Social Engineering Statistics 2026: 16 Key Numbers
On-device OCR. Secure, built for iOS.
Social Engineering Statistics 2026: 16 Key Numbers
Social engineering caused 36% of all cyber intrusions between May 2024 and May 2025, according to Palo Alto Networks Unit 42, surpassing malware and software exploits as the single most common breach vector. The FBI's 2024 Internet Crime Report logged $16.6 billion in total cybercrime losses - a 33% jump from 2023 - with business email compromise alone accounting for $2.77 billion across 21,442 reported cases. IBM's 2025 Cost of a Data Breach Report found the average cost of a phishing-initiated breach reached $4.76 million, and Verizon's 2025 DBIR confirmed the human element featured in 60% of confirmed breaches. These 16 statistics map exactly how attackers exploit trust, impersonation, and urgency to reach the sensitive files and identity documents businesses and individuals handle every day.
Social engineering works because it targets people rather than software. Attackers impersonate colleagues, fabricate urgency, and manufacture trust to get victims to hand over credentials, transfer funds, or expose sensitive documents. The attack surface is every email inbox, phone call, and help desk - not a software patch.
This post covers breach rates, financial losses, attack methods, document exposure, and the growing role of AI in social engineering. The 16 statistics below draw on data from Verizon, FBI IC3, Proofpoint, IBM, ENISA, Palo Alto Networks Unit 42, and Javelin Strategy, giving a credible, multi-source picture of the threat in 2026.
1. Social engineering drove 36% of all cyber intrusions in 2025
Palo Alto Networks Unit 42 analyzed more than 700 incident response cases between May 2024 and May 2025 and found that 36% of all incidents began with a social engineering tactic. That figure surpasses malware-based initial access and unpatched vulnerabilities as the top entry point. The report, titled the 2025 Unit 42 Global Incident Response Report: Social Engineering Edition, also found that social engineering attacks exposed data in 60% of cases - 16 percentage points higher than breaches that started with other vectors. A financial payout drove 93% of these attacks. Phishing accounted for 65% of social engineering cases, but more than a third relied on non-phishing methods: SEO poisoning, fake system prompts, and help desk manipulation. The clear message is that human manipulation has become the dominant initial access method, not a secondary concern.
Source: Palo Alto Networks Unit 42 - 2025 Global Incident Response Report: Social Engineering Edition
2. The human element appeared in 60% of confirmed breaches
Verizon's 2025 Data Breach Investigations Report analyzed more than 22,000 incidents and found the human element featured in approximately 60% of confirmed breaches - cases where a person clicked a phishing link, responded to a social engineering request, or mishandled credentials. Phishing was the top tactic in 57% of social engineering incidents, and pretexting - the impersonation-based manipulation behind most business email compromise cases - appeared in 30%. Verizon noted that pretexting incidents have nearly doubled in frequency, now rivaling phishing as a core vector. The DBIR dataset spans thousands of organizations across dozens of industries, making its human-element figure one of the most widely cited benchmarks in security research. When 60% of breaches trace back to a human action, security technology alone cannot close the gap.
Source: Verizon - 2025 Data Breach Investigations Report
3. Business email compromise losses hit $2.77 billion in 2024
The FBI's Internet Crime Complaint Center received 21,442 business email compromise complaints in 2024, reporting $2.77 billion in total losses - more than 17% of all cybercrime financial damage logged that year. BEC is the seventh most reported crime to IC3 but consistently ranks second by dollar value. Over the three-year period from 2022 to 2024, BEC losses totaled nearly $8.5 billion, according to Nacha's analysis of IC3 data. The attack is straightforward: criminals impersonate executives, finance teams, or trusted vendors to authorize fraudulent wire transfers or redirect payroll. The median BEC loss is around $50,000 per incident, but large cases routinely exceed that many times over. Our phishing statistics breakdown covers the email-borne attack methods that feed directly into BEC fraud.
