Social Engineering Statistics: How Can Your Business Avoid Being One?

Heer Chheda

Dec 31, 2024

Have you heard the story of the Trojan horse? 

Beyond the well-known story from Greek mythology, in which the Greek army got inside the walls of Troy by deceiving its defenders with an offering, "Trojan horse" is also a cyber security term: it refers to malicious software that gets onto a computer disguised as a legitimate program. 

This is a form of social engineering attack, and in this blog, we will cover many more statistics about it that may surprise you. If you’re already familiar with social engineering and how it works, we recommend you skip to the last part of the blog, where we discuss how to protect your organization from it. 

TL;DR

Social engineering scams are on the rise, with 98% of cyberattackers using social engineering techniques. These scams exploit human vulnerabilities to gain access to information, posing serious threats to organizations. 
The only way to prevent social engineering attacks is to create a security-aware culture, which involves awareness programs for employees led by the security team, phishing simulations, and implemented security policies. 

What is social engineering? 

Social engineering is a strategy used by malicious attackers to exploit the vulnerabilities of the human mind and gain access to sensitive information. Typically, fear, relationships, and social expectations are used to manipulate the victim into divulging information or performing actions that put them or their organization at risk. Up to 98% of cyber attacks involve some form of social engineering. 

Types of social engineering attacks

There are different types of social engineering attacks, and each differs in the medium, nature, and ultimate target. 

Phishing

Phishing is a sophisticated attack that aims to deceive individuals into revealing sensitive information or doing something harmful. Cybercriminals draft convincing emails or texts, pretending to be banks, governments, or other well-trusted sources. 

Phishing poses a significant threat to businesses because it targets the weakest link in an organization: the human element. A successful phishing attack can compromise the entire network, leading to data breaches, financial losses, or reputational damage. 

Spear phishing

Spear phishing is a type of social engineering attack in which cybercriminals target a specific organization to gain access to confidential and sensitive information.

The difference between phishing and spear phishing is the target. Phishing, in general, is a "bulk" activity, like shooting aimlessly, whereas spear phishing targets a specific individual or group of individuals in an organization to obtain the sensitive data the bad actor wants.  

Smishing

Smishing, or SMS phishing, uses text messages to trick people into downloading malware or sharing sensitive information. It is a quite popular form of social engineering, as mobile phone open rates range between 8% and 14%, compared to email open rates that hardly go above 2%. 

The critical difference between phishing and smishing lies in the medium of the attack. 

Quid Pro Quo

“Quid pro quo” means “something for something” in Latin. It is a social engineering attack type wherein a threat actor offers a service in exchange for information or access. It is reciprocity at its finest. The social engineer impersonates an IT technician, offering assistance. They get in touch with potential victims by providing help or service. In exchange for addressing the issue, they ask for sensitive information and login credentials or request the employee to temporarily disable security features like 2FA. 

Honey trapping

Honey trapping is a type of social engineering in which the bad actor creates a fake profile that appeals to the target. Threat actors often use flattery to build a connection with the victim and cultivate a relationship, usually an emotionally manipulative one. Once the relationship is built, the attacker exploits the connection to extract sensitive information. 

Whaling

Whaling is a phishing attack that targets high-profile company employees, commonly referred to as “whales” in cybercrimes. These attacks are personalized, as threat actors invest a fair amount of time researching the target.

While whaling may seem easy to avoid, these attacks are not always as obvious as they appear.

Baiting

Baiting is a social engineering attack type that uses temptation to lure victims and manipulates them into divulging secret or sensitive information. These messages often use false promises or curiosity hooks to grab readers’ attention. 

Baiting's delivery mechanisms include emails, social media, text messages, or USB drives. Threat actors leave infected USB drives in public locations, tempting curious individuals to plug them into their devices. 

While these tactics seem like elaborate schemes of the past, their prevalence in today’s world is all too real. The statistics paint a concerning picture of how social engineering attacks have risen and the impact they have created.

Social engineering statistics: The rise and prevalence of attacks

Social engineering attacks are rising, reflecting their growing sophistication and the vulnerability of the human element in cybersecurity. More than half of the data breaches in 2020-2021 were due to cyber criminals exploiting the human element. The pandemic only exacerbated the attacks, with Google reporting a 350% surge in phishing websites. 

Here's a breakdown of the social engineering stats:

Phishing

  1. Proofpoint reported that 83% of the targeted users fell victim to phishing attacks in 2022. (Source)
  2. More than 30% of the phishing emails that were delivered came from Russia. (Source)
  3. Contrary to popular belief, millennials and Gen-Z users are more likely to fall for a phishing scam. (Source)
  4. According to Cisco, 90% of all attacks begin with a phishing email. (Source)
  5. Recipients open 30% of phishing emails. (Source)
  6. The time it takes to fall for a phishing email is less than 60 seconds.  (Source)
  7. Social engineering attempts through phishing emails jumped to 1.76 billion, a 51% increase from 2022. And Facebook was the most impersonated brand with 23% of the phishing emails mentioning the company in the phishing URL. (Source)
  8. 56% of organizations receive phishing emails on a daily or weekly basis. (Source)
  9. In 86% of the organizations surveyed by Cisco, at least one person clicked on a phishing link in 2021. (Source)
  10. Phishing is the most common entry point for a ransomware attack. (Source)
  11. According to IBM’s data report, spear phishing is the leading cause of data breaches. (Source)
  12. Out of the users that receive infected attachments, 12% of them click on it. (Source)
  13. 84% of the phishing sites exist for less than 24hrs. (Source)
  14. 1 in 8 employees are likely to accidentally share their credentials when requested in a phishing email. (Source)
  15. Before 2019, 65% of attackers used spear phishing as their primary infection vector. (Source)
  16. McAfee estimated that 97% of people globally cannot identify a sophisticated phishing email. (Source)

Business email compromise

  1. The FBI’s IC3 reported that BEC scams account for over $51 billion in losses and that unless tools are developed to stop these attacks, the number is expected to grow. (Source)
  2. The US Treasury Department recorded that more than 1,100 BEC emails were sent monthly in 2018, and business losses exceeded $300 million a month. (Source)
  3. 54% of BEC fraud attempts are made using display name spoofing. (Source)
  4. Mimecast reported that BEC scammers often target CEOs and CFOs. (Source)
  5. More than 70% of people know the risks of unknown links in emails but proceed to click anyway. (Source)
  6. Nearly 30% of emails pass default security. (Source)
  7. Scammers made $1.8 billion USD in 2020. (Source)
  8. Microsoft Office files account for 48% of malicious email attachments. (Source)

Data breaches 

  1. Social engineering and human error together account for 74% of data breaches. (Source)
  2. Healthcare and finance are the most targeted industries for data breaches involving social engineering. (Source)
  3. According to a Stanford University study, one in four employees admitted to clicking on malicious links in emails. (Source)
  4. The average cost of a data breach due to social engineering is estimated at $4.1 million. (Source)
  5. Over 80% of the data breaches involved weak or stolen passwords. (Source)
  6. It took organizations about 207 days to identify a breach, and about 70 days to contain the breach. (Source)
  7. A data breach exposed the personal information of 9% of LinkedIn members, in 2021. (Source)
  8. More than 6 out of 10 companies said that their data was potentially compromised due to hardware or silicon-level security breach, in 2020. (Source)
  9. Of the successful data breaches, 70% of them originated from endpoint devices. (Source)
  10. 80% of successful breaches are zero-day attacks. (Source)
  11. 61% of data breaches involve credential data. (Source)
  12. The average cost of a mega breach (involving 50 million to 65 million records) is $387 million. (Source)
  13. Money is the biggest motivator for breaches, accounting for more than 80%. (Source)
  14. Social engineering cyber attacks are almost 80% effective.  (Source)
  15. 8% of breaches were caused by a misuse from the authorized users. (Source)
  16. Healthcare has the highest average cost per breach, at $10.93 million in 2023. (Source)
  17. Compromised credentials are responsible for 19% of all data breaches. (Source)
  18. More than half of the companies who experience a breach do not report an attack vector. (Source)
  19. The use of strong encryption can reduce the average cost of a data breach by $220,000. (Source)
  20. The use of AI and automation in security response can reduce breach costs by up to $173,074. (Source)

Malware and ransomware

  1. Over 92% of the malware was inserted using emails. (Source)
  2. Phishing emails are the leading cause of malware infections. (Source)
  3. The average payment demanded for a ransom is around $400,000 in 2023. (Source)
  4. In 2023, 65% of financial organizations experienced a malware attack, of which 40% paid more than $1 million in ransom. (Source)
  5. Small businesses are frequently targeted by attackers, as opposed to larger organizations. (Source)
  6. More than 600 million ransomware attacks were carried out, globally, in 2021. (Source)
  7. A ransomware attack happens every 11 seconds. (Source)
  8. 61% of organizations suffered a ransomware attack in 2020. (Source)
  9. More than half of Americans don’t know what to do when a breach does happen. (Source)
  10. About 69% of organizations don't trust antivirus software to stop malware attacks. (Source)
  11. 72.7% of organizations fell prey to a ransomware attack in 2023. (Source)
  12. The cost of ransomware is expected to grow to $265 billion USD by 2031. (Source)
  13. 14% of breaches exploited vulnerabilities as their first entry point. (Source)
  14. The average cost of downtime due to ransomware attacks is $283,800. (Source)
  15. 83% of organizations have experienced more than one data breach. (Source)
  16. In 2023, Zero Day attacks exceeded ransomware attacks and malware attacks. (Source)
  17. In 2023, ransomware accounted for 24% of incidents in which malware was used. (Source)
  18. 66% of businesses attacked by ransomware reported significant revenue loss. (Source)
  19. In 2021, 58% of state and local governmental organizations were hit by a ransomware attack. (Source)
  20. The average remediation cost of ransomware was $1.85 million in 2021. (Source)

Web-based attacks & IoT 

  1. 64% of companies have experienced some form of web-based attacks. (Source)
  2. 61% of organizations have faced an Internet of Things security issue. (Source)
  3. 90% of Remote Code Execution attacks are associated with cryptomining. (Source)
  4. In 2023, at least 344 U.S. organizations were impacted by vulnerabilities in MOVEit products used by themselves or their vendors. (Source)
  5. The number of Internet of Things (IoT) connected devices is projected to reach 75.44 billion by 2025, significantly expanding the attack surface for cybercriminals. (Source)

Cyber security attacks

  1. More than 1 in 4 companies have faced cyber fatigue, when it comes to proactively safeguarding themselves against cyber attacks. (Source)
  2. 84% of critical infrastructure incidents could have been mitigated if the initial access vector had been addressed. (Source)
  3. In a study conducted by Statista, 72% of the global respondents were concerned about the online security risks associated with working remotely.  (Source)  
  4. AI advancements like ChatGPT pose a potential threat in the cybersecurity landscape. (Source)
  5. The cost of a cyber attack for a small business is estimated to be around $200,000 USD. (Source)
  6. 60% of SMEs that suffer a successful cyber attack go out of business. (Source)
  7. The global cybersecurity market size is expected to grow to $345.4 billion by 2026. (Source)
  8. 54% of companies say their IT departments are not sophisticated enough to handle advanced cybersecurity threats. (Source)
  9. The education sector saw a 44% increase in cyberattacks in 2022 compared to 2021. (Source)
  10. On average, only 5% of companies' folders are properly protected. (Source)

What do the numbers tell us? 

The numbers clearly show the nature and frequency of cyber attacks. On top of that, these attacks have evolved and become more sophisticated. Attackers are adaptable and exploit current events and loopholes in new technologies. 

The figures underscore the vulnerability of SMBs, suggesting that they are an easier target for attackers. Perhaps the most important takeaway is the vulnerability of the human element in organizations. As humans, we are evidently curious, and while curiosity drives innovation and growth, it can also lead to suspicious links being clicked. 

So, how do you prevent these attacks? 

How to prevent cybersecurity attacks

To prevent cybersecurity attacks, you need to take a proactive approach that combines cyber security tools with human-centric strategies; this builds resilience and a security culture that permeates every level of your organization.

Here are a few strategies that you can employ to prevent your organization from being a statistic.

Security awareness training and creating a security-aware culture.

Creating a culture of security awareness is pivotal in preventing attacks of any kind. Because the human element is often the most vulnerable, this strategy addresses it directly while also employing technical guardrails.  

Security awareness usually starts with management. They should proactively champion security initiatives and lead by example wherever possible. Management should also conduct security awareness programs that cover current threats and defense strategies. 

“While the success of any security and compliance program can be attributed to various teams, failures will always fall on business owners. Therefore, the involvement of senior management and business owners is crucial in security and compliance programs.” 

Gurudev Mallesha, ISO Lead Auditor at Sprinto

Like Dwight’s fire safety drill, you can conduct regular phishing simulations and other exercises to test your employee’s vigilance and reaction. Just don’t induce a heart attack (if you know, you know). 

You can embed security checkpoints into everyday processes and ensure open communication so that employees feel comfortable raising concerns and doubts. 

Recognize social engineering tactics.

Social engineering is built on creating a false sense of urgency so that victims make decisions under duress. The usual ploy is something like, "This requires your immediate attention," and it is easy to fall into this trap. Train your employees to check a couple of things, like the sender's email address, the email signature, and other small details that could reveal inconsistencies. They should also be trained to verify such emails through official communication channels.

Attackers can also impersonate figures of authority and leverage employees' natural tendency to comply. Train your employees to identify two key things here: 

  1. The nature of the request. What is an acceptable ask? What would a person in authority typically ask for, and what would they never ask for? 
  2. Verify the identity of the individual making the request, regardless of the position or authority they claim to have. 

Employees should also be trained to be skeptical of unsolicited requests or offers, as organization processes rarely involve such instances.  

Conduct regular phishing testing.

Understand the benefits of training and testing your employees. These tests help you recognize the effectiveness of cybersecurity awareness and training and reinforce good practices. By employing controlled methods and fake phishing scenarios, you can significantly reduce the risk of falling into actual scams. 

Define the objectives, length, frequency, and impact of the phishing scenarios you wish to simulate. Ideally, the tests you choose should vary in each factor to keep your employees up to date on evolving cyber threats. Ensure that these tests are conducted ethically and comply with company policies.

Conduct different types of phishing attacks and measure the results. Carefully analyze the results, which include tracking metrics such as click rates, report rates, and the time taken to report suspicious activity or emails. These areas can help you better tailor your awareness programs. 
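The metrics named above (click rate, report rate, time taken to report) can be computed directly from a simulation's event log. The following is an added example, not code from the post or from Sprinto; the event log, user names and event types are constructed for illustration.

```python
"""Score a phishing simulation from its event log: click rate, report rate,
the share who reported without clicking, median time-to-report, and who
needs follow-up training. The event log below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed events: (user, event, ISO timestamp). Every recipient gets a
# "delivered" row; the later rows record what they did with the lure.
EVENTS = [
    ("alice", "delivered", "2024-12-02T09:00:00"),
    ("alice", "reported", "2024-12-02T09:04:00"),
    ("bob", "delivered", "2024-12-02T09:00:00"),
    ("bob", "clicked", "2024-12-02T09:00:45"),
    ("bob", "submitted_credentials", "2024-12-02T09:01:30"),
    ("carol", "delivered", "2024-12-02T09:00:00"),
    ("carol", "clicked", "2024-12-02T09:10:00"),
    ("carol", "reported", "2024-12-02T09:12:00"),
    ("dave", "delivered", "2024-12-02T09:00:00"),
]


def score_campaign(events):
    """Return campaign metrics keyed by name; rates are fractions of recipients."""
    per_user = defaultdict(dict)
    for user, event, ts in events:
        t = datetime.fromisoformat(ts)
        # Keep only the earliest timestamp per (user, event) so repeated
        # clicks or duplicate reports do not skew the timing metrics.
        if event not in per_user[user] or t < per_user[user][event]:
            per_user[user][event] = t
    delivered = [u for u, e in per_user.items() if "delivered" in e]
    n = len(delivered)
    clicked = [u for u in delivered if "clicked" in per_user[u]]
    reported = [u for u in delivered if "reported" in per_user[u]]
    submitted = [u for u in delivered if "submitted_credentials" in per_user[u]]
    # Reporting without ever clicking is the behaviour training aims for.
    reported_clean = [u for u in reported if u not in clicked]
    minutes = [(per_user[u]["reported"] - per_user[u]["delivered"]).total_seconds() / 60
               for u in reported]
    return {
        "recipients": n,
        "click_rate": round(len(clicked) / n, 3),
        "report_rate": round(len(reported) / n, 3),
        "clean_report_rate": round(len(reported_clean) / n, 3),
        "credential_rate": round(len(submitted) / n, 3),
        "median_minutes_to_report": median(minutes) if minutes else None,
        "needs_followup": sorted(submitted),
        "no_action": sorted(u for u in delivered
                            if u not in clicked and u not in reported),
    }


if __name__ == "__main__":
    for key, value in score_campaign(EVENTS).items():
        print(f"{key}: {value}")
```

Recipients who neither clicked nor reported ("no_action") are worth tracking separately: a lure that is ignored was not recognised as an attack either.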

Update your security and implement patches.

Patching and security updates should be a critical aspect of your organization’s cyber security strategy to prevent social engineering attacks. Timely patching and updating your security addresses any known vulnerabilities in your operating systems, software, or applications. 

Ensure you have a robust vulnerability management tool that regularly scans your system to identify vulnerabilities and weaknesses. Prioritize patching based on risk assessments. 

Test your patches before you deploy them across the entire network to ensure they don’t cause conflicts or cause business operations to fail. Some software allows you to automate the entire patch management process, and these tools ensure consistency and reduce the time of release and implementation.

Some of your legacy systems or applications may no longer receive updates. Develop strategies to isolate them and plan for their replacement. If you can't replace them, see whether you can implement compensating controls. 

Monitor continuously

Continuous monitoring allows you to detect and respond to potential threats proactively. It also helps you detect unusual patterns or behaviors that could indicate an attack or an ongoing compromise. 

Ensure your system analyzes user behavior patterns to detect deviations from natural activity. You can also deploy email filtering to detect suspicious attachments and phishing emails that could indicate a business email compromise attack. 
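The sender checks recommended earlier (sender address, signature details, impersonated authority) and the email filtering for business email compromise described here can be partly automated on the message headers. The following is an added example, not code from the post or from Sprinto; the company domain, executive list and sample message are constructed, and the lookalike test is a simple one-edit heuristic.

```python
"""Triage a message's From/Reply-To headers for the sender-side red flags
the post lists: display-name spoofing of a known executive, a lookalike of
the company domain, and a Reply-To that diverts replies elsewhere."""
from email import message_from_string
from email.utils import parseaddr

# Assumed company data (constructed): the legitimate domain and the
# executives whose names BEC lures commonly borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _normalize_name(name: str) -> str:
    return " ".join(name.lower().replace(",", " ").split())


def _looks_like(domain: str, legit: str) -> bool:
    """True if domain is a near-miss of legit: one edit away (examp1e.com)
    or the legit label embedded in a longer name (example-com.net)."""
    if domain == legit:
        return False
    if legit.split(".")[0] in domain:
        return True
    if abs(len(domain) - len(legit)) > 1:
        return False
    # Single-edit distance walk, no external dependency.
    i = j = edits = 0
    while i < len(domain) and j < len(legit):
        if domain[i] == legit[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(domain) > len(legit):
            i += 1
        elif len(domain) < len(legit):
            j += 1
        else:
            i += 1
            j += 1
    edits += (len(domain) - i) + (len(legit) - j)
    return edits == 1


def triage_sender(raw_message: str) -> list:
    """Return the list of red flags found in the From/Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    known = EXECUTIVES.get(_normalize_name(name))
    if known and addr.lower() != known:
        flags.append(f"display name '{name}' matches an executive but address is {addr}")
    if _looks_like(domain, COMPANY_DOMAIN):
        flags.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    return flags


# Constructed sample: an "urgent" lure wearing the CEO's display name.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@gmail.example
Subject: This requires your immediate attention

Please process the attached invoice today.
"""

if __name__ == "__main__":
    for flag in triage_sender(SAMPLE):
        print("FLAG:", flag)
```

A message with no flags is not proof of legitimacy (a compromised real mailbox passes all three checks), which is why the post pairs filtering with verification over an official channel.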

You must continuously monitor all endpoints for signs of compromise or attack, such as the installation of malicious software or changes to a system's configuration. 

With a robust continuous monitoring system and strategy, you can significantly enhance your ability to deflect threats and respond to attacks in real-time.

“Most of the time, security is about discipline and processes around crucial activities that you do continuously. These include common things such as how you onboard or offboard employees or how you just push code to production.”

Girish Redekar, Co-Founder at Sprinto

Final thoughts… 

The pervasive use of technology and the sophistication of social engineering attacks demand immediate and comprehensive actions from organizations, regardless of their size and industry. Social engineering statistics clearly indicate the unpredictable nature of attacks and their target—human nature. 

To effectively address and combat these issues, you must adopt a layered approach that goes beyond addressing threats with traditional technical defenses. Humans are at the forefront of any comprehensive strategy, a source of strength but also a point of vulnerability. 

Leverage the human brain to your advantage. Foster a culture of transparency and security awareness in which employees are actively manning your organization's walls. Invest in technology by installing antivirus software, firewalls, intrusion detection and prevention systems, and multi-factor authentication.

Combining the power of tools with the ability of well-trained, vigilant employees can create a strong security network.

Sprinto as your cyber security guard

Sprinto is a GRC automation platform that helps you achieve and maintain compliance with Infosec standards, reducing your vulnerability to social engineering attacks. It gives you visibility into your compliance health and control status with the live dashboard, allowing you to quickly identify and address any weaknesses. 

You can use Sprinto’s training templates to help educate your workforce on recognizing and responding to social threats, ensuring that your employees are a strong first line of defense. 

Sprinto also ensures that you are continuously compliant across various frameworks, ensuring a strong security posture.

Book a demo to see how Sprinto helps you avoid being a statistic

FAQs

What are the four types of social engineering?

The four most common types of social engineering attacks are:

  1. Phishing: Phishing attempts are social engineering attacks that use fraudulent emails, websites, or messages to trick people into divulging sensitive information by clicking on malicious links. 
  2. Pretexting: Pretexting is when bad actors create a fabricated scenario to manipulate victims into revealing sensitive information or performing actions they usually wouldn’t do. 
  3. Scareware: Scareware is deceptive software designed to trick users into believing their device is infected with malware or facing a serious security breach or threat. It typically sends out fake alerts or warnings to scare users into purchasing unnecessary software or services. 
  4. Ransomware: Ransomware is malicious software that encrypts the target’s files and locks them out of their devices, demanding a ransom for the decryption key that enables them to regain access. It is a direct attack that can spread through various vectors. 

What is social engineering data?

Social engineering data is the information that is gathered and used by threat actors to craft convincing social engineering attacks. This data includes:

  1. Personal information
  2. Professional details
  3. Social media activity 
  4. Public Records 
  5. Recent events or news related to the target. 

This data is collected from sources like open-source intelligence, data breaches, and social media research. 

What are the 4 phases of a social engineering attack?

The 4 phases of a social engineering attack are:

  1. Gathering information: Attackers collect data about their victims through various sources. The phase aims to build a comprehensive profile. 
  2. Developing a relationship: The attackers connect with the target, building rapport and gaining the user’s trust. 
  3. Exploiting: Once the attacker has established trust, the bad actor manipulates the target. It could involve requesting sensitive information, persuading the target to click on malicious links, or gaining access to the control network. 
  4. Execution: Once the attacker achieves their goal, they start covering their tracks to avoid detection. 

Heer Chheda
Heer is a content marketer at Sprinto. With a degree in Media, she has a knack for crafting words that drive results. When she’s not breaking down complex cyber topics, you can find her swimming or relaxing by cooking a meal. A fan of geopolitics, she’s always ready for a debate.
