Social Engineering Statistics: Psychological Crime

Niek has worked at Eftsure for several years and has developed a clear understanding of the cyber threat landscape and the controls Australian businesses put in place to combat these threats.

High-profile hacks emphasise the threat of social engineering.

Large enterprises like Toyota, Sony Pictures, Target, and other well-known brands have fallen victim to social engineering attacks, according to Gatefy. Along with phishing, smishing, or spear phishing attempts, social engineering statistics demonstrate a highly effective strategy for attackers to gain access to sensitive information and credential logins.

What makes social engineering dangerous is the ability to use psychological manipulation.

Relying on human error rather than penetrating vulnerable system systems directly. With enough background research and investigation processes, external perpetrators become threatening. We break down key social engineering statistics that impact organisations annually.

Author’s Top Picks

  • The country that covered social engineering the most in its security awareness training was Australia (39%).
  • Nearly 98% of all cyber-attacks involve some form of social engineering to deliver malicious attachments.
  • According to research comparing free email service providers, Gmail accounted for 91% of all email domains associated with bait attacks.
  • 70% of information can be lost when it comes to social engineering training, the only type of social engineering attack that was taught was phishing.
  • In 2022, 12.4% of Australian businesses reported financial losses. There are currently 166,047 numbers of reports and $425 million lost to whaling and spear phishing.

Social Engineering Statistics 2022

1. Social engineering patterns demonstrate that 82% of data breaches involve the human element.

According to MAT journals, social engineering is a human behaviour-based technique for cyber attackers to compromise security vulnerabilities to steal sensitive information. What makes social engineering difficult for organisations to prevent, is because of its trickery and psychological manipulation of employees.

2. Top cyber patterns in the food services and professional services industry include system intrusion, social engineering, and basic web application attacks. This represents 89-90% of data breaches.

Other key findings involve external threat actors being the primary perpetrator (90%) and financial gain (91%) as the main motivation behind these social engineering attacks. According to the Data Breach Investigations Report (DBIR), these social types of attacks have increased over 5 years.

3. Reports of SMS/text phishing (smishing), voice phishing (vishing), and social media-based attacks all increased by more than 20%.

The most common social engineering attacks include phishing, spear phishing, whaling, smishing, vishing, baiting, piggybacking, tailgating, pretexting, business email compromise (BEC), and scareware. Sophisticated cybercriminals are always investigating and targeting employees on social media, website information, and public google information.

4. Of the 99% of organisations who said they had a security awareness training program, only 27% of the respondents covered social engineering.

Cyber security awareness training should include theory and simulations for employees and employers to understand how these cyber-attacks are orchestrated. Unfortunately, very few understand the process behind a socially engineered attack. Social engineering is a multistep process that involves investigation, fetching, execution, and exiting.

5. The country that covered social engineering the most in its security awareness training was Australia (39%).

Social engineering is being less spoken about in security awareness training. This is the same for smishing, vishing, role-based training, and multi-factor authentication. According to social engineering statistics, only 25% of respondents said their organisation allocates two or more hours to formal employee training each year.

6. 75% of respondents stated social engineering/phishing attacks as the top threat to cyber security at their organisation.

Previous CISO at Horizon Power Jess Campbell said, “With the increase in maturity over the years of edge security, the easiest way in is through the weakest link, which generally tends to be individuals.” Employees are still being fooled to click on malicious links or reveal sensitive information.

7. Social engineering attacks cost organisations $130,000 on average from money theft or data destruction.

The cost of cybercrime does not stop after the attack happens. After a data breach, businesses must pay recovery fees such as credit monitoring for affected parties and new cybersecurity software to prevent such attacks. Indirect costs are another consequence like tarnished reputation, productivity losses, and more.

8. 21% of current or former employees use social engineering against their previous and current employers.

One mistake organisation does after an employee departs from the company is not removing access to company information in time. Other than financial gain, revenge is another motivation behind an attack from former employees.

9. 60% of participating IT professionals consider new employees to be the most susceptible to social engineering attacks.

According to VPN alert, one reason why social engineering attacks are effective is that managers are not protecting sensitive data that do not to be accessed by employees. This also involves protecting data from deletion or modification. This fundamental cybersecurity practice, known as the CIA, is not currently being implemented.

10. Nearly 98% of all cyber-attacks involve some form of social engineering to deliver malicious attachments.

Social engineering statistics demonstrate most attacks involve malicious attachments like Microsoft documents, invoices, PDFs, excel spreadsheets, or presentations. These types of messages involve some form of impersonation like accounts payable managers or CFOs.