Source: FBI IC3 - 2024 Internet Crime Report
4. Total cybercrime losses reached a record $16.6 billion in 2024
The FBI IC3 2024 Internet Crime Report recorded 859,532 complaints and $16.6 billion in total losses - a 33% jump from the $12.5 billion logged in 2023. Cyber-enabled fraud drove approximately 83% of all losses. Investment fraud involving cryptocurrency topped the damage list at $6.5 billion, while BEC ranked second. People over 60 suffered the most losses as a group, at nearly $5 billion, making older adults a primary target for social engineering campaigns. The FBI's Recovery Asset Team used the Financial Fraud Kill Chain process to freeze $561 million in fraudulently obtained funds, achieving a 66% success rate on interventions. The year-over-year growth rate confirms that financial social engineering is not stabilizing. It is accelerating.
Source: FBI IC3 - 2024 Internet Crime Report
5. A phishing breach costs organizations an average of $4.76 million
IBM's 2024 Cost of a Data Breach Report found that phishing was the second most costly common attack vector at an average of $4.76 million per incident, generating 15% of all breaches studied. Social engineering breaches took an average of 257 days from breach to containment - roughly 8.5 months during which attackers could access systems, exfiltrate files, and expand their foothold. The global average breach cost across all vectors rose 10% to $4.88 million in 2024. U.S. companies faced even higher exposure, with IBM's 2025 update reporting an average breach cost of $10.22 million for American organizations. Credential theft, phishing, and BEC all ranked among the higher-than-average cost attack types. The financial stakes of a single successful social engineering attack dwarf the cost of preventive controls.
Source: IBM - Cost of a Data Breach Report 2024
6. 80% of organizations rank social engineering as their top human risk
The 2025 SANS Security Awareness Report found that 80% of organizations rate social engineering as their leading human-related security risk. Proofpoint's 2025 Human Factor Report reinforces why: the firm blocks 117 million TOAD (Telephone-Oriented Attack Delivery) attacks annually, a category that bypasses email filters entirely by directing victims to call fake support numbers. Proofpoint also found that 25% of all state-sponsored phishing campaigns now begin with benign, trust-building emails before making any malicious request - a patience-based approach designed to lower suspicion. Advanced Fee Fraud scams have shifted from fear-based threats to enticement tactics like fake job offers, rising 47% in frequency. These behavioral shifts confirm that attackers study human psychology as carefully as security professionals study malware. For our broader view of the threat landscape, see our cybersecurity statistics overview.
Source: Proofpoint - The Human Factor 2025: Vol. 1 Social Engineering
7. 94% of organizations faced phishing attacks in 2024
Proofpoint's State of the Phish research found that 94% of organizations experienced phishing attacks in 2024, and 96% of those that were successfully attacked reported negative business impacts as a result. The 2024 report also found that 71% of working adults admitted to taking at least one risky action - reusing passwords, clicking unknown links, or surrendering credentials to an untrustworthy source - and a striking 96% of those who did so were fully aware of the risk at the time. Awareness training alone clearly does not prevent risky behavior. Verizon's own research shows that phishing simulation click rates have plateaued at roughly 1.5%, suggesting that a behavioral floor exists below which training cannot push rates further. The persistently high organizational exposure rate means that social engineering is a problem companies need to engineer around, not just train around.
Source: Proofpoint - 2024 State of the Phish Report
8. Credential theft is the most common outcome of social engineering attacks
The most frequent result of a successful social engineering attack is credential theft, occurring in 29% of investigated incidents, followed by data theft at 18% and extortion at 13%, according to compiled breach analysis data. Stolen credentials then become the fuel for follow-on attacks: account takeovers, fraudulent fund transfers, and unauthorized access to cloud storage, HR systems, and document repositories. Proofpoint found that 99% of organizations are regularly targeted for account takeover attempts, and nearly 62% are actually impacted. Once attackers hold valid credentials, they can move laterally through systems without triggering malware detections, making credential-focused social engineering particularly difficult to detect. The credential pipeline explains why social engineering and identity theft are so tightly linked - compromised usernames and passwords are the commodity that converts a human mistake into a lasting intrusion.
