Social Engineering Statistics: How Can Your Business Avoid Being One?
Heer Chheda
Jul 29, 2024
Have you heard the story of the Trojan horse?
Beyond the well-known story from Greek mythology, in which the Greek army got inside the walled city of Troy by deceiving its defenders with a gift, it is also a cyber security term: a Trojan is malware that a user installs because it is disguised as a legitimate program.
A Trojan only works because someone is tricked into running it, which makes it a form of social engineering attack. In this blog, we will cover many more statistics about social engineering that may surprise you. If you are already familiar with social engineering and how it works, we recommend you skip to the last part of the blog, where we discuss how to protect your organization from it.
TL;DR
Social engineering scams are on the rise: up to 98% of cyber attacks involve some form of social engineering. These scams exploit human psychology rather than software flaws to gain access to information, posing serious threats to organizations.
The most effective defense against social engineering is a security-aware culture: awareness programs for employees led by the security team, regular phishing simulations, and clearly enforced security policies.
What is social engineering?
Social engineering is a strategy used by malicious attackers to exploit human psychology, rather than a technical flaw, to gain access to sensitive information. Attackers typically use fear, urgency, trust in existing relationships, and social expectations to manipulate the victim into divulging information or performing actions that put them or their organization at risk. Up to 98% of cyber attacks involve some form of social engineering.
Types of social engineering attacks
There are different types of social engineering attacks, and each differs in the medium, nature, and ultimate target.
Phishing
Phishing is an attack that aims to deceive individuals into revealing sensitive information or doing something harmful. Cybercriminals draft convincing emails or texts, pretending to be banks, governments, or other well-trusted sources.
Phishing poses a significant threat to businesses because it targets the weakest link in an organization: the human element. A single successful phishing email can give an attacker a foothold from which to compromise the entire network, leading to data breaches, financial losses, or reputational damage.
Spear phishing
Spear phishing is a type of social engineering attack in which cybercriminals target specific individuals within an organization to get access to confidential and sensitive information.
The difference between phishing and spear phishing is the target. Phishing, in general, is a "bulk" activity, like shooting aimlessly at a crowd, while spear phishing targets a specific individual or group of individuals in an organization, using details about them, to extract the sensitive data the bad actor wants.
Smishing
Smishing, or SMS phishing, uses text messages to trick people into downloading malware or sharing sensitive information. It is a popular form of social engineering because mobile phone response rates range between 8% and 14%, compared to email rates that hardly go above 2%.
The critical difference between phishing and smishing lies in the medium of the attack, not the technique.
Quid Pro Quo
"Quid pro quo" means "something for something" in Latin. It is a social engineering attack type in which a threat actor offers a service in exchange for information or access: reciprocity turned into a weapon. Typically, the social engineer impersonates an IT technician and contacts potential victims offering help with a (often invented) problem. In exchange for "fixing" the issue, they ask for sensitive information such as login credentials, or request that the employee temporarily disable security features like 2FA.
Honey trapping
Honey trapping is a type of social engineering in which the bad actor creates a fake profile that appeals to the target. Threat actors often use flattery to build a connection with the victim, cultivating a relationship that is usually emotionally manipulative. Once the relationship is established, the attacker exploits that connection to extract sensitive information.
Whaling
Whaling is a phishing attack that targets high-profile company employees such as executives, commonly referred to as "whales" in cybercrime. These attacks are highly personalized, as threat actors invest a fair amount of time researching the target.
While it seems like an easily avoidable attack, whaling emails are often harder to spot than they appear, precisely because the research behind them makes them convincing.
Baiting
Baiting is a social engineering attack type that uses temptation to lure victims and manipulate them into divulging secret or sensitive information. These messages often use false promises or curiosity hooks to grab the reader's attention.
Baiting's delivery mechanisms include emails, social media, text messages, and USB drives. In the USB variant, threat actors leave infected drives where the target is likely to find them, tempting curious individuals to plug them into their devices.
While these tactics seem like elaborate schemes of the past, their prevalence in today’s world is all too real. The statistics paint a concerning picture of how social engineering attacks have risen and the impact they have created.
Social engineering statistics: The rise and prevalence of attacks
Social engineering attacks are rising, reflecting both their growing sophistication and the persistent vulnerability of the human element in cybersecurity. More than half of the data breaches in 2020-2021 were due to cyber criminals exploiting the human element. The pandemic only exacerbated the attacks, with Google reporting a 350% surge in phishing websites.
Here is a breakdown of the social engineering stats:
Phishing
- Proofpoint reported that 83% of the organizations it surveyed suffered at least one successful phishing attack in 2022. (Source)
- More than 30% of the phishing emails that were delivered came from Russia. (Source)
- Contrary to popular belief, millennials and Gen-Z users are more likely to fall for a phishing scam. (Source)
- According to Cisco, 90% of all attacks begin with a phishing email. (Source)
- Recipients open 30% of phishing emails. (Source)
- The time it takes to fall for a phishing email is less than 60 seconds. (Source)
- Social engineering attempts through phishing emails jumped to 1.76 billion, a 51% increase from 2022. And Facebook was the most impersonated brand with 23% of the phishing emails mentioning the company in the phishing URL. (Source)
- 56% of organizations receive phishing emails on a daily or weekly basis. (Source)
- In 86% of the organizations surveyed by Cisco, at least one person clicked on a phishing link in 2021. (Source)
- Phishing is the most common entry point for a ransomware attack. (Source)
- According to IBM's data breach report, phishing is the leading initial attack vector behind data breaches. (Source)
- 12% of users who receive a malicious attachment open it. (Source)
- 84% of phishing sites exist for less than 24 hours. (Source)
- 1 in 8 employees are likely to accidentally share their credentials when requested in a phishing email. (Source)
- Before 2019, 65% of attackers used spear phishing as their primary infection vector. (Source)
- McAfee estimated that 97% of people globally cannot identify a sophisticated phishing email. (Source)
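The brand-impersonation statistic above (a brand name appearing in the phishing URL) translates directly into a detection check. The following is an added example written for this post, not code from the original article or from any vendor report it cites: it flags links whose hostname or path mentions a brand while the registrable domain is not one the brand owns. The brand allowlist, the two-label suffix table and the sample URLs are all assumptions constructed for illustration; a production version would use the Public Suffix List (for example via the `tldextract` package) instead of the toy suffix logic here.

```python
"""Flag URLs that mention a well-known brand without belonging to it.

Added example for this post. The brand list, suffix table and sample URLs are
constructed assumptions, not data from any report cited in the article.
"""
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse

# Brand -> registrable domains that legitimately belong to it (assumed allowlist).
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "paypal": {"paypal.com"},
}

# Multi-label public suffixes this toy registrable-domain logic knows about.
# Assumption for the example; real code should consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registered_domain(host: str) -> str:
    """Return the registrable domain of a hostname (approximation)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(url: str) -> Optional[str]:
    """Return the brand a URL impersonates, or None if it looks legitimate.

    A URL is flagged when a brand name appears anywhere in the hostname or path
    but the registrable domain is not one the brand owns. Subdomain tricks
    ("facebook.com.account-verify.net") and path tricks ("evil.net/facebook/")
    are both caught by this rule.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return None
    reg = registered_domain(host)
    haystack = host + parsed.path.lower()
    for brand, owned in BRAND_DOMAINS.items():
        if brand in haystack and reg not in owned:
            return brand
    return None


def triage(urls: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each URL to the brand it impersonates (None for clean URLs)."""
    return {u: impersonated_brand(u) for u in urls}


# Constructed sample links of the kind pulled from phishing emails; not real sites.
SAMPLE_URLS = [
    "https://www.facebook.com/login",
    "https://facebook.com.account-verify.net/login",
    "http://secure-paypal-update.info/signin",
    "https://example.org/",
    # Legitimate Microsoft domain deliberately missing from the allowlist above:
    # it gets flagged, which shows why allowlist completeness matters.
    "https://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for url, brand in triage(SAMPLE_URLS).items():
        print(f"{'FLAG' if brand else 'ok  '} {url} {brand or ''}")
```

The last sample URL is a false positive by construction: the check is only as good as the allowlist of domains each brand really owns, so pair it with a maintained list rather than the three-entry table used here.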
Business email compromise
- The FBI’s IC3 reported that BEC scams account for over $51 billion in losses and that unless tools are developed to stop these attacks, the number is expected to grow. (Source)
- The US Treasury Department recorded more than 1,100 BEC incidents reported per month in 2018, with business losses exceeding $300 million a month. (Source)
- 54% of BEC fraud attempts used display name spoofing. (Source)
- Mimecast reported that BEC scammers most often target CEOs and CFOs. (Source)
- More than 70% of people know the risks of unknown links in emails but proceed to click anyway. (Source)
- Nearly 30% of phishing emails get past default email security controls. (Source)
- BEC scams cost victims $1.8 billion in 2020. (Source)
- Microsoft Office files account for 48% of malicious email attachments. (Source)
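Display name spoofing, cited above as the technique behind more than half of BEC attempts, is cheap to detect at the mail gateway because the display name and the actual address travel in the same header. The block below is an added example written for this post, not code from the original article or from Mimecast, the FBI or any other source it cites. It parses raw message headers and reports three BEC indicators: an executive's name on a From address outside the company domain, a display name that is itself an email address, and a Reply-To pointing at a different domain than From. The company domain, the executive directory and the sample messages are constructed assumptions.

```python
"""Flag display-name spoofing and Reply-To redirection in email headers.

Added example for this post. The company domain, executive names and sample
messages are constructed assumptions, not data from any report cited above.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Iterable, List

COMPANY_DOMAIN = "example.com"            # assumed: the defended organization
EXECUTIVES = {"jane doe", "john smith"}   # assumed: names attackers would impersonate


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize_name(name: str) -> str:
    """Collapse case, punctuation and spacing so 'Jane  Doe,' matches 'jane doe'."""
    kept = "".join(ch for ch in name.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def bec_indicators(raw_message: str) -> List[str]:
    """Return the BEC indicators found in a raw RFC 822 message's headers.

    Checks:
      * an executive's display name on a From address outside COMPANY_DOMAIN
      * a display name that contains an email address (the name-as-address trick)
      * a Reply-To whose domain differs from the From domain
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings: List[str] = []

    if _normalize_name(from_name) in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"executive name '{from_name}' used from external domain {from_dom}")
    if "@" in from_name:
        findings.append(f"display name contains an address: {from_name!r}")
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")
    return findings


def triage(messages: Iterable[str]) -> List[List[str]]:
    """Run bec_indicators over a batch of raw messages."""
    return [bec_indicators(m) for m in messages]


# Constructed headers of the kind seen in CEO-fraud attempts; no real mailboxes.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "From: Jane Doe <ceo.janedoe@gmail.com>\nSubject: Urgent wire\n\nAre you at your desk?\n",
    "From: \"jane.doe@example.com\" <acct4421@mail-relay.net>\nSubject: Re: invoice\n\nPlease pay today.\n",
    "From: John Smith <john.smith@example.com>\nReply-To: john.smith@secure-mailbox.biz\n"
    "Subject: Vendor change\n\nNew bank details attached.\n",
]

if __name__ == "__main__":
    for raw, findings in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print("FLAG" if findings else "ok  ", raw.splitlines()[0], findings)
```

The fourth sample passes the display-name check (the From address really is internal) and is caught only by the Reply-To comparison; the two checks are complementary, and neither replaces SPF, DKIM and DMARC enforcement on the receiving side.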
Data breaches
- The human element, whether social engineering, error, or misuse, is involved in 74% of data breaches. (Source)
- Healthcare and finance are the most targeted industries for data breaches involving social engineering. (Source)
- According to a Stanford University study, one in four employees admitted to clicking on malicious links in emails. (Source)
- The average cost of a data breach caused by social engineering is estimated at $4.1 million. (Source)
- Over 80% of the data breaches involved weak or stolen passwords. (Source)
- It took organizations about 207 days to identify a breach, and about 70 days to contain the breach. (Source)
- A data breach in 2021 exposed the personal information of 9% of LinkedIn members. (Source)
- More than 6 out of 10 companies said that their data was potentially compromised by a hardware- or silicon-level security breach in 2020. (