11. According to Proofpoint, researchers found almost 1,000 (14%) malicious social engineering campaigns leveraging legitimate services like Microsoft, Dropbox, or Google Drive to deliver malicious files.

Microsoft and Google Drive are reputable trusted brands that employees use daily. External attackers understand this and impersonate companies like Microsoft to abuse the company’s trust. A key takeaway is how much businesses underestimate cybercriminals’ abilities and the boldness of attacks.

Baiting Statistics

12. More than a third of global businesses are likely to be targeted by a baiting attack.

Baiting is a type of social engineering attack where an attacker uses a false promise to trap victims to steal personal information or inflict their operating system with malware. This is also known as a reconnaissance attack. This technique allows attackers to assess specific email addresses in hopes to find targeted victims.

13. In a controlled experiment that involved leaving exposed USB devices, 45-98% of people plug in the USB drives they find.

Baiting feeds on human curiosity and greed. This human component allows attackers to produce many types of baiting attack techniques such as tempting offers or dropping malware-infected devices. In one 2016 case, Australia’s Victoria Police Force issued a warning regarding unmarked USB flash drives containing malicious software (malware) dropped in random letterboxes in Melbourne.

14. Along with the planted USB drives, only 16% of the users bothered to scan the drives in anti-virus software before loading the files.

Awareness and vigilance are the only defence mechanisms against baiting attacks. Individuals should think carefully before taking any action regarding finding random USB sticks. Especially if they are planted on your desk or in your drawer.

15. Just over 35% of the 10,500 organisations analysed were targeted by at least one bait attack in 2021.

The goal of a baiting attack is to verify the existence of an email address or have the targeted individual involved in a conversation. Attackers may have thousands of business emails evaluated in order to identify any emails that may bounce back as “undeliverable”. These are being sent by newly created email accounts from email providers like Gmail or Outlook.

16. According to research comparing free email service providers, Gmail accounted for 91% of all email domains associated with bait attacks.

Gmail tops the most used domain to send email bait attacks compared to any other free email service provider. On average, an organisation may receive three distinct emails per company. The contents of baited emails may include an empty body with the subject line as “hi” to see if the email has been delivered or replied to.

17. AI-powered automated email security is 40% more likely to catch a baited phishing message than conventional solutions.

AI-powered email security solutions are great for businesses that are looking to automate their email security. AI systems are programmed to identify emails that may seem suspicious and track phishing activities using algorithms. There are existing solutions that combat phishing attacks that could prevent you from falling victim.

18. Data reveals that more than 80% of baiting emails were sent to the executive management team, followed by CEOs.

Techniques like baiting and business email compromise are often targeted at senior executives like the CEO, CFO or CTO. Social engineering statistics highlight that senior executives are attacked by phishing scams twice as often as lower-tier employees.

Krishna Simha senior security strategist at Barracuda states that “we can speculate that executives have better disposable incomes and are therefore a higher priority target.”

Pretexting Statistics

19. In the DBI report, pretexting is 27% of social engineering breaches, almost all of which are BECs.

Pretexting is a type of social engineering attack that involves a situation or pretext created by the attacker such as a fictional scenario. Common pretexting attacks include romance frauds, cryptocurrency scams, whaling attacks, and impersonations. Attackers manipulate the victim’s emotions like anger, fear, lust, guidance, and greed to lure them into a trap.

20. Social attacks, roughly split between phishing (53%) and pretexting (47%), have been on the rise over the last few years in the retail industry.

The difference between phishing and pretexting is phishing is the attack medium while pretexting is the attack method. Phishing and pretexting are typically used in combination to conduct a scam or to defraud an organisation.

21. 59% of phishing and pretexting attacks are motivated by financial gain.

Emails remain the top attack medium used to launch social engineering attacks. Along with financial gain as the main driver for phishing and pretexting attacks, this was divided into corporate espionage (41%).

22. 27% of social engineering breaches that resulted in the confirmed disclosure of data to an unauthorised party were due to pretexting attacks.

A general pretexting attack works when a cyber-criminal has planned their next target. Through an investigation process, they gain as much public information as they can such as their name, business, email, social networks, suppliers, and access to systems and applications. Then they create spoofed email accounts to spark a conversation and then execute the pretext.

23. 77% of Australians reported having received a fraudulent text or phone call in the last year, equating to almost 15 million people.