Source: Proofpoint - The Human Factor 2025: Vol. 1 Social Engineering
9. AI-powered deepfake fraud losses surged to $1.1 billion in 2025
Deepfake-related fraud losses from scams and impersonation reached $1.1 billion in 2025, tripling from $360 million in 2024, according to research by Surfshark. Fraud attempts involving deepfakes increased more than 2,000% over three years in Europe, and generative AI tools that once required technical expertise can now produce convincing synthetic audio and video at near-zero cost. Businesses experienced an average loss of nearly $500,000 per deepfake fraud incident in 2024, with large enterprises reporting losses up to $680,000. Attackers use voice cloning to impersonate executives in authorizing wire transfers, and synthetic video to pass live identity verification checks. The Entrust 2025 Identity Fraud Report documented AI-assisted document forgery rising from 0% to 2% of all fake documents in a single year. As tools improve, the cost of a convincing impersonation continues to fall.
Source: Surfshark Research - AI Deepfake Losses
10. Impersonation scams rose 148% and became the top reported scam type
The Identity Theft Resource Center's 2025 Trends in Identity Report found that impersonation scams rose 148% and became the single most frequently reported scam type. Impersonators pose as government officials, bank representatives, tech support agents, and employers to extract sensitive personal information or payments. These attacks often begin with an urgent pretext - a suspended account, a pending legal action, a job offer that requires identity verification documents upfront. Social engineering attacks targeting privileged accounts featured in 66% of Unit 42 incident response cases, and 45% involved impersonation of internal personnel. The scale of impersonation growth reflects how accessible the attack has become: a phone call, a spoofed email address, or a cloned SMS sender ID is sufficient infrastructure. No malware or technical skill is required to run an impersonation campaign.
Source: Identity Theft Resource Center - 2025 Trends in Identity Report
11. Identity fraud caused $27.3 billion in losses affecting 18 million victims in 2025
Javelin Strategy and Research estimated that identity fraud caused $27.3 billion in losses across 18 million victims in 2025. The FTC received 1,135,270 identity theft reports in 2024 alone, a 9.5% increase from 2023, and filings in the first three quarters of 2025 already exceeded the full-year 2024 total. Synthetic identity fraud - where attackers combine real and fabricated data to create new identities - surged 311% in North America in Q1 2025. Stolen or falsified identity documents feed synthetic fraud directly: an attacker who obtains a scan of a passport or driving license has the core document layer needed to open accounts, apply for credit, and impersonate victims in identity verification flows. The data underscores why how sensitive documents are stored and shared matters as much as how they are scanned. See our data privacy statistics for the storage side of this risk picture.
Source: Javelin Strategy and Research - 2025 Identity Fraud Study
12. Third-party and partner breaches doubled to 30% of all breaches
Verizon's 2025 DBIR found that breaches involving an external partner or third party doubled year-over-year, now representing 30% of all confirmed breaches compared with 15% in 2024. Social engineering frequently targets the weakest link in a vendor or supply chain relationship: a contractor with broad system access, a supplier whose email is hijacked, or a managed service provider whose credentials are phished. Once attackers compromise a trusted third party, they inherit that party's access and credibility within the victim organization. Pretexting and impersonation attacks are especially effective in this context because internal teams expect external contacts to make unusual requests. The doubling of third-party breaches in a single year signals that attackers have shifted focus from fortified perimeters to the more permeable edges where partnerships create trust.
