pretexting Data
- Over 30% of all data breaches are caused by internal employees or organizational insiders.
- Pretexting is involved in more than 50% of social engineering cyber incidents.
- Finance and HR employees are targeted in 70% of pretexting campaigns across industries.
- Executive and IT impersonation accounts for nearly 60% of all pretexting tactics.
- Over 74% of organizations report feeling more vulnerable to threats due to remote work.
- Negligent insiders are responsible for 55% to 60% of all insider threat incidents.
- Unauthorized data sharing incidents have increased by 44% over the last three years.
- Business email compromise involving impersonation costs businesses an average of $5.9 million.
- Over-privileged users are responsible for nearly 80% of accidental data exposures.
- Behavioral monitoring reduces the time to detect insider threats from 85 days to under 30 days.
Phishing Email Timing Trends
- Sunday is the most common day for phishing campaigns, accounting for 22% of all phishing emails sent.
- Friday ranks second, with 19% of phishing emails being distributed before the weekend.
- Monday sees 15% of phishing email activity, making it the third most targeted day.
- Tuesday and Saturday each account for 13% of phishing emails sent.
- Wednesday represents 11% of phishing email distribution, below the weekly average.
- Thursday has the lowest phishing activity, with only 7% of emails sent on that day.
- Weekend days (Saturday and Sunday) collectively account for 35% of all phishing emails sent during the week.

The Role of Human Error in Cyber Breaches
- 82% of data breaches involve the human element, such as errors or social engineering.
- The median time for an employee to click a malicious phishing link is just 21 seconds.
- Over 80% of hacking-related breaches involve brute force or the use of stolen credentials.
- 31% of organizations attribute their cloud data breaches directly to misconfiguration or human error.
- 17% of employees accidentally email the wrong external party, potentially exposing sensitive information.
- 68% of breaches in recent surveys were caused by non-malicious human factors and mistakes.
- Consistent security simulations trigger a 40% drop in phishing susceptibility within 90 days.
- 56% of IT leaders believe that remote work increases the likelihood of breaches caused by human error.
- Business Email Compromise attacks exploiting employee trust cost organizations an average of $4.67 million per incident.
- Approximately 82.6% of detected phishing emails targeting psychological behaviors are now AI-generated.
Effectiveness of Security Awareness and Training
- Regular security training drops employee phishing susceptibility from 33% to under 5% within a year.
- Robust awareness programs reduce the average financial cost of a data breach by over $230,000.
- Approximately 74% of all cyber breaches involve the human element, making education essential.
- Organizations conducting monthly phishing simulations see a 60% faster reporting rate for actual threats.
- Companies with continuous security education experience up to a 72% reduction in successful cyberattacks.
- Employees given interactive training are five times more likely to identify targeted social engineering.
- Proper security awareness reduces risky employee behaviors like password sharing by nearly 50%.
- Investment in cybersecurity education yields a reported return on investment (ROI) of up to 562%.
Leading Causes of Ransomware Infections Worldwide
- Spam/phishing emails are the leading ransomware infection method, cited by 54% of respondents worldwide.
- Poor user practices contribute to 27% of ransomware infections, making them the second most common cause.
- Lack of security awareness training is linked to 26% of ransomware incidents, highlighting the importance of employee education.
- Weak passwords and poor access management account for 21% of ransomware infections across organizations.
- Open RDP access is responsible for 20% of ransomware attacks, exposing systems to remote exploitation.
- Report clickbait contributes to 17% of ransomware infections through deceptive online content.
- Malicious websites and ads are associated with 14% of ransomware incidents worldwide.
- Lost or stolen credentials play a role in 10% of ransomware infections, enabling unauthorized access to systems.

Future Projections and Trends for Social Engineering
- AI-generated phishing campaigns are now achieving a 54% click-through rate while reducing campaign costs by 95%.
- Deepfake fraud attempts have skyrocketed by 2,137% over three years, with audio deepfakes surging by 680% year-over-year.
- Credential theft and phishing initiate 16% of all data breaches, frequently escalating into ransomware attacks that account for 44% of incidents.
- Identity-based intrusions now account for nearly 70% of all cyber incidents, outpacing traditional software vulnerabilities.
- Mobile-centric social engineering is rapidly expanding, with 68% of phishing attacks specifically targeting smartphone users.
- Malicious QR code phishing volumes exploded by 146% in early 2026, peaking at an unprecedented 18.7 million attacks in a single month.
- Proactive AI-assisted defense tools and multifactor authentication have proven effective in preventing up to 99% of mass password-guessing attacks.
- Human error continues to be the most critical vulnerability, directly contributing to 60% of all confirmed corporate security breaches.
Frequently Asked Questions (FAQs)
Nearly 60% of data breaches involved a human element, including social engineering, credential misuse, and user errors, according to the latest breach investigations findings.
Reported internet crime losses reached approximately $16.6 billion in 2024, representing a 33% increase compared to 2023.
Stolen credentials were used in 22% of investigated breaches, making credential abuse one of the most common initial access methods.
Victims submitted nearly 860,000 internet crime complaints during 2024, averaging more than 2,300 complaints per day.
Business Email Compromise scams have generated more than $55 billion in global exposed losses since authorities began tracking the crime category.
Conclusion
Social engineering continues to evolve faster than many traditional cyber threats. The latest data shows that attackers increasingly rely on phishing, credential theft, Business Email Compromise, deepfakes, and AI-generated impersonation campaigns to exploit human behavior. At the same time, breach investigations consistently demonstrate that human involvement remains a factor in nearly 60% of security incidents.
For organizations, the challenge extends beyond deploying technical controls. Effective defense now requires a combination of identity protection, employee education, phishing-resistant authentication, continuous monitoring, and AI-powered threat detection. Small businesses, large enterprises, government agencies, and consumers all face growing exposure to sophisticated manipulation tactics.
Looking ahead, AI-enhanced social engineering will likely increase the scale, speed, and realism of attacks. Organizations that invest in security awareness, strong authentication controls, and proactive cyber resilience strategies will be better positioned to reduce risk and limit financial losses in the years ahead.