More than two-thirds of the Australian population has been contacted by a scammer in the last 12 months through spoofed text messages. According to Nine News, a common scam going around is the Flubot scam where scammers impersonate a legitimate business and message the recipient that they have missed a call. In the body text, it contains a malicious link or fake voicemail.

24. 70% of information can be lost when it comes to social engineering training, the only type of social engineering attack that was taught was phishing.

Not enough senior executives and managers are educating their staff on the importance of social engineering tactics and prevention methods. According to research, the type of attack that was taught was phishing. Businesses must keep up with the increasing threat landscape to combat cyber threats, involving all types of social engineering like baiting, pretexting, and more.

Spear Phishing Statistics

25. In 2022, 12.4% of Australian businesses reported financial losses. There are currently 166,047 numbers of reports and $425 million lost to whaling and spear phishing.

According to the Australian Competition & Consumer Commission (ACCC), whaling or spear phishing is defrauding businesses specifically senior management through personalised spoofed emails. Scamwatch statistics highlight the significant monetary loss businesses incur when they are faced with spear phishing attacks.

26. 30.9% which represented the number one form of the delivery method used in spear phishing attacks were mobile phones.

Scammers love to target their victims through mobile devices because of the behaviour that comes with using a mobile phone. Oftentimes, executives have tight schedules daily. With the daily consumption use of mobile devices, individuals can pre-emptively click on malicious links without realizing the intent of the message.

27. 66% of organisations dealt with spear phishing attacks.

The volume of bulk phishing attacks rose 12% year over a year involving spear phishing, whaling, and BEC. Large enterprises are the most targeted when it comes to cybercriminals using the three combinations of attacks.

28. 90% or more of Australian respondents said their organisation faced spear phishing, BEC, and email-based ransomware attacks in 2021.

According to the 2022 state of the phish report, attackers were more successful in 2021 than in 2020. Millions of malicious emails are blocked every day from email gateways yet the attacks that do become successful do a lot of damage.

29. 65% of cyber attackers have leveraged spear phishing emails as a primary attack vector.

Organisations that are looking to combat targeted spear phishing threats should consider implementing an email-security solution that can detect and block email attacks. Some solutions offer better technology than others like AI algorithms that can detect malicious messaging or spam.

30. 65% of targeted attacks by hacker groups involve spear phishing.

According to Symantec, the motivation behind the attack of hacker groups conducting spear phishing was intelligence gathering. This could mean several situations such as playing a bigger attack, gaining information for another competitor, or monitoring any signs of internal fraud.

31. 87% of all spear-phishing attacks worldwide were conducted during the work week. 13% of attacks happened on Saturdays and Sundays.

It is no surprise that these types of attacks occur on the weekends. Attackers have more time to plot a cybercrime against organisations and follow through. Leaving senior management unaware of the attack.

32. 84% of organisations said a spear phishing attack successfully penetrated their business in 2015. The average impact of this type of attack totalled $1.6 million.

Fireeye reports state that a spear phishing attack can display one or more characteristics like blended or multi-vector threats, use of zero-day vulnerabilities, multi-stage attacks, or well-crafted email forgeries.


Instead of using technological tools to conduct a cyber-attack, cyber criminals use a psychological attack against a targeted individual or organisation. Victims are normally targeted in two ways, on mobile devices like text or phone impersonations or online through email phishing attacks.

The objective of this attack is to lure into a false sense of security to reveal sensitive data or access to perform fraudulent activities.

According to Proofpoint, there are six social engineering types such as phishing, vishing and smishing, CEO fraud, baiting, tailgating or piggybacking, and quid pro quo. Usually, these techniques involve using email or text messages.

With the increased use of technology, social engineering is recognised to be one of the most effective methods to steal information and breakthrough cybersecurity defences. They are effective because it is often easier to exploit lower-tier employees who are not aware of these attacks or how to respond.

Employees should be suspicious of every unsolicited phone call, email, or message from unknown senders. Individuals should read the contents of the message before clicking on any suspicious links or email attachments as well as verify by using another form of contact like phone calls. You can look out for links, emails that look off, logos or images that look off, suspicious requests, or messages that include a sense of urgency.

The Essential Cyber Security Guide for CFOs
Understand the full range of cyber threats facing the modern CFO.

It's the critical information you need to stay one step ahead of cyber criminals and prevent your organisation becoming a victim.

Subscribe to our blog

Subscribe to the eftsure blog to receive updates when we post.

The new security standard for business payments

End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.