Source: Verizon - 2025 Data Breach Investigations Report
13. Phishing remains the primary intrusion method in 60% of observed cases
ENISA's Threat Landscape 2025 report, covering 4,875 incidents from July 2024 to June 2025, identified phishing as the primary initial intrusion method in 60% of observed cases. The report also noted that AI-supported phishing campaigns represented more than 80% of observed social engineering activity worldwide, as adversaries used jailbroken AI models, synthetic media, and automated personalization to scale attacks. ENISA found that social engineering attacks have grown significantly in sophistication, with new techniques making the traditional warning signs - misspellings, odd sender addresses, implausible requests - less reliable as detection cues. In the financial sector, ENISA's Finance Threat Landscape 2024 documented social engineering attacks resulting in financial loss in 50% of cases. The 60% phishing figure, consistent with Verizon and Unit 42 findings, confirms this is not an organizational anomaly but a sector-wide reality.
Source: ENISA - Threat Landscape 2025
14. More than 1.7 billion individuals had personal data compromised in 2024
The HIPAA Journal's analysis of breach data found more than 1.7 billion individuals had personal data compromised in 2024, a 312% increase in victim notifications from the 419 million recorded in 2023. The Identity Theft Resource Center's 2024 Data Breach Report documented 3,158 data compromises affecting organizations across every major sector. Digital document forgeries rose 244% in 2024 compared to the prior year, according to breach analysis compiled from identity verification providers. SpyCloud's 2025 research found more than 53 billion unique identity records circulating on criminal markets, with 7.6 billion recaptured in 2024 alone. These records combine email addresses, passwords, physical addresses, and in many cases document scans or identity numbers - exactly the data attackers use to fuel impersonation campaigns and synthetic identity fraud. The volume of compromised records has grown faster than the organizations generating them.
Source: HIPAA Journal - 2024 Data Breach Statistics
15. 90% of organizations experienced at least one identity-related security incident
Research compiled from multiple security surveys found that 90% of organizations experienced at least one identity-related security incident in the past year, and 37% reported that stolen credentials directly caused a breach, making poorly managed credentials the second leading cause of breaches in 2024. An attacker impersonating a locked-out employee can pass identity checks and access hundreds of gigabytes of sensitive data without deploying a single piece of malware - a case documented in CISA's advisory on Scattered Spider, which used social engineering to compromise major enterprises. The attack sequence typically runs: phish for credentials, use credentials to impersonate a legitimate user, move laterally to document repositories and financial systems, and exfiltrate or extort. The 90% exposure rate across organizations reflects how central identity manipulation has become to modern intrusion methodology.
Source: CISA - Scattered Spider Advisory
16. AI-generated fraud losses are projected to reach $40 billion in the US by 2027
Deloitte's analysis projects that fraud losses facilitated by generative AI technologies will escalate to $40 billion in the United States by 2027, representing a compound annual growth rate of 32% from $12.3 billion in 2023. The growth curve reflects AI's impact across the full social engineering chain: personalized spear-phishing at scale, voice-cloned executive impersonation, synthetic documents that pass automated verification checks, and deepfake video calls that defeat live identity confirmation. Proofpoint found that AI allows threat actors to produce custom, contextually relevant communications within seconds at a price accessible to low-sophistication attackers - removing the technical skill barrier that previously limited highly targeted attacks. As the cost of a convincing social engineering attack approaches zero, the volume of attempts rises in proportion. The $40 billion figure represents a compounding problem, not a plateau.
Source: Deloitte - Fraud AI Report via BIIA
What These Numbers Reveal About Social Engineering in 2026
The statistics tell a single unified story: social engineering has displaced technical exploits as the primary breach vector because it costs less to execute, works against the most hardened environments, and scales with AI. The 36% of intrusions starting with human manipulation (Unit 42), the 60% of breaches involving a human action (Verizon), and the 80% of organizations rating it their top risk (SANS) all describe the same structural reality. Technology defenses have matured enough that the human layer is now the most accessible entry point. Attackers have followed the path of least resistance.
