Social Engineering Statistics to Know in 2024

As technology is evolving and every day brings a new shield against technical cyberattacks, attackers have found a more accessible target to get into the systems: yes, all of us. Because deceiving a user became a doodle compared to more complicated systems and their tens of security precautions. That's where attackers are turning to social engineering tactics to circumvent the technical securities placed. 

Social engineering is intentionally manipulating individuals or a group of people to reveal confidential and unauthorized information willingly. As such, it is vital to comprehend the subject matter and acknowledge the facts to avoid underestimating the threat posed by our devices and to take the necessary precautions to prevent falling into the trap.

Common Types of Social Engineering Attacks

Attackers always come up with new techniques, but there are a few that are more popular than others. Before we delve into the alarming statistics, let's look at what social engineering attacks are and the types of tactics that attackers typically utilize.

1. Phishing: In phishing attacks, attackers trick victims into revealing sensitive information, such as login credentials, financial information, and personal information. It is possible to conduct email phishing attacks, SMS phishing attacks, voice phishing attacks, and so on. 

2. Quid Pro Quo: Quid Pro Quo translates to "something for something", in which an attacker provides sensitive information or access to something valuable. A quid pro quo attack is when a social engineer offers a service, usually "tech support," in exchange for access to secure information.

3. Spoofing: Attackers manipulate or falsify data to fool individuals or systems into believing the information is authentic, referred to as spoofing. Spoofing attacks use vulnerabilities and a lack of verification mechanisms to trick users into divulging sensitive information, gaining unauthorized access, or causing confusion and disruption by exploiting vulnerabilities in various communication protocols.

4. Baiting: Baiting involves offering tempting items, such as free software downloads or malware-infected USB drives. This trap could take the form of an enticing attachment.

5. Account takeover: In account takeover, unauthorized individuals gain illicit access to someone else's online account by exploiting weak passwords, social engineering, or security vulnerabilities. In this menacing tactic, attackers gain control over the victim's digital identity, allowing them to steal sensitive information, commit fraud, and damage reputations and finances.

Social Engineering Statistics to Know in 2024

According to IBM's 2023 Cost of a Data Breach report:

• Data breaches initiated through social engineering techniques averaged costs over $4.5 million.
• The most common vector in the 2022 report was stolen credentials, but phishing took the lead by a small margin over stolen credentials.
• As a result of stolen or compromised credentials, it took nearly 11 months (328 days) on average this year to identify and contain data breaches and about 10 months (308 days) to resolve breaches initiated by malicious insiders.  

Based on a latest study by Statista:

• There were 1,270,883 unique phishing sites detected around the world.
• Phishing attacks are most frequently targeted at financial institutions.
• ​​An estimated 18% of attacks targeted web-based software and webmail.
• Smishing (SMS Phishing) attacks target 76% of global businesses.
• Phishing attacks affected 599 brands only in October 2022.

Social engineering accounts for 98% of all cyber-attacks.

The FBI's latest report on internet crimes shows that Phishing, Vishing, Smishing, and Pharming account for the largest number of victims with 323,972.

As per Verizon’s 2022 Data Breach Investigations Report:‍

• ‍82% of breaches were caused by human error.
• Even though only 2.9% of employees may actually click on phishing emails, a statistic that has remained relatively consistent over time, criminals still continue to take advantage of it.

As stated by Forbes, organizations' average phish-prone percentage (the percentage of users who fall victim to social engineering scams) drops from 32.4% to 5% after a year of training.

Clayton State University found that 41% of higher education cybersecurity incidents and breaches started with social engineering. 

“Education is one of the most vulnerable sectors, as well as one of the most targeted by attackers, and yet the cybersecurity budget for these sectors is less than 1% of their overall IT budget, according to a report published by CIS.”

According to Barracuda’s Spear Phishing report:

• Annually, CEOs receive 57 targeted phishing attacks.
• Each year, IT staff receives an average of 40 targeted phishing attacks.
• Business email compromises (BECs) account for one out of ten social engineering attacks.
• A typical organization is targeted by over 700 social engineering attacks each year.

In Q2 2023, Microsoft topped the list of most impersonated brands for phishing scams. (MSSP Alert)

Social engineering attacks cost an average of $130,000. (Splunk)

Online fraud cost Canada around $100 million in 2021.

Based on the FBI's Internet Crimes Report (2022), Forbes Advisor developed a guide to phishing statistics by state in 2023. Here is the breakdown of the most and least affected residents:

• Nevada is the state most affected by phishing, ranking third in both phishing victims and financial loss per capita. Since 2018, the state has seen a 207% increase in financial loss due to phishing, suggesting scammers are becoming more successful in targeting Nevada residents.
• Kansas is the least affected state by phishing scams. It has the lowest financial loss in the country with an average of $293.70, compared to the national average of $12,879. The number of Kansas residents affected by phishing scams has dropped by almost 97% since 2028.

UW-Madison's Office of Cybersecurity conducted phishing campaigns for campus divisions. Initial CTR was 10% (2014-2016), but decreased to 4% since late 2016, which indicates the importance of running security awareness programs.

Cyber attacks target small businesses in 43 percent of cases. Social engineering attacks make up 62% of the attacks. (UNG)

Over 80% of Americans have been targeted by deceptive emails.

83% of cyber attacks suffered by UK businesses in 2022 were phishing attacks.

54% of phishing emails in 2022 were linked to websites with the '.com' domain. Only 8.9% of domains are '.net'.

Google blocks around 100 million phishing emails every day.

In 2022, IC3 received 300,497 reports of phishing attacks.

In 2020, the Federal Trade Commission received 4.7 million complaints, including 2.2 million fraud reports (46% of all complaints) and 1.4 million reports of identity theft (29% of total reports).

A 5 million user account was compromised in a social engineering attack on Robinhood, a trading app.

As per Sift’s Q3 2023 Digital Trust & Safety Index:

• Account takeover attacks increased 354% year-over-year in 2023.‍
• 73% of consumers believe the brand is responsible for account takeover attacks and for protecting credentials; consequently, they abandon the brand.
• Among account takeover victims, only 43% were notified by the company.

24% of victims of account takeover fraud changed their contact information after the incident (such as their email address or phone number).

A record $176 million has been extorted by ransomware attackers in the first half of 2023, making it the second costliest year in ransomware history. 

E-commerce companies took an average of 250 hours to recover from account takeovers in 2020.

Account takeovers are primarily driven by 75% of "credential stuffing" attacks.

Wrap-up

It is crucial to be more vigilant and train users about the increasing threat of social engineering attacks across all sectors. By being aware of and actively defending against tactics like phishing, quid pro quo, and account takeover, we can protect sensitive information and maintain the integrity of our digital interactions. It is imperative to foster a culture of cybersecurity awareness and implement robust security practices to mitigate these risks and safeguard the digital future against the ever-evolving landscape of social engineering threats.