70 Social Engineering Statistics for 2025

Social engineering attacks have reached unprecedented levels. Preying on human weaknesses rather than software or network vulnerabilities, these types of attacks exploit natural tendencies like trust, curiosity, and fear to steal sensitive information and manipulate behavior.

In this article, we present disturbing figures that highlight the prevalence of various kinds of social engineering attacks worldwide and suggest measures you can take to prevent becoming a victim. First, some headline numbers:

Top social engineering statistics

  1. Human error (including social engineering) caused 68% of data breaches in 2024.
  2. 89% of social engineering attacks were financially motivated.
  3. 65% of social engineering attacks were phishing.
  4. AI-powered phishing campaigns have a 42% higher success rate than conventional email-only scams.
  5. 73% of organizations targeted by social engineering attacks were based in North America.
  6. Between May 2024 and May 2025, 93% of social engineering intrusions were financially motivated.
  7. The average cost of a social engineering attack was $130,000 in 2024.
  8. The average cost of a BEC attack is $4.89 million.
  9. 43% of phishing attacks mimic Microsoft brands.
  10. The most common outcomes of social engineering attacks were credential theft (29%), data theft (18%), and extortion (13%).
  11. Manufacturing remains the most targeted sector, accounting for 26% of incidents.

Types of attacks

The scale of social engineering attacks reached historic levels throughout 2024 and early 2025. In Q1 2025, the Anti-Phishing Working Group reported the most significant quarterly number of phishing incidents since late 2023, and this trend appears to be continuing. Phishing — masquerading as a reputable company to send emails asking individuals to reveal sensitive information — is not the only form of social engineering. Other types include:

  • Smishing — SMS version of phishing
  • Vishing — using phone calls for phishing
  • Pretexting — creating a fabricated story to trick people into revealing sensitive information or taking damaging actions
  • Business email compromise (BEC) — impersonating a trusted person, like a CEO or supplier, to fool employees into sending money or sensitive information to fraudulent accounts
  • Prompt bombing — bombarding users with MFA login requests

Phishing

Phishing includes subcategories such as spear phishing, which targets specific individuals with personalized messages.

  • 1,003,924 phishing attacks were reported in Q1 2025.
  • The FBI received 193,407 phishing complaints in 2024.
  • 94% of businesses experienced a phishing attack in 2024.
  • 96% of organizations affected experienced negative consequences, including account takeovers.
  • 79% of account takeovers started with phishing emails.
  • Phishing breaches cost an average of $4.88 million in 2024, representing an almost 10% increase from 2023’s $4.45 million.
  • Just 20% of people successfully recognize and report phishing attacks when sent a simulation.
  • The median time to click on phishing simulation links was just 21 seconds, with 28 seconds to submit sensitive data.
  • 71% of users engaged in risky security actions they knew were dangerous.
  • In the first quarter of 2025, 60.7% of failed phishing simulations involved emails impersonating internal teams, with 49.7% specifically targeting HR. 
  • PDFs were the most common bad email attachment at 45.2%, followed by HTML at 17.4% and ZIP at 10.4%.
  • 42% of malicious PDFs hid links with obfuscation (altering them to conceal their true destination), 28% hid links in streams, and 7% used passwords.
  • 1.5% of employees still click dangerous links in phishing simulations, even after repeated awareness training.

Smishing

Smishing attacks are becoming highly effective compared with traditional email phishing. 

  • Click-through rates for SMS phishing in 2024 ranged from 19% to 36%, compared with just 2% to 4% for email phishing, making smishing up to nine times more effective.
  • Smishing incidents rose 18% globally in 2024 and 22% in Q3 2024 specifically. 
  • By 2024, smishing accounted for 39% of all mobile threats, representing the single largest category of mobile-based attacks.
  • Organized groups such as the “Smishing Triad” have intensified global SMS phishing, using over 200,000 fraudulent domains.
  • Smishing affected 76% of businesses in 2024.
  • In the same year, smishing incidents increased 328%.
  • Losses per incident averaged $800 globally.

Vishing

Voice-based attacks accelerated dramatically in 2024:

  • Vishing attacks skyrocketed 442% between the first and second halves of 2024, often relying on AI-generated voice clones to impersonate executives.

Pretexting

The dominant tactic of 2024 was pretexting.

  • Pretexting accounted for 50% of all social engineering attacks — almost twice the previous year’s proportion and marking the first time pretexting overtook traditional phishing as the most common social engineering method.
  • Pretexting is now responsible for 27% of all social engineering-based breaches.

Business Email Compromise (BEC)

There has been explosive growth in BEC attacks targeting executives.

  • In 2024, BEC attack volume soared by 103%, more than twice the previous year’s volume. 
  • The average CEO receives 57 targeted attacks every year.
  • 89% of BEC attacks involve impersonating leaders, such as CEOs. 
  • More than $6.3 billion was transferred through BEC in 2024. 
  • The median amount extracted from BEC victims is $50,000. 
  • 60% of social engineering attacks led to data leaks, and half of these cases were BEC.

Prompt bombing

Also known as multi-factor authentication (MFA) fatigue attacks, prompt bombing is a social engineering tactic where attackers send repeated calls or push notifications to a person’s authenticator app or phone, hoping the individual will eventually accept one of them.

  • Prompt bombing attacks represented 14% of social engineering incidents in 2024. 
  • Prompt bombing succeeded in more than 20% of social attacks within the public sector in 2025.

Regional variations

The United States continues to be the biggest financial victim of social engineering attacks, but the Asia-Pacific region has overtaken North America to become the most attacked region worldwide. AI is a factor in an escalating number of global attacks.