The document and identity angle running through these numbers is specific and important. Credential theft at 29% of outcomes, identity fraud losses at $27.3 billion, synthetic identity fraud up 311%, document forgeries up 244% - these are not abstract risks. They center on the physical and digital documents people handle every day: passports, driving licenses, contracts, tax returns, and financial statements. Once an attacker holds a convincing copy of those documents, the downstream fraud becomes straightforward. How sensitive files are stored and who can access them is as important as how they are secured in transit.
The trajectory points toward AI-accelerated volume and personalization. Deepfake losses tripling in one year and a $40 billion AI-fraud projection for 2027 reflect the compounding effect of falling production costs. A spear-phishing email that once required research and careful writing can now be generated in seconds. Voice cloning that once required audio engineers is now a consumer app. The organizations and individuals who treat document security and identity hygiene as a priority investment now are building a posture that resists attacks that will be far more convincing by the time they arrive.
The core problem is simple: sensitive files and identity documents in the wrong hands are the raw material for every social engineering attack that follows.
How Filewise Reduces the Risk Surface Around Your Documents
Social engineering attacks rely on access. Attackers who can intercept scanned documents, access cloud-synced files, or exploit credentials tied to a document service can turn your paperwork into a liability. Reducing that attack surface starts with keeping sensitive documents - passports, contracts, financial statements, ID cards - off platforms that require accounts, store data on remote servers, or monetize access through ads or subscriptions.
Filewise scans and processes documents entirely on your iPhone using on-device OCR, with no account required and no files sent to a third-party server. There are no credentials to steal, no cloud repository to compromise, and no company database of your scanned documents to breach. Face ID locking keeps sensitive scans inaccessible even if a device is lost. For individuals and small businesses handling the kind of identity documents that feed social engineering and impersonation fraud, keeping that data private by design is the simplest risk reduction available.
Join the Filewise waitlist and keep your scanned identity documents, contracts, and financial files private and on-device.
Filewise is launching soon - the private, on-device PDF scanner for iPhone with no ads and no subscription traps.
Join the Filewise Waitlist
Private, on-device scanning · No account required · Launching soon on iOS
Frequently Asked Questions
What percentage of cyber breaches involve social engineering?
According to Palo Alto Networks Unit 42's 2025 Global Incident Response Report, 36% of all cyber incidents between May 2024 and May 2025 began with a social engineering tactic, making it the single most common initial access vector. Verizon's 2025 DBIR separately found the human element - people responding to social engineering or mishandling credentials - featured in 60% of confirmed breaches.
How much money does social engineering and BEC cost organizations each year?
The FBI IC3 2024 report logged $16.6 billion in total cybercrime losses, with business email compromise accounting for $2.77 billion across 21,442 reported cases. IBM's 2024 Cost of a Data Breach Report found that phishing-initiated breaches cost an average of $4.76 million each. Identity fraud driven partly by social engineering caused $27.3 billion in losses to 18 million victims in 2025, according to Javelin Strategy and Research.
What are the most common outcomes of a successful social engineering attack?
Breach analysis finds credential theft is the most common outcome at 29% of incidents, followed by data theft at 18% and extortion at 13%. Stolen credentials enable follow-on attacks including account takeover, fraudulent fund transfers, and unauthorized access to document repositories and HR systems. Unit 42 found that social engineering attacks exposed data in 60% of incident response cases, 16 percentage points higher than other breach vectors.
Why are identity documents and sensitive files a target in social engineering attacks?
Attackers need convincing documentation to execute impersonation fraud, open fraudulent accounts, and pass identity verification checks. Synthetic identity fraud surged 311% in North America in Q1 2025, and digital document forgeries rose 244% in 2024. A scan of a passport, driving license, or financial statement provides the building blocks for synthetic identity creation. Keeping sensitive scanned documents off cloud platforms, behind strong access controls, and tied to as few accounts as possible reduces the materials available to an attacker who has already compromised credentials through phishing.
🔒 Secure & on-device | 📱 Built for iOS