North America

  • The United States lost $16.6 billion in social engineering attacks in 2024, a 33% increase from $12.5 billion the previous year. 
  • California was the most affected state, with $2.54 billion in losses.
  • Texas recorded $1.35 billion in losses. 
  • Canadian authorities reported over 150,000 fraud reports from January 2021 through 2024, with over $600 million stolen.
  • The Canadian Communications Security Establishment mitigated 1.6 million smishing messages and 37,000 new phishing URLs during its 2023-2024 reporting period. 
  • Americans aged 60 and older lost $4.8 billion in 2024, a 43% increase from 2023.

Europe

  • In 2024, 60% of all social engineering attacks in the EU were phishing attacks.
  • By early 2025, more than 80% of phishing emails were using AI.
  • 38.2% of recorded incidents targeted public administration, with France (27%), Italy (26.3%), and Germany (16.2%) most affected.
  • In the United Kingdom, 84% of breaches were phishing attacks.
  • The EU security agency ENISA forecasts that more than 80% of social engineering activity worldwide will be driven by AI-powered phishing by early 2025.

Asia-Pacific

  • 34% of global social engineering incidents now target the Asia-Pacific region.
  • Social actions account for 25% of breaches in the Asia-Pacific region. 
  • Of those, 40% of breaches involved pretexting, 34% involved prompt bombing, and 26% involved phishing. 
  • In 2024, the Asia-Pacific region recorded a 30.5% year-over-year increase in phishing attacks across Australia, New Zealand, Japan, and Singapore.
  • Median monthly attack rates rose 26.9%, to 600 attacks per 1,000 mailboxes.
  • Singapore recorded a 49% increase in phishing attempts, with the banking and financial services sector most targeted.
  • 12% of phishing emails in Singapore contained AI-generated content.
  • India experienced a 409% increase in cryptojacking incidents, in which victims are tricked into clicking links or opening email attachments that allow cryptomining malware to be installed on their devices.

Latin America

  • In 2024, phishing attempts rose by 140% in Latin America.
  • Mexico experienced 55% of Latin America’s total attacks.
  • 19.06% of users in Peru encountered phishing in 2024 — the highest user exposure rate worldwide.
  • The fourth-highest exposure rate globally was among users in Ecuador (16.90%).

Middle East and Africa

  • 80% of Middle Eastern cyberattacks result in the breach of confidential data, including trade secrets and personal information.
  • Cybercriminals use social engineering in 61% of cyberattacks and malware in 51%, often combining them.
  • Africa’s phish-prone percentage increased from 32.8% to 36.7% in 2024, meaning that more than a third of employees at African companies will fall for phishing schemes. 
  • The phishing encounter rate in Kenya is 16.38%, putting it among the top ten countries worldwide.

How to prevent social engineering attacks

Social engineering no longer depends on opportunistic attempts to manipulate people into revealing sensitive information; it has become an industrialized operation with professional infrastructure, AI-enhanced capabilities, and advanced expertise in organizational psychology. Defensive technologies and training programs may be improving, but attackers are adapting quickly, focusing on more vulnerable regions and swiftly exploiting new channels. 

Our statistics demonstrate that it is impossible to prevent all social engineering, so organizations must focus on strengthening their detection, response, and recovery capabilities. Measures include:

  • educating employees on recognizing scams, including attack simulations
  • implementing strong technical controls such as MFA and firewalls
  • enforcing clear policies for information handling 
  • keeping systems up to date
  • encouraging employees to feel comfortable verifying requests for information and reporting suspicious activities. 

Article sources

APWG. Phishing Activity Trends Report, 1st Quarter 2025. Accessed: 18 October 2025

APWG. Phishing Activity Trends Report, 4th Quarter 2024. Accessed: 18 October 2025

IC3. 2024 Annual IC3 Report. Accessed: 18 October 2025

FBI. Annual Internet Crime Report. Accessed: 18 October 2025

SentinelOne. 15 Types of Social Engineering Attacks. Accessed: 18 October 2025

Unit42. 2025 Unit 42 Global Incident Response Report: Social Engineering Edition. Accessed: 18 October 2025

Secureframe. 60+ Social Engineering Statistics. Accessed: 18 October 2025

Sprinto. 100+ Latest Social Engineering Statistics: Costs, Trends, AI. Accessed: 18 October 2025

DeepStrike. The Human Hack: 2025 Social Engineering Statistics, Trends, and Future Threats. Accessed: 18 October 2025

ENISA. Threat Landscape (ETL) report. Accessed: 18 October 2025

Statista. Share of organizations worldwide hit by ransomware attacks from 2022 to 2024, by country. Accessed: 18 October 2025

Keepnet. 250+ Phishing Statistics and Trends You Must Know in 2025. Accessed: 18 October 2025

Cofense. Cofense Reveals Rapid Rise in AI-Powered Phishing: New Threat Every 42 Seconds. Accessed: 18 October 2025

Verizon. 2025 Data Breach Investigations Report. Accessed: 18 October 2025

IBM. Cost of a data breach 2024: Financial industry. Accessed: 18 October 2025

Lookout. Lookout Advances Mobile Threat Defense Solution With Proactive Protection Against Executive Impersonation and SMS Phishing Attacks. Accessed: 18 October 2025

Lookout. How Industrial-Scale Fraud Operations Are Reshaping APAC’s Cyber Threat Landscape. Accessed: 18 October 2025

Intelligent CISO. Positive Technologies: 80% of cyberattacks in the Middle East result in confidential data breaches. Accessed: 18 October 2025
