Social Engineering Statistics [2026]: 100+ Facts & Trends

By Nathan House · 30 min read

68% of confirmed breaches involve the human element. Not a firewall misconfiguration. Not an unpatched server. A person clicking, trusting, or responding to something they shouldn't have (Verizon DBIR 2025). Social engineering losses hit $16.6 billion in 2024 (FBI IC3). Vishing surged 442% in six months (CrowdStrike). AI now powers over 80% of phishing campaigns (Abnormal Security). The attackers aren't breaking in — they're being invited in.

Below you'll find 76+ social engineering statistics across 14 sections — covering phishing, vishing, BEC, pretexting, AI-powered attacks, and what actually works to stop them. Sourced from Verizon, FBI IC3, KnowBe4, CrowdStrike, IBM, and 30+ reports. Each section includes original analysis that cross-references the data to surface what no single report shows you.

Key Social Engineering Statistics at a Glance

  • 98% of cyberattacks involve social engineering (Sprinto)
  • $16.6 billion in FBI-reported US social engineering losses in 2024 (+33% YoY)
  • 442% surge in vishing attacks H1 to H2 2024 (CrowdStrike)
  • 80%+ of social engineering is now AI-powered (Abnormal Security)
  • $4.89M average cost per BEC breach (IBM 2025)
  • 33.1% of untrained employees click phishing links (KnowBe4 2025)
  • 86% reduction in click rates after 12 months of training (KnowBe4)
  • 60%+ of phishing engagements are now vishing (Keepnet 2025)

Last updated: March 2026


📊 Key Social Engineering Numbers (2026)

98% of cyberattacks involve social engineering (Source: Sprinto / Industry Analysis)

Social engineering is the dominant attack vector in cybersecurity. 98% of cyberattacks involve some form of social engineering (Sprinto), and 68% of attacks originate from email (KnowBe4 2025). The human element is involved in 60% of all breaches (Verizon DBIR 2025), ranging from phishing clicks to credential reuse to pretexting conversations that trick employees into authorizing fraudulent transfers.

The scale is accelerating. FBI-reported US social engineering losses grew 33% year-over-year in 2024 to record highs (FBI IC3). Vishing attacks surged 442% (CrowdStrike 2025). AI now powers over 80% of social engineering activity (Abnormal Security). 91% of security professionals report encountering AI-enabled email attacks in the past 6 months. Yet security awareness training reduces phishing click rates by 86% within 12 months (KnowBe4 2025) — the gap between problem and solution is a training gap, not a technology gap.

Social engineering is not a new threat, but AI has transformed its economics. Prior to 2023, creating a convincing phishing campaign required skilled operators who understood language, psychology, and target context. Now, AI tools can generate perfect phishing emails in any language at 95% lower cost (HBR 2024), clone a voice from 3 seconds of audio (McAfee 2024), and produce deepfake video calls that fooled a finance team into transferring $25 million (CrowdStrike 2024). The barrier to entry for social engineering has collapsed. The data below charts this transformation.

Finding | Value | Source
Cyberattacks involving social engineering | 98% | Sprinto / Purplesec
Breaches involving human element | 68% | Verizon DBIR 2025
Vishing attack surge (H1 to H2 2024) | 442% | CrowdStrike 2025 Global Threat Report
Cyberattacks originating from email | 68% | KnowBe4 Financial Sector Threats Report 2025
FBI IC3 BEC losses (2024) | $2.77B | FBI Internet Crime Report 2024
Average BEC attack cost | $4.67M | IBM / HoxHunt
Social engineering powered by AI | 80%+ | Abnormal Security / Xceedance
Baseline phishing click rate (untrained) | 33.1% | KnowBe4
Click rate reduction after training | 86% | KnowBe4
Orgs citing phishing/social eng as top risk | 42% | WEF Global Cybersecurity Outlook 2025
Social eng as primary attack vector | 42% | SentinelOne / Industry Reports
Social eng share of all threats (Q1 2024) | 90% | Avast Q1 2024 Threat Report
Breaches involving human element | 60% | Verizon DBIR 2025
US social engineering losses (2024) | $16.6B | FBI IC3 2024

Record US Social Engineering Losses

US social engineering losses surged from $12.5B in 2023 to $16.6B in 2024 — a 33% increase year-over-year. BEC alone accounted for $2.77B of that total. The FBI has recorded $55.5B in cumulative BEC losses over the past decade, making it the most financially devastating social engineering technique on record. (FBI IC3 2023, 2024)

The Human Element Refuses to Shrink

Despite billions spent on security technology, humans remain the primary breach vector. 60% of breaches involve the human element (Verizon 2025), 98% of cyberattacks involve social engineering (Sprinto), and the median time to click a phishing link is just 21 seconds — faster than any automated defence can intervene. 76% of organizations still lack phishing-resistant MFA (Arctic Wolf 2025). Technology alone cannot solve a human problem. (Verizon DBIR 2025, Sprinto, Arctic Wolf 2025)

Social engineering share: 98% of all attacks · Human element: 60% of breaches · Email origin: 68% of attacks · AI-powered: 80%+ of social engineering

The convergence of multiple social engineering channels creates compound risk. An attacker might research a target on LinkedIn (reconnaissance), send an AI-crafted phishing email (initial access), follow up with a deepfaked voice call from their "CEO" (vishing), and request an urgent wire transfer via BEC. Each layer adds credibility. Each layer is now cheaper and more convincing thanks to AI. The organizations that defend against only one channel remain exposed to the others.

🎭 Social Engineering Attack Types Breakdown

Figure: donut chart of social engineering attack types: phishing 44%, pretexting 27%, BEC 20%, vishing 5%, other 4% (Verizon DBIR 2025)

Breakdown (as charted on the page):
  • Phishing (email) 36%
  • Vishing (voice) 25%
  • Pretexting 20%
  • BEC 12%
  • Smishing/Other 7%

These techniques span multiple channels. Email phishing remains the largest category, but vishing (voice phishing) surged to account for 60%+ of phishing engagements in Q1 2025 (Keepnet). Pretexting now represents 50%+ of all incidents (Verizon DBIR 2025), nearly doubling from prior years. Smishing click rates of 19-36% dwarf email phishing's 2-4% (Eftsure), making SMS the most effective per-message channel.

New attack techniques are emerging rapidly. Fake CAPTCHA campaigns surged 1,450% in Q1 2025 (Secureframe). Fake road toll smishing scams spiked 2,900% from 2023 to 2024 (APWG). AI-generated BEC emails now account for 40% of all BEC messages (VIPRE 2024). The attack surface is expanding faster than defences can adapt.

Social Engineering Attack Type Explorer

Key statistics for each social engineering technique.

Phishing (Email)

  • Daily phishing emails: 3.4 billion
  • Share of breaches: 16%
  • AI-generated share: 80%+
  • Median time to click: 21 seconds
  • Click rate (untrained): 33.1%

Finding | Value | Source
Phishing in data breaches | 36% | Verizon DBIR 2025
Pretexting share of social eng attacks | 50%+ | Verizon DBIR 2025
Social eng incidents involving pretexting | 50%+ | Verizon DBIR 2025
Vishing attack surge (2025) | 442% | CrowdStrike 2025 Global Threat Report
Vishing share of phishing engagements Q1 2025 | 60%+ | Keepnet Labs
Smishing YoY surge | 40% | APWG / Keepnet
Smishing share of mobile attacks | 35% | SentinelOne / Industry Reports
SMS phishing click-through rate | 19-36% | Sprinto / Eftsure
Smishing/vishing breaches | 19% | Verizon DBIR 2025
Identity-based phishing incidents | 60% | Cisco Cybersecurity Readiness Index 2025
BEC emails that were AI-generated | 40% | VIPRE Security Group Q2 2024
Fake CAPTCHA campaign surge Q1 2025 | 1,450% | Secureframe / Industry Reports
Fake road toll smishing surge | 2,900% | APWG / Eftsure

Pretexting Now Dominates Social Engineering

Pretexting — creating a fabricated scenario to extract information — now accounts for 50%+ of all social engineering incidents and 27% of social engineering breaches (Verizon DBIR 2025). This represents a near-doubling from prior years. Attackers have shifted from mass-blast phishing to targeted, story-driven attacks that exploit specific organizational contexts. Combined with AI-generated content, pretexting attacks are increasingly difficult to distinguish from legitimate communication. (Verizon DBIR 2025)

SMS Phishing Is 9x More Effective Than Email

Smishing click-through rates range from 19-36%, compared to just 2-4% for email phishing (Eftsure). That makes SMS phishing up to 9x more effective per message. Combined with a 40% YoY surge in smishing volume (APWG/Keepnet) and a 2,900% spike in fake toll scams (APWG), mobile-first social engineering is the fastest-growing attack channel. (Eftsure, APWG, Keepnet 2025)

Emerging Social Engineering Techniques

Beyond the established categories, several newer techniques are gaining traction. Fake CAPTCHA campaigns surged 1,450% in Q1 2025 — attackers present a fake "verify you're human" page that actually executes malicious code. QR code phishing (quishing) uses QR codes in emails or physical locations to bypass email URL scanning. Callback phishing combines email with phone follow-up: the email creates the context, the phone call extracts the credentials.

Multi-channel attacks are particularly effective. An attacker might send a LinkedIn connection request (reconnaissance), follow with a phishing email referencing a shared connection (credibility), then make a vishing call impersonating the shared connection (trust exploitation). Each channel reinforces the others. Defending against these layered approaches requires training that covers all vectors, not just email.

Supply chain social engineering targets the trust relationships between organizations. Attackers compromise a vendor's email account and use it to send invoices or requests to the vendor's clients. Because the email comes from a legitimate, trusted address, it bypasses both technical filters and human suspicion. IBM reports that third-party breaches doubled year-over-year to 30% of all incidents in 2025 — many originating from social engineering of supply chain partners.

📈 How Common Is Social Engineering?

Figure: horizontal bar chart of social engineering attack growth rates: deepfake vishing +1,633%, vishing overall +442%, traditional phishing +202%, smishing +40% (2024-2025). Social engineering share of all threats: 98/100.

Social engineering is the single most prevalent attack vector in cybersecurity. 98% of cyberattacks involve some form of social engineering (Sprinto), and it accounted for 90% of all threats in Q1 2024 (Avast). 3.4 billion phishing emails are sent daily. The FBI IC3 received 193,407 phishing complaints in 2024 alone. 70% of organizations were targeted by vishing attacks (Keepnet 2025), and even small organizations face a 70% weekly probability of receiving a BEC email (Abnormal Security).

The frequency continues to accelerate. 91% of security professionals reported encountering AI-enabled email attacks in the past 6 months (Secureframe). Scam phone calls reached 2.56 billion in 2025 (Truecaller). Microsoft processes 600 million+ password attacks per day, many originating from social engineering-harvested credentials. These are not occasional events — they are a continuous, industrialized assault on human trust.

Finding | Value | Source
Cyberattacks involving social engineering | 98% | Sprinto / Purplesec
Social eng share of all threats (Q1 2024) | 90% | Avast Q1 2024 Threat Report
Social eng as primary attack vector | 42% | SentinelOne / Industry Reports
Phishing emails sent daily | 3.4 billion | AAG IT / industry data
Phishing attacks reported annually | 3.8 million | APWG Phishing Activity Trends
Phishing attacks Q2 2025 | 1,130,393 | APWG Phishing Activity Trends Q2 2025
Scam phone calls reported (2025) | 2.56 billion | Truecaller / Programs.com
Organizations targeted by vishing | 70% | Keepnet Labs
Weekly BEC probability (small orgs) | 70% | Abnormal Security / Hoxhunt
Microsoft: password attacks per day | 600 million+ | Microsoft Digital Defense Report 2024
Security pros reporting AI email attacks | 91% | Abnormal Security / Secureframe

Social Engineering Is Industrial-Scale Crime

3.4 billion phishing emails daily. 2.56 billion scam calls yearly. 600 million+ password attacks per day on Microsoft alone. Social engineering is not a niche threat — it is the dominant criminal enterprise of the digital age. The sheer volume means that even a low success rate translates to millions of successful compromises annually. At a 2.7% email phishing click rate and 3.4 billion daily emails, that is approximately 92 million successful clicks per day — each one a potential breach entry point. (Verizon DBIR 2025, Truecaller 2025, Microsoft 2024)

The frequency data reveals a critical insight: social engineering is not a targeted, sophisticated attack — it is a numbers game. Attackers send billions of messages knowing that even a small percentage will succeed. This is why awareness training (reducing the click rate) has such outsized impact. Reducing the baseline click rate from 33.1% to 4.1% does not just reduce risk by 86% — it fundamentally changes the economics of social engineering for attackers, making your organization an unprofitable target.

📧 Business Email Compromise (BEC) Statistics

$55.5B cumulative FBI-reported BEC losses over the past decade (Source: FBI IC3)

BEC is the most financially devastating form of social engineering. FBI IC3 reported $2.77 billion in BEC losses in 2024, and cumulative losses over the past decade have reached $55.5 billion (FBI IC3). The average cost per BEC breach is $4.89 million (IBM 2025), making it the second most expensive breach type after ransomware.

BEC attacks are increasing in both volume and sophistication. SpiderLabs documented a 15% increase in BEC emails in 2025 (LevelBlue). 63% of organizations experienced BEC in the past year (AFP 2025). BEC volume surged 54% in H1 2025 compared to 2023 (Abnormal Security). 40% of BEC emails are now AI-generated (VIPRE 2024), making them harder to detect by both humans and traditional email filters. Even organizations with fewer than 1,000 employees face a 70% weekly probability of a BEC attack.

Finding | Value | Source
FBI IC3 BEC losses (2024) | $2.77B | FBI Internet Crime Report 2024
FBI IC3 BEC losses (2023) | $2.9B | FBI Internet Crime Report 2023
FBI cumulative BEC losses (decade) | $55.5B | FBI IC3
Average BEC attack cost (IBM) | $4.67M | IBM / HoxHunt
Average cost per BEC breach | $4.89M | IBM Cost of a Data Breach Report 2025
BEC share of all incidents | 27% | Arctic Wolf Threat Report 2025
Average BEC loss per incident | $160,000+ | Arctic Wolf Threat Report 2025
BEC share of financially motivated breaches | 58% | Verizon DBIR 2025
BEC volume surge (H1 2025) | 54% | Abnormal Security
BEC attack increase in 2025 | 15% | SpiderLabs / LevelBlue
BEC emails AI-generated | 40% | VIPRE Security Group Q2 2024
Organizations experiencing BEC (2025) | 63% | AFP Fraud Survey 2025
Weekly BEC probability (<1,000 employees) | 70% | Abnormal Security / Hoxhunt

BEC: Low-Tech, High-Return Crime

BEC requires no malware, no exploits, and no technical sophistication — yet it costs organizations millions per incident (IBM 2025) and has accumulated tens of billions in FBI-reported losses over a decade. 63% of organizations experienced BEC in the past year (AFP 2025), and even small organizations (<1,000 employees) face a 70% weekly probability of receiving a BEC email. BEC is the most cost-effective attack for criminals. (IBM 2025, FBI IC3, AFP 2025, Abnormal Security)

BEC Attack Characteristics

  • No malware or exploits needed
  • Exploits trust and authority
  • 40% now AI-generated
  • Targets finance departments

BEC Defence Measures

  • Dual-approval for wire transfers
  • Out-of-band verification (phone callback)
  • AI-powered email analysis
  • Regular BEC simulation exercises

BEC attack sophistication is accelerating. Traditional BEC relied on simple email spoofing — impersonating an executive to request a wire transfer. Modern BEC campaigns use AI to craft contextually perfect emails, compromise legitimate accounts to send from trusted addresses, and combine email with vishing follow-up calls to add urgency. The shift from volume-based to precision-based BEC means that individual attacks are more likely to succeed and harder to detect.

The FBI's cumulative decade-long BEC loss figure likely underrepresents the true cost. Many organizations do not report BEC losses to law enforcement. Many more absorb smaller losses without formal incident reporting. The actual global cost of BEC is almost certainly higher than FBI figures suggest.

BEC Attack Patterns

BEC attacks follow recognizable patterns that organizations can defend against. The most common BEC scenario is CEO fraud — an attacker impersonates the CEO or CFO and requests an urgent wire transfer. Invoice fraud is the second most common: attackers compromise a vendor's email account and send modified invoices with updated bank details. Payroll diversion targets HR departments: an employee's direct deposit information is changed to the attacker's account.

Each pattern has specific defensive measures. CEO fraud is defeated by dual-approval requirements and out-of-band verification (calling the CEO on a known number to confirm). Invoice fraud is defeated by verifying payment detail changes through a separate communication channel and maintaining a vendor contact database independent of email. Payroll diversion is defeated by requiring in-person or video verification for banking detail changes.

The rise of AI-generated BEC makes these procedural controls more important than ever. 40% of BEC emails are now AI-generated (VIPRE 2024), meaning they lack the linguistic tells that previously helped recipients identify fraudulent requests. The only reliable defence is process-based: verification steps that are independent of the communication channel being compromised.

BEC Recovery & Law Enforcement

Speed is critical in BEC recovery. When organizations detect a fraudulent transfer within 24 hours and contact both their bank and the FBI IC3's Recovery Asset Team (RAT), recovery rates are significantly higher. The FBI's RAT has successfully frozen and recovered hundreds of millions of dollars in fraudulent BEC transfers. However, most organizations detect BEC fraud too slowly: detection typically lags the transfer by days or weeks, by which point the funds have been moved through multiple accounts and are unrecoverable.

Organizations should pre-establish relationships with their bank's fraud team and have FBI IC3 reporting procedures ready before an incident occurs. Every hour of delay reduces recovery probability significantly. Cyber insurance policies increasingly cover BEC losses, but typically require proof that reasonable security controls were in place at the time of the incident — including awareness training and dual-approval procedures.

📞 Vishing Statistics & Voice-Based Attacks

Vishing attack surge: +442% (H1 to H2 2024)

Voice phishing has transformed from a minor annoyance into a primary attack vector. Vishing attacks surged 442% from H1 to H2 2024 (CrowdStrike). Deepfake-enabled vishing spiked 1,633% in Q1 2025 compared to Q4 2024 (Keepnet). It now accounts for over 60% of all phishing-related engagements, overtaking email as the dominant phishing channel in Q1 2025.

AI voice cloning is the catalyst. McAfee found that AI can clone a person's voice from just 3 seconds of audio (McAfee 2024). 25% of users are fooled by deepfake voices (Keepnet). The largest single deepfake vishing loss was $25 million, where a finance executive was tricked via a video call with a deepfaked CFO (CrowdStrike). Scam phone calls reached 2.56 billion in 2025 (Truecaller). Deloitte projects deepfake fraud costs will reach $40 billion by 2027.

Finding | Value | Source
Vishing attack surge (H1 to H2 2024) | 442% | CrowdStrike 2025 Global Threat Report
Voice phishing increase YoY | 442% | CrowdStrike 2025 Global Threat Report
Deepfake vishing surge Q1 2025 | 1,633% | CrowdStrike / Keepnet
Organizations targeted by vishing | 70% | Keepnet Labs
Vishing share of phishing engagements | 60%+ | Keepnet Labs
Users fooled by deepfake voices | 25% | Keepnet Labs
Median loss per vishing victim | $1,400 | FTC / Keepnet
Scam phone calls (2025) | 2.56 billion | Truecaller / Programs.com
People targeted by AI voice scams | 25% | McAfee
Audio needed to clone a voice | 3 seconds | McAfee
Largest deepfake CFO scam | $25.6M | CrowdStrike 2025 Global Threat Report
Projected deepfake fraud costs (2027) | $40B | Deloitte
Smishing/vishing breaches | 19% | Verizon DBIR 2025

The economics of vishing have shifted dramatically. Traditional phone scams required human operators, limiting scale. AI-generated voice calls can now be produced at negligible cost with text-to-speech systems that are indistinguishable from real humans. Combined with AI voice cloning (3 seconds of audio is sufficient per McAfee), attackers can impersonate specific individuals — a CEO calling from an "unknown number" asking the CFO to authorize an emergency transfer. The $25 million deepfake CFO scam documented by CrowdStrike in 2024 demonstrates the upper bound of what is possible.

Defending against vishing requires procedural controls that many organizations lack. Callback verification on a known number (not the number provided by the caller) is the most effective defence. Organizations should establish code words for high-value authorizations, require dual approval for financial transfers, and train employees to recognize the urgency tactics that vishing attackers use. Technical solutions such as AI-powered call analysis and caller authentication (STIR/SHAKEN) provide additional layers but cannot replace human vigilance.

Vishing: From Nuisance to Primary Threat

Voice phishing surged 442% from H1 to H2 2024 (CrowdStrike), deepfake-enabled vishing spiked 1,633% in Q1 2025 (Keepnet), and vishing now accounts for 60%+ of all phishing-related engagements. Cross-referencing with McAfee's data showing AI can clone a voice from just 3 seconds of audio, the economics are clear: vishing is now cheaper, faster, and more convincing than email phishing. (CrowdStrike 2025, Keepnet 2025, McAfee 2024)

Vishing Risk Factors

  • AI can clone voice from 3 seconds of audio
  • 25% of users fooled by deepfake voices
  • 70% of organizations targeted
  • 60%+ of phishing engagements are voice-based

Vishing Defences

  • Voice verification protocols for transfers
  • Callback verification on separate channel
  • Employee training on vishing tactics
  • AI-powered call analysis tools

🤖 AI-Powered Social Engineering

AI-powered share of social engineering: 80%+ (gauge value shown: 82%)

AI has fundamentally changed social engineering. Over 80% of social engineering activity is now AI-powered (Abnormal Security 2025). AI-generated phishing performance improved 55% from 2023 to 2025 (Hoxhunt), while costs dropped 95% compared to manual campaigns (HBR 2024). 91% of security professionals reported encountering AI-enabled email attacks in the past 6 months. 40% of BEC emails in mid-2024 were identified as AI-generated (VIPRE).

Deepfakes represent the next frontier. AI can clone a voice from 3 seconds of audio (McAfee 2024), and deepfake-enabled vishing surged 1,633% in Q1 2025 (Keepnet). IBM reports that deepfakes and AI-generated phishing are emerging as distinct attack methods in breach campaigns (IBM 2025). The traditional advice to "look for spelling errors" in phishing emails is obsolete — AI-generated social engineering is grammatically perfect, contextually relevant, and increasingly personalized.

The democratization of AI-powered social engineering is perhaps the most significant shift in the threat landscape. Previously, convincing social engineering required skilled operators who understood language, psychology, and context. Now, freely available AI tools can generate perfect phishing emails in any language, create deepfake audio and video, and even conduct real-time chatbot conversations that impersonate support agents. The barrier to entry for social engineering has effectively dropped to zero.

On the defensive side, AI is also being deployed. AI-powered email gateways can detect AI-generated phishing by analyzing writing patterns, sender behaviour, and contextual anomalies. AI call analysis can flag deepfake voices in real time. However, this creates an AI arms race where attacker AI and defender AI continuously evolve. The current evidence suggests that attacker AI is ahead: 80%+ of social engineering is AI-powered (Abnormal Security), but defender AI adoption lags significantly.

Finding | Value | Source
Social engineering powered by AI | 80%+ | Abnormal Security / Xceedance
Security pros reporting AI email attacks | 91% | Abnormal Security / Secureframe
AI-generated phishing success rate | 82.6% | Keepnet Labs / VIPRE Security Group
AI phishing click-through rate | 54% | Harvard Business Review / Heiding, Schneier et al.
AI phishing cost reduction vs manual | 95%+ | Harvard Business Review / Heiding, Schneier et al.
BEC emails that were AI-generated | 40% | VIPRE Security Group Q2 2024
AI phishing improvement 2023 to 2025 | 55% | Hoxhunt / Industry Reports
Users fooled by deepfake voices | 25% | Keepnet Labs
Deepfake vishing surge Q1 2025 | 1,633% | CrowdStrike / Keepnet
Deepfake as attack method | 35% | IBM Cost of a Data Breach Report 2025
AI phishing as attack method | 37% | IBM Cost of a Data Breach Report 2025
AI used by attackers in breach campaigns | 16% | IBM Cost of a Data Breach Report 2025

AI Phishing Outperforms Human Operators

AI-generated phishing now powers 80%+ of social engineering attacks (Abnormal Security 2025). AI phishing performance improved 55% from 2023 to 2025 (Hoxhunt), while costs dropped 95% compared to manual campaigns (HBR 2024). 91% of security professionals report encountering AI-enabled email attacks in the past 6 months. Human-crafted phishing is becoming the exception, not the norm. (Abnormal Security, Hoxhunt, HBR 2024)

AI phishing cost: 95% less than manual campaigns · AI BEC share: 40% of BEC emails · AI improvement: 55% (2023 to 2025)

AI Voice Cloning & Deepfake Social Engineering

AI voice cloning has made vishing dramatically more dangerous. McAfee demonstrated in 2024 that just 3 seconds of audio — available from a voicemail greeting, conference recording, or social media post — is sufficient to create a convincing voice clone. This technology has enabled the largest-ever social engineering fraud: a finance executive tricked into transferring $25 million via a video call featuring deepfaked versions of multiple colleagues (CrowdStrike 2024).

Deepfake-enabled vishing surged 1,633% in Q1 2025 compared to Q4 2024 (Keepnet), indicating explosive adoption by criminal organizations. 25% of users are fooled by deepfake voices in controlled tests (Keepnet). The Deloitte projection of $40 billion in deepfake fraud costs by 2027 reflects the expectation that this technology will become the standard social engineering toolkit within 2-3 years.

Defending against AI voice cloning requires a fundamental shift in verification procedures. Organizations can no longer trust voice identification as an authentication factor. Code words, callback verification on pre-registered numbers, and multi-party approval for high-value transactions are the minimum required controls. AI-powered call analysis tools that can detect synthetic speech are emerging but remain early-stage. The window for proactive defence is now — before AI voice attacks become the default social engineering technique.

AI-Generated Phishing: The End of Spelling Errors

For decades, the primary advice for detecting phishing was to look for spelling errors, grammatical mistakes, and awkward phrasing. AI has eliminated these signals entirely. AI-generated phishing emails are grammatically perfect, contextually appropriate, and personalized to the target's role, industry, and recent activities. The 55% improvement in AI phishing performance from 2023 to 2025 (Hoxhunt) reflects rapid model improvement in social engineering applications.

The cost reduction is equally significant. AI phishing campaigns cost 95% less than equivalent human-crafted campaigns (HBR 2024). This means attackers can run vastly more campaigns at the same budget, or target a much wider range of organizations. The combination of lower cost and higher effectiveness explains why 80%+ of social engineering is now AI-powered (Abnormal Security 2025) and why 91% of security professionals report encountering AI-enabled email attacks.

New detection strategies are needed. Rather than looking for linguistic errors, employees should focus on behavioural red flags: unexpected requests, urgency pressure, requests for credentials or financial transfers, and communication through unusual channels. Technical defences should employ AI-powered analysis of sender behaviour patterns, email authentication (DMARC/DKIM/SPF), and anomaly detection that identifies AI-generated content signatures.
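As an added illustration of the behavioural approach described above (this is example code written for this page, not the author's or any vendor's tooling), the triage below scores inbound mail on the signals the passage names rather than on spelling: SPF/DKIM/DMARC verdicts from the Authentication-Results header, a Reply-To that leaves the sender's domain, an executive's name on an external address, and urgency, financial, credential and channel-avoidance phrasing. The three sample messages, the executive roster and the flag names are all constructed for the example.

```python
"""Behavioural red-flag triage for inbound mail (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: names attackers impersonate in CEO-fraud BEC,
# mapped to the only domain they legitimately send from.
EXECUTIVES = {"alice rivera": "example.com"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|"
                     r"before (eod|close of business))\b", re.I)
FINANCIAL = re.compile(r"\b(wire transfer|bank details|updated invoice|"
                       r"gift cards?|payroll|direct deposit)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|verify your account|login|"
                         r"credentials|mfa code)\b", re.I)
CHANNEL_AVOIDANCE = re.compile(r"\b(in a meeting|can'?t talk|do not call|"
                               r"don'?t call|reply (only )?by email)\b", re.I)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[mech.lower()] = verdict.lower()
    return results


def red_flags(raw):
    """Return the list of behavioural and authentication flags raised by one message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    flags = []
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            flags.append(f"{mech}_{verdict}")
    # Unusual channel: replies are steered to a domain other than the sender's.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("reply_to_domain_mismatch")
    # Executive display name on an address outside the organisation's domain.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_domain != expected:
        flags.append("executive_name_external_domain")
    for pattern, name in ((URGENCY, "urgency"), (FINANCIAL, "financial_request"),
                          (CREDENTIALS, "credential_request"),
                          (CHANNEL_AVOIDANCE, "channel_avoidance")):
        if pattern.search(text):
            flags.append(name)
    return flags


def triage(raw):
    """Decide deliver / review / hold. A money or credential request combined with
    any pressure, channel or authentication anomaly is held for out-of-band
    verification, the process control the article recommends."""
    flags = red_flags(raw)
    request = {"financial_request", "credential_request"} & set(flags)
    pressure = set(flags) - {"financial_request", "credential_request"}
    if request and pressure:
        return "hold_for_out_of_band_verification", flags
    if len(flags) >= 2:
        return "review", flags
    return "deliver", flags


# Constructed sample 1: CEO fraud from an attacker-owned free-mail domain.
# Note that SPF, DKIM and DMARC all pass, because the attacker controls
# example.net; only the behavioural signals expose it.
CEO_FRAUD = """\
From: Alice Rivera <alice.rivera.ceo@example.net>
To: finance@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net; dmarc=pass header.from=example.net

I'm in a meeting and can't talk. Please process a wire transfer of 48,000 to the
account below before close of business. Reply by email only.
"""

# Constructed sample 2: spoofed vendor invoice with failed authentication
# and a Reply-To pointing at a look-alike domain.
INVOICE_FRAUD = """\
From: Accounts <billing@vendor.example>
Reply-To: billing@vendor-billing.example
To: ap@example.com
Subject: Updated invoice #4471
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=vendor.example; dkim=none; dmarc=fail header.from=vendor.example

Please find our updated invoice attached. Note our bank details have changed;
kindly remit payment to the new account.
"""

# Constructed sample 3: ordinary internal mail, nothing to flag.
ROUTINE = """\
From: Bob Chen <bob.chen@example.com>
To: team@example.com
Subject: Q3 planning notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached are the notes from today's planning session. Let me know if I missed anything.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("Invoice fraud", INVOICE_FRAUD),
                          ("Routine", ROUTINE)):
        print(label, *triage(sample))
```

The first sample is the important one: every email-authentication check passes, so only the behavioural signals (executive name on an external domain, urgency, money request, channel avoidance) put it on hold.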

🖱️ Social Engineering Success Rates & Click Rates

Email phishing click rate: 2-4% · SMS phishing click rate: 19-36% · Untrained staff phishing click rate: 33.1%

Social engineering success rates vary dramatically by channel and target. Untrained employees have a baseline phishing click rate of 33.1% (KnowBe4 2025). SMS phishing achieves click rates of 19-36%, compared to just 2-4% for email phishing (Eftsure) — making smishing up to 9x more effective per message. The median time from email delivery to click is just 21 seconds (Verizon DBIR 2025), far too fast for any human review process.

AI-generated phishing achieves click rates comparable to human-crafted campaigns but at 95% lower cost (HBR 2024). Healthcare employees are the most vulnerable industry group at 41.9% baseline click rate (KnowBe4 2025). After 12 months of continuous security awareness training, click rates drop to 4.1% — an 86% reduction that demonstrates the gap is addressable. The challenge is not technology but implementation.

Finding | Value | Source
Users who click phishing links | 2.7% | Verizon DBIR 2025
Median time to click phishing link | 21 seconds | Verizon DBIR 2025
Median time to report phishing | 28 minutes | Verizon DBIR 2025
AI phishing click-through rate | 54% | Harvard Business Review / Heiding, Schneier et al.
Baseline click rate (untrained employees) | 33.1% | KnowBe4
Click rate after 12 months of training | 4.1% | KnowBe4
SMS phishing click rate (vs 2-4% email) | 19-36% | Sprinto / Eftsure
Healthcare baseline click rate (highest) | 41.9% | KnowBe4

The click rate data reveals a critical asymmetry. Attackers need only one click to succeed. Defenders need every employee to resist. In a 1,000-person organization with a 33.1% click rate, 331 employees will click a phishing link. Even at the trained rate of 4.1%, 41 employees remain vulnerable. This is why defence-in-depth — combining training with technical controls like phishing-resistant MFA, email filtering, and endpoint detection — is essential. No single layer is sufficient.

The 21-second median click time (Verizon DBIR 2025) is faster than most people spend considering an email. This suggests that the most effective training focuses not on teaching people to analyze emails in detail, but on building an automatic "pause and verify" reflex — similar to looking both ways before crossing a street. The goal is not analysis but hesitation: just enough friction to break the 21-second impulse.

The Channel Effectiveness Gap

Cross-referencing click rate data across channels reveals a stark effectiveness gradient. Email phishing: 2-4% click rate. AI-enhanced email phishing: comparable to human-crafted at 95% lower cost. SMS phishing (smishing): 19-36% click rate (9x email). Voice phishing (vishing): 60%+ of phishing engagements, with 25% of users fooled by deepfake voices. The clear trend: the more personal the channel, the higher the success rate. Defenders must expand beyond email-only protection. (Eftsure, Verizon DBIR 2025, Keepnet 2025, KnowBe4 2025)

💰 Cost of Social Engineering Attacks

[Figure: FBI-reported social engineering losses rising from $4.2B in 2020 to a record $16.6B in 2024, a 295% increase over five years]
Average cost per BEC breach: $4.89M (IBM Cost of a Data Breach 2025)

The financial damage is staggering. FBI-reported US losses grew 33% in 2024 to record levels (FBI IC3). BEC alone accounted for $2.77 billion in FBI-reported losses. The average attack costs $130,000 (Eftsure), while individual BEC breaches routinely run into the millions (IBM 2025).

Cumulative BEC losses over the past decade run into tens of billions (FBI IC3). Stolen credentials — often harvested through social engineering — cost $4.81 million per breach (IBM 2025). The median vishing victim loses $1,400 per incident (FTC/Keepnet). Deloitte projects deepfake fraud costs will reach $40 billion by 2027. The economics overwhelmingly favor attackers: a single BEC email costs nothing to send but can yield millions.

Finding | Value | Source
US social engineering losses (2024) | $16.6B | FBI IC3 2024
US social engineering losses (2023) | $12.5B | FBI IC3 2023
FBI IC3 BEC losses (2024) | $2.77B | FBI Internet Crime Report 2024
Average BEC attack cost | $4.67M | IBM / HoxHunt
Average cost per BEC breach | $4.89M | IBM Cost of a Data Breach Report 2025
Average cost per social engineering attack | $130,000 | Eftsure / Industry Analysis
Average BEC loss per incident | $160,000+ | Arctic Wolf Threat Report 2025
Cumulative BEC losses (decade) | $55.5B | FBI IC3
Projected deepfake fraud costs (2027) | $40B | Deloitte
Median loss per vishing victim | $1,400 | FTC / Keepnet
Stolen credentials breach cost | $4.81M | IBM Cost of a Data Breach Report 2025

Fastest Growing Attacks

  • Deepfake vishing — +1,633% in Q1 2025
  • Fake CAPTCHA — +1,450% in Q1 2025
  • Vishing — +442% H1 to H2 2024
  • Fake toll smishing — +2,900% in 2024

Most Costly Attacks

  • BEC — $4.89M avg per breach
  • Stolen credentials — $4.81M avg
  • Avg social eng attack — $130K
  • Cumulative BEC — $55.5B (decade)

The Return-on-Investment for Social Engineering Criminals

A single BEC email costs nothing to send. A single AI-crafted phishing campaign costs 95% less than its manual equivalent. Yet the average social engineering attack yields six figures, and BEC breaches run into the millions. Cross-referencing attack costs with payouts, social engineering delivers the highest criminal ROI of any cyberattack category. This is why volume continues to increase: the economics overwhelmingly reward attackers. (IBM 2025, HBR 2024, Eftsure, FBI IC3)

The cost structure of social engineering explains its dominance. Unlike ransomware (which requires malware development, infrastructure, and negotiation), or exploit-based attacks (which require vulnerability research), social engineering requires only a message and a target. AI has reduced even the message-crafting cost to near zero. The counterweight is to raise the attacker's cost per success: make targets harder to deceive through awareness training, and make a successful deception worth less through controls such as phishing-resistant MFA and out-of-band verification of payment changes.

Cost Breakdown by Attack Type

The financial impact varies dramatically by social engineering technique. BEC is among the costliest initial attack vectors at $4.89 million per breach (IBM 2025), with stolen credentials close behind at $4.81 million. These vector-specific costs reflect the depth of compromise: BEC often results in direct financial transfers that are difficult to recover, while credential theft enables persistent access that can escalate to full data exfiltration.

At the individual level, vishing victims lose a median of $1,400 per incident (FTC/Keepnet), but high-value targets can lose millions. The $25 million deepfake CFO scam (CrowdStrike 2024) and the staggering decade of cumulative FBI-reported BEC losses demonstrate the extreme variance in social engineering outcomes. The average attack costs six figures (Eftsure) — but this average masks a distribution where most attacks cost relatively little while a small number of BEC and deepfake attacks cost millions.

Projected costs continue to escalate. Deloitte projects deepfake fraud costs will reach $40 billion by 2027. FBI IC3 losses grew 33% year-over-year in 2024. AI is reducing attack costs while increasing effectiveness. Without intervention, these trends will continue compounding.

🏢 Social Engineering by Industry

Healthcare phish-prone percentage (highest): 41.9% (KnowBe4 2025)

Every industry is a target, but some are more vulnerable than others. Healthcare has the highest baseline phishing click rate at 41.9% (KnowBe4 2025), driven by high-pressure clinical environments where staff prioritize patient care over email scrutiny. Financial services face 300x more attacks than other industries (KnowBe4 2025), and BEC accounts for 27% of all investigated incidents (Arctic Wolf 2025).

Small businesses are disproportionately targeted: employees at small firms receive 350% more attacks than large enterprise employees (StrongDM/Verizon DBIR). SMBs also have higher malicious email rates and fewer resources for awareness training. Phishing and social engineering are cited as the top cyber risk by organizations worldwide (WEF 2025).

Finding | Value | Source
Orgs citing phishing/social eng as top risk | 42% | WEF Global Cybersecurity Outlook 2025
Financial sector attack frequency | 300x | KnowBe4 Financial Sector Threats Report 2025
Healthcare baseline click rate (highest) | 41.9% | KnowBe4
Financial sector phish-prone rate | 44.7% | KnowBe4 Financial Sector Threats Report 2025
SMB vs enterprise social eng rate | 350% | Verizon DBIR / StrongDM
SMB malicious email rate | 1 in 323 | Verizon DBIR / StrongDM
BEC share of all incidents | 27% | Arctic Wolf Threat Report 2025

Most Targeted Industries

  • Healthcare — 41.9% baseline click rate
  • Financial Services — 300x attack rate
  • Small Business — 350% more SE attacks

Key Defence Gaps

  • 76% lack phishing-resistant MFA
  • 27% of incidents are BEC
  • 33.1% baseline click rate (untrained)

Healthcare

Healthcare employees have the highest baseline phishing vulnerability at 41.9% (KnowBe4 2025). This is not because healthcare workers are less intelligent — it is because clinical environments create perfect conditions for social engineering: high urgency, frequent interruptions, multiple unfamiliar system logins, and a culture that prioritizes patient care over cybersecurity protocols. Social engineering attacks targeting healthcare often impersonate medical supply vendors, insurance companies, or internal IT support.

Financial Services

Financial services face 300x more attacks than other industries (KnowBe4 2025), driven by the direct financial payoff of successful BEC and wire transfer fraud. Banks and financial institutions are the primary targets for sophisticated pretexting, where attackers build detailed scenarios to manipulate employees into authorizing transactions. BEC targeting finance departments accounts for a large share of cumulative FBI-reported losses.

Small & Medium Businesses

Small business employees receive 350% more attacks than large enterprise employees (StrongDM/Verizon DBIR). This concentration reflects attackers' awareness that SMBs typically have fewer security controls, less frequent training, and smaller IT teams. SMBs also have higher malicious email rates and are less likely to have BEC-specific detection in place. The 70% weekly BEC probability for organizations with fewer than 1,000 employees (Abnormal Security) means that for most small businesses, it is not a question of "if" but "when."

Education & Government

Education institutions face elevated social engineering risk due to open communication cultures, high staff turnover, and large student populations who may lack security awareness. Insurance has the second-highest baseline phishing click rate at 39.2% (KnowBe4 2025), followed by Retail/Wholesale at 36.5%. Government agencies are frequently targeted by both criminal and nation-state social engineering campaigns, with BEC targeting government procurement and finance departments.

The industry-specific data underscores that social engineering risk is universal but varies in intensity and attack pattern. Organizations in every sector need awareness training, but the specific content should reflect industry-specific threats: healthcare staff need training on medical supply vendor impersonation, financial services need training on regulatory-themed pretexting, SMBs need training on CEO fraud and invoice fraud, and government employees need training on nation-state social engineering techniques.

Industry Baseline Vulnerability Rankings

Cross-referencing KnowBe4's phish-prone percentage data across industries reveals a clear vulnerability hierarchy. Healthcare leads at 41.9%, followed by Insurance (39.2%), Retail/Wholesale (36.5%), and the global average (33.1%). Financial services, despite facing 300x more attacks, have a lower baseline PPP — likely reflecting higher existing investment in security awareness. The most vulnerable industries are not those facing the most attacks, but those with the least training investment. (KnowBe4 2025, Arctic Wolf 2025, Verizon DBIR 2025)

🧠 Social Engineering and the Human Factor

Human element in breaches: 60% (Verizon DBIR 2025)

People remain the weakest link. 60% of breaches involve the human element — social engineering, errors, and misuse (Verizon DBIR 2025). 88% of breaches are caused by human error (Stanford). 68% of cyberattacks originate from email (KnowBe4). The median time to click a phishing link is 21 seconds, while the median time to report it is 20 hours (Verizon DBIR 2025) — attackers have a massive head start.

76% of organizations still lack phishing-resistant MFA such as FIDO2 or passkeys (Arctic Wolf 2025). Pretexting — using fabricated scenarios to manipulate targets — now accounts for 50%+ of social engineering incidents (Verizon DBIR 2025). Identity-based phishing incidents continue to rise (Cisco 2025). The data is clear: investing in training, MFA, and verification procedures delivers measurable returns, yet most organizations remain under-invested.

Finding | Value | Source
Breaches involving human element | 68% | Verizon DBIR 2024
Human element in breaches | 60% | Verizon DBIR 2025
Breaches caused by human error | 88% | Stanford University
Users who click phishing links | 2.7% | Verizon DBIR 2025
Median time to click phishing link | 21 seconds | Verizon DBIR 2025
Identity-based phishing incidents | 60% | Cisco Cybersecurity Readiness Index 2025
Orgs without phishing-resistant MFA | 76% | Arctic Wolf Threat Report 2025
Attacks originating from email | 68% | KnowBe4 Financial Sector Threats Report 2025
Incidents involving pretexting | 50%+ | Verizon DBIR 2025

21 Seconds: The Window That Decides Everything

The median time to click a phishing link is 21 seconds (Verizon DBIR 2025). The median time to report it is 20 hours. That gap, 21 seconds to compromise versus 20 hours to detect, is the fundamental human factor cybersecurity challenge. The 21 seconds start once the message is already in the inbox, so an email gateway or filter has either stopped it before delivery or will not stop it at all; inside the window the outcome rests on the recipient, or on controls that make the click harmless, such as phishing-resistant MFA that will not authenticate to a lookalike site. This is why the 86% reduction from awareness training matters: it shrinks the population of people who click in those first 21 seconds. (Verizon DBIR 2025, KnowBe4 2025)

The human factor in cybersecurity is not a failing to be eliminated — it is a reality to be managed. Every employee is both a potential target and a potential sensor. Organizations that frame security awareness as a "compliance checkbox" see minimal improvement. Organizations that treat every employee as a human firewall — providing continuous training, easy reporting tools, and positive reinforcement for catching threats — see dramatic reductions in social engineering success rates.

The 76% of organizations without phishing-resistant MFA (Arctic Wolf 2025) represents the single largest addressable gap. FIDO2 and passkey deployments take the credential out of the phishing equation: the authenticator signs a challenge bound to the genuine site's origin, so whatever a user does on a lookalike domain cannot be relayed to the real one, however convincing the pretext. Two caveats a practitioner should plan for: the session token issued after a legitimate login can still be stolen from the endpoint or by a malicious browser extension, and attackers who cannot phish the factor pivot to the recovery path (help-desk resets, SMS or OTP fallbacks) or to consent and device-code prompts, so those paths need the same protection. Combined with awareness training, phishing-resistant MFA creates a layered defence that addresses both the human and technical dimensions of social engineering.
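The origin binding described above, shown as an added example that is not part of the original article: the relying-party checks a server performs on a WebAuthn assertion before it ever looks at the signature. The RP ID example.com, the origin https://example.com, the challenge and the assertion bytes are all constructed here; the final public-key signature check is left to the caller, and the function returns the exact bytes that signature covers.

```python
"""Relying-party side of a FIDO2/WebAuthn authentication: the checks that make
an assertion produced on a phishing origin unusable against the real site.
Added example, not from the page; the assertion is constructed and the final
ECDSA signature check is left to the caller (see verify_assertion)."""
import base64
import hashlib
import json

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # the only origin this RP accepts


class AssertionRejected(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> bytes:
    """WebAuthn authentication checks (W3C WebAuthn Level 2, section 7.2) on the
    two inputs a phisher cannot control. Returns the bytes the authenticator
    signed, authenticatorData || SHA-256(clientDataJSON), so the caller can
    finish with the public-key signature check against the stored credential."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise AssertionRejected("not an authentication ceremony")
    # Challenge: issued per login by the RP, so a captured assertion cannot be replayed.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise AssertionRejected("challenge mismatch: replayed or cross-session assertion")
    # Origin: written by the browser from the page's actual URL, not by page script.
    if cd.get("origin") != EXPECTED_ORIGIN:
        raise AssertionRejected(f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}")
    # rpIdHash: the authenticator scopes the key to the RP ID the browser saw,
    # so a key minted for a lookalike domain never matches the real RP.
    if len(authenticator_data) < 37:
        raise AssertionRejected("authenticator data too short")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise AssertionRejected("rpIdHash mismatch: credential scoped to a different RP")
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        raise AssertionRejected("user presence not asserted")
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def make_assertion(browser_origin: str, browser_rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator produce when the
    user completes a passkey prompt on browser_origin. Flags 0x05 = UP|UV,
    followed by a 4-byte signature counter."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": browser_origin}).encode()
    auth_data = (hashlib.sha256(browser_rp_id.encode()).digest()
                 + bytes([0x05]) + (7).to_bytes(4, "big"))
    return client_data, auth_data


def outcome(browser_origin: str, browser_rp_id: str) -> str:
    """Run an assertion completed at browser_origin through the RP's checks.
    Returns 'accepted' or the reason the RP refused it."""
    challenge = bytes(range(32))  # fixed for a deterministic demo; use os.urandom(32) in practice
    client_data, auth_data = make_assertion(browser_origin, browser_rp_id, challenge)
    try:
        verify_assertion(client_data, auth_data, challenge)
        return "accepted"
    except AssertionRejected as exc:
        return str(exc)


if __name__ == "__main__":
    print(outcome("https://example.com", "example.com"))  # genuine site
    print(outcome("https://examp1e.com", "examp1e.com"))  # lookalike: rejected on origin
```

The point the code makes is that the user on the lookalike site does nothing wrong and still cannot be phished: the browser fills in the origin and the authenticator scopes the key to the RP ID it observed, so the assertion fails on the RP's first two checks before any signature is examined. The checks that remain vulnerable are the ones outside this flow, which is why the recovery and fallback paths mentioned above need equal attention.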

The Psychology Behind Social Engineering Success

Social engineering exploits six fundamental psychological principles: authority (impersonating executives or IT support), urgency (creating time pressure to prevent careful analysis), scarcity (limited-time offers or threats of account closure), social proof (referencing colleagues or shared connections), reciprocity (offering something of value before making a request), and commitment (getting small agreements before escalating to larger requests). AI has not changed these principles — it has simply made their application faster, cheaper, and more personalized.

Understanding these principles is the foundation of effective awareness training. When employees recognize the psychological levers being pulled — "why is this email creating urgency?", "why is this person invoking authority?", "why am I being asked to bypass normal procedures?" — they develop the critical thinking reflexes that reduce click rates by 86%. The most effective training programs explicitly teach these principles and provide examples of how each is used in real social engineering attacks.

The Reporting Gap

The gap between clicking and reporting is a critical human factor challenge. The median time to click a phishing link is 21 seconds (Verizon DBIR 2025). The median time to report a suspected phishing email is 20 hours. This 3,400x differential means that by the time a social engineering attempt is reported, the attacker has had nearly a full business day to exploit the compromised credentials, initiate fraudulent transfers, or move laterally within the network.

Closing this reporting gap requires making reporting frictionless (one-click phishing report buttons), removing fear of punishment for employees who clicked and then reported, and creating a culture where reporting is celebrated rather than stigmatized. Organizations that actively reward phishing reports — even when the employee initially clicked — see dramatically faster reporting times and higher report volumes.

The Reporting Paradox: Punishment Reduces Security

Organizations that punish employees for clicking phishing links in simulations see lower reporting rates, because employees hide incidents rather than report them. That can leave an organization worse off than running no simulation programme at all: the clicks still happen, but the security team no longer hears about them. Cross-referencing KnowBe4's training data with Arctic Wolf's incident response data, the most secure organizations combine positive reinforcement for reporting with immediate remedial training for clicking. No employee should be fired for clicking a phishing link in a simulation. The goal is behaviour change, not punishment. (KnowBe4 2025, Arctic Wolf 2025)

🎓 Security Awareness Training Effectiveness

[Figure: phish-prone percentage falling from 33.1% before training to 19.9% after 90 days and 4.1% after 12 months (KnowBe4 2025)]
Click rate after training: 4.1% (an 86% reduction)

Security awareness training is the most effective countermeasure against social engineering. KnowBe4's 2025 study of 14.5 million users across 62,400 organizations found that untrained employees have a 33.1% baseline phishing click rate. After just 3 months of training, click rates drop by 40%. After 12 months of continuous training, they drop by 86% to just 4.1%.

Healthcare and Pharmaceuticals have the highest baseline vulnerability at 41.9% (KnowBe4 2025), followed by Insurance at 39.2% and Retail/Wholesale at 36.5%. The global baseline has improved 3.5% year-over-year in relative terms (from 34.3% in the 2024 benchmark to 33.1%), indicating a positive shift in overall security awareness. Training works; the data is unambiguous.

Finding | Value | Source
Baseline PPP before training | 33.1% | KnowBe4
PPP after 12 months of training | 4.1% | KnowBe4
Click rate reduction after training | 86% | KnowBe4
Click rate reduction after 3 months | 40% | KnowBe4
PPP after training (financial sector) | under 5% | KnowBe4 Financial Sector Threats Report 2025
Users analyzed in benchmark study | 14.5 million | KnowBe4
Healthcare baseline PPP (most vulnerable) | 41.9% | KnowBe4

The 86% Training Dividend

KnowBe4's study of 14.5 million users found that untrained employees have a 33.1% phishing click rate. After 12 months of continuous training, that drops to just 4.1% — an 86% reduction. In a 1,000-person organization, that means going from ~331 vulnerable employees to ~41. At an average social engineering attack cost of $130,000, even preventing one successful attack pays for multiple years of training. (KnowBe4 2025)

Before training: 33.1%
After 3 months: 19.9%
After 12 months: 4.1%

The data from KnowBe4's benchmark study of 14.5 million users across 62,400 organizations is unambiguous. Training works. The trajectory from 33.1% to 19.9% (after 3 months) to 4.1% (after 12 months) shows that sustained, continuous training delivers compounding returns. Organizations that run quarterly phishing simulations combined with immediate remedial training for those who click achieve the fastest improvement.

Industry-specific baselines vary significantly. Healthcare employees start at 41.9% vulnerability (KnowBe4 2025), followed by Insurance at 39.2% and Retail/Wholesale at 36.5%. These industries require more intensive initial training. The global baseline has improved 3.5% year-over-year, indicating that organizations worldwide are investing in awareness programs — but at 33.1% overall, the majority of the world's employees remain vulnerable to social engineering.

The ROI calculation is straightforward. A 500-person organization with a 33.1% click rate has approximately 166 employees who would click a phishing link. At the average six-figure cost per social engineering incident (Eftsure), even one successful attack costs more than years of awareness training. After training reduces click rates to 4.1%, only 21 employees remain vulnerable — an 87% reduction in attack surface for a fraction of the cost of a single breach.

What Makes Training Effective

Not all security awareness training is equal. KnowBe4's data shows that the 86% reduction requires continuous, multi-format training — not a one-time annual presentation. The most effective programmes combine: monthly phishing simulations (email, SMS, and voice), immediate remedial training for employees who click, quarterly classroom or video training on emerging threats, real-world examples from recent incidents, and positive reinforcement for reporting suspicious messages.

The 3-month checkpoint is critical. KnowBe4 found that click rates drop 40% in just 3 months — meaning organizations see rapid improvement from the initial training investment. However, stopping at 3 months leaves click rates at approximately 20%, still dangerously high. The full 86% reduction requires 12 months of continuous reinforcement. Training is not a project — it is an ongoing programme.

Training content must evolve with threats. Programmes designed around 2020-era email phishing are inadequate for the current threat landscape. Modern training must include AI-generated phishing recognition, vishing scenario exercises, smishing awareness, pretexting identification, BEC response procedures, and deepfake detection. The threat has evolved — training must evolve with it.

Measuring Training Effectiveness

The primary metric for training effectiveness is the Phish-Prone Percentage (PPP) — the percentage of employees who click simulated phishing links. Organizations should track this monthly and benchmark against industry baselines: 33.1% global average, 41.9% healthcare, 39.2% insurance, 36.5% retail (KnowBe4 2025). A well-run programme should achieve sub-10% PPP within 6 months and sub-5% within 12 months.

Secondary metrics include: report rate (percentage of employees who report simulated phishing), time-to-report (how quickly employees flag suspicious messages), and repeat clicker rate (percentage of employees who click multiple simulations). Organizations with high report rates and low repeat clicker rates have the strongest human firewall. Target: >70% report rate, <5% repeat clicker rate, <1 hour median time-to-report.
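Computing these metrics from simulation exports, as an added example rather than page content. The targets follow the text (sub-5% PPP, >70% report rate, <5% repeat clickers, under an hour median time-to-report); the record layout, one tuple per recipient per campaign with ISO-8601 timestamps, and the eight sample records are constructed.

```python
"""Phishing-simulation metrics: phish-prone percentage (PPP), report rate,
median time-to-report and repeat-clicker rate, computed from per-recipient
campaign records. Added example with constructed data, not page content."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed records: (campaign, user, sent_at, clicked_at, reported_at).
# Timestamps are ISO-8601; None means the action did not happen.
RESULTS = [
    ("C1", "alice", "2026-01-10T09:00:00", "2026-01-10T09:00:21", None),
    ("C1", "bob",   "2026-01-10T09:00:00", None, "2026-01-10T09:12:00"),
    ("C1", "carol", "2026-01-10T09:00:00", None, None),
    ("C1", "dave",  "2026-01-10T09:00:00", "2026-01-10T09:03:00", "2026-01-10T09:04:00"),
    ("C2", "alice", "2026-02-10T09:00:00", "2026-02-10T09:01:00", None),
    ("C2", "bob",   "2026-02-10T09:00:00", None, "2026-02-11T08:00:00"),
    ("C2", "carol", "2026-02-10T09:00:00", None, "2026-02-10T09:30:00"),
    ("C2", "dave",  "2026-02-10T09:00:00", None, None),
]

# Targets named in the text: PPP < 5%, report rate > 70%, repeat clickers < 5%,
# median time-to-report under one hour.
TARGETS = {"ppp": 5.0, "report_rate": 70.0, "repeat_clicker_rate": 5.0, "ttr_minutes": 60.0}


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(results):
    """Per-campaign PPP and report rate, in percent. A recipient who clicked
    and then reported counts in both numerators: the click is a real exposure,
    and the report is the behaviour the programme wants to reinforce."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _user, _sent_at, clicked_at, reported_at in results:
        sent[campaign] += 1
        clicked[campaign] += int(clicked_at is not None)
        reported[campaign] += int(reported_at is not None)
    return {
        c: {
            "sent": sent[c],
            "ppp": round(100.0 * clicked[c] / sent[c], 1),
            "report_rate": round(100.0 * reported[c] / sent[c], 1),
        }
        for c in sorted(sent)
    }


def program_metrics(results):
    """Programme-level view: median minutes from send to report, repeat-clicker
    rate among users who received at least two campaigns, and whether the most
    recent campaign meets the targets."""
    minutes, latest = [], None
    campaigns_by_user, clicks_by_user = defaultdict(set), defaultdict(set)
    for campaign, user, sent_at, clicked_at, reported_at in results:
        campaigns_by_user[user].add(campaign)
        if clicked_at:
            clicks_by_user[user].add(campaign)
        if reported_at:
            minutes.append((_ts(reported_at) - _ts(sent_at)).total_seconds() / 60.0)
        if latest is None or _ts(sent_at) > latest[1]:
            latest = (campaign, _ts(sent_at))
    eligible = [u for u, cs in campaigns_by_user.items() if len(cs) >= 2]
    repeaters = sorted(u for u in eligible if len(clicks_by_user[u]) >= 2)
    repeat_rate = round(100.0 * len(repeaters) / len(eligible), 1) if eligible else 0.0
    ttr = median(minutes) if minutes else None
    current = campaign_metrics(results)[latest[0]]
    return {
        "latest_campaign": latest[0],
        "median_time_to_report_min": ttr,
        "repeat_clicker_rate": repeat_rate,
        "repeat_clickers": repeaters,
        "targets_met": {
            "ppp": current["ppp"] < TARGETS["ppp"],
            "report_rate": current["report_rate"] > TARGETS["report_rate"],
            "repeat_clicker_rate": repeat_rate < TARGETS["repeat_clicker_rate"],
            "time_to_report": ttr is not None and ttr < TARGETS["ttr_minutes"],
        },
    }


if __name__ == "__main__":
    for name, row in campaign_metrics(RESULTS).items():
        print(name, row)
    print(program_metrics(RESULTS))
```

On the constructed data the second campaign halves the PPP (50% to 25%) while the report rate stays at 50%, and one user clicks in both campaigns. The median time-to-report is 21 minutes, well inside the one-hour target, but a single overnight report (23 hours) shows why the median rather than the mean is the right summary for a metric with a long tail.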


🌍 Social Engineering Statistics by Country

🇺🇸 United States

The United States is the largest financial victim worldwide. FBI IC3 reported record social engineering losses in 2024, up 33% year-over-year from $12.5 billion in 2023. BEC losses alone reached $2.77 billion. The FBI received 193,407 phishing complaints in 2024. Over the past decade, cumulative BEC losses reported to the FBI have reached tens of billions.

🇬🇧 United Kingdom

UK businesses face significant social engineering threats. Large UK businesses have the highest breach rates, with social engineering a primary vector (Gov.uk 2025). Small businesses are increasingly targeted, reflecting the global pattern of attackers shifting to less-defended organizations. The UK's National Cyber Strategy continues to emphasize human-focused security measures and staff training, particularly for organizations handling sensitive data.

The UK's Action Fraud service and National Cyber Security Centre (NCSC) report rising volumes of social engineering complaints, with phishing and BEC as the dominant vectors. UK regulatory frameworks including GDPR create additional financial exposure when social engineering leads to data breaches — organizations face potential fines of up to 4% of global annual turnover on top of breach remediation costs.

🌐 Global Trends

Social engineering is a global phenomenon, but regional patterns differ. The Asia-Pacific region has overtaken North America as the most-attacked region (Secureframe). Phishing/social engineering is cited as the top cyber risk by organizations worldwide (WEF 2025). Scam phone calls reached 2.56 billion globally in 2025 (Truecaller). The average per-attack cost remains six figures regardless of geography (Eftsure).

Regional differences in social engineering tactics reflect cultural and technological factors. In APAC, smishing is disproportionately effective due to higher mobile-first internet usage. In Europe, GDPR-themed pretexting (fake data subject access requests) has emerged as a region-specific social engineering technique. In North America, BEC remains the dominant financial threat. In Africa and Latin America, mobile money and SIM swap fraud are the fastest-growing social engineering vectors.

Language barriers that once limited social engineering to English-speaking targets have been eliminated by AI translation. Attackers can now craft grammatically perfect, culturally appropriate social engineering messages in any language, opening global attack surfaces that were previously inaccessible. This expansion is reflected in the APAC region's rise as the most-attacked region worldwide.

🇦🇺 Australia & Asia-Pacific

The Asia-Pacific region has overtaken North America as the most-attacked region for social engineering (Secureframe). This shift reflects APAC's rapid digital transformation, high mobile-first internet usage (which increases smishing effectiveness), and growing economic targets. India faces particularly intense social engineering activity, with rapidly increasing ransomware and phishing volumes. Australia's cybersecurity strategy includes mandatory incident reporting that provides better visibility into social engineering losses.

🇪🇺 European Union

EU organizations face social engineering threats compounded by regulatory exposure. A successful social engineering attack that leads to a data breach triggers GDPR notification requirements within 72 hours, with potential fines of up to 4% of global annual turnover. GDPR-themed pretexting — fake data subject access requests designed to exfiltrate personal data — has emerged as an EU-specific social engineering technique. The EU's NIS2 Directive now mandates security awareness training for critical infrastructure organizations.

Finding | Value | Source
US social engineering losses (2024) | $16.6B | FBI IC3 2024
US social engineering losses (2023) | $12.5B | FBI IC3 2023
FBI IC3 BEC losses (US, 2024) | $2.77B | FBI Internet Crime Report 2024
FBI phishing complaints (2024) | 193,407 | FBI Internet Crime Report 2024
UK large business breach rate | 74% | UK DSIT Cyber Security Breaches Survey 2025
UK small business breach rate | 42% | UK DSIT Cyber Security Breaches Survey 2025

The Geography of Social Engineering Losses

The US accounts for the largest share of reported social engineering losses (FBI IC3 2024), but this reflects both the scale of the US economy and the FBI's reporting infrastructure. Many countries lack equivalent reporting mechanisms, meaning global losses are significantly underreported. Cross-referencing FBI data with Verizon's global breach database and WEF's survey of 92 countries, social engineering is the top cited cyber risk regardless of geography, GDP, or technological maturity. The threat is universal. (FBI IC3 2024, Verizon DBIR 2025, WEF 2025)

📋 Key Takeaways

  1. Social engineering dominates cybersecurity. 98% of attacks involve social engineering, and 60% of breaches involve the human element. Technical defences alone are insufficient.
  2. Vishing is the fastest-growing threat. Voice phishing surged 442% in H2 2024, deepfake vishing spiked 1,633% in Q1 2025, and vishing now accounts for 60%+ of phishing engagements.
  3. AI has industrialized social engineering. 80%+ of social engineering is AI-powered, AI phishing costs 95% less than manual campaigns, and performance improved 55% in two years.
  4. BEC is the most costly attack type. Tens of billions in cumulative FBI losses, millions per breach on average, and 63% of organizations experienced BEC in the past year.
  5. Training works, provably. 12 months of awareness training reduces phishing click rates by 86% (from 33.1% to 4.1%). This is the single highest-ROI security investment.
  6. SMS phishing is 9x more effective than email. Smishing click rates of 19-36% vs 2-4% for email make mobile-first attacks the fastest-growing threat channel.
  7. MFA adoption remains dangerously low. 76% of organizations lack phishing-resistant MFA. Until this changes, credential harvesting via social engineering will remain the path of least resistance.
  8. Pretexting has nearly doubled. 50%+ of social engineering incidents now involve pretexting, fabricated scenarios designed to manipulate specific targets. Mass-blast phishing is giving way to targeted, story-driven attacks.
  9. Multi-channel attacks are the new normal. Modern social engineering chains email, voice, SMS, and social media. Single-channel defences leave organizations exposed. Train across all vectors, not just email.
  10. The defence ROI is at least 80x. Combined awareness training + phishing-resistant MFA costs roughly $30-60K/year for a 500-person org. A single prevented BEC breach saves millions. The economics of defence are overwhelming.

The Multi-Channel Convergence Effect

Cross-referencing attack data across channels reveals that social engineering is no longer single-vector. Email phishing (3.4B daily), vishing (442% surge), smishing (19-36% click rate), pretexting (50%+ of incidents), and BEC ($2.77B FBI losses) now operate as coordinated attack chains. An attacker may research on LinkedIn, phish via email, follow up with a deepfaked voice call, and execute via BEC — each channel reinforcing the others. Single-channel defence is obsolete. (Verizon DBIR 2025, CrowdStrike 2025, Eftsure, FBI IC3)

The Defence Investment Gap

The average social engineering attack costs six figures (Eftsure), and a single BEC breach averages nearly five million dollars (IBM 2025). Security awareness training for a 500-person organization costs approximately $25,000-50,000 per year. Phishing-resistant MFA deployment costs $10-20 per user per year, or $5,000-10,000 for 500 users. Combined annual defence cost: roughly $30,000-60,000, a fraction of a single successful BEC incident. Against a $4.89M BEC breach, the ROI of social engineering defence is at least 80x the investment. Every organization that has not deployed these controls is making an economically irrational decision. (IBM 2025, Eftsure, KnowBe4 2025)

These ten takeaways distill the core message. Social engineering is not a secondary threat: it is the primary attack vector, the most cost-effective criminal enterprise, and the fastest-growing threat category. The good news: training works (86% reduction in click rates), phishing-resistant MFA makes a phished password useless on its own, and procedural controls for financial transfers neutralize BEC. The gap between current vulnerability and achievable defence is a resource allocation problem, not a technology problem.

For security leaders building a business case, the numbers are clear: a single prevented BEC incident pays for years of awareness training, phishing-resistant MFA deployment, and procedural controls combined. The cost of inaction (a 33.1% click rate, 442% vishing growth, 80%+ AI-powered attacks) far exceeds the cost of action. Use the risk assessment questions below to evaluate your organization's current posture.

Social Engineering Risk Assessment

Eight questions to check your organization's defences against the attack patterns described above:

  1. Does your organization conduct regular phishing simulations?
  2. Do you have phishing-resistant MFA (FIDO2/passkeys) deployed?
  3. Is there a formal security awareness training programme?
  4. Can employees report suspected phishing with one click?
  5. Are out-of-band callback procedures (to a number already on file, never one supplied in the message) in place for financial transfers and bank-detail changes?
  6. Does your email gateway detect AI-generated phishing?
  7. Is there a BEC-specific detection and response process?
  8. Are employees trained to recognise pretexting and vishing?

Social Engineering FAQ

What percentage of cyber attacks involve social engineering?

98% of cyberattacks involve some form of social engineering (Sprinto). The human element is involved in 60% of all data breaches (Verizon DBIR 2025). Social engineering techniques include phishing, vishing, smishing, pretexting, business email compromise, and baiting. These attacks exploit human psychology rather than technical vulnerabilities, making them effective against even the most technologically advanced organizations.

How much does social engineering cost businesses?

US social engineering losses reached $16.6 billion in 2024 (FBI IC3), up 33% from $12.5 billion in 2023. The average BEC breach costs $4.89 million (IBM 2025). The average social engineering attack costs $130,000 (Eftsure). Cumulative BEC losses over the past decade total $55.5 billion (FBI IC3). Deepfake fraud costs are projected to reach $40 billion by 2027 (Deloitte).

What is the most common type of social engineering attack?

Phishing (email-based) remains the most common social engineering technique by volume, with 3.4 billion phishing emails sent daily. However, vishing (voice phishing) overtook email as the dominant phishing channel in Q1 2025, accounting for 60%+ of phishing engagements (Keepnet). Pretexting now represents 50%+ of all social engineering incidents (Verizon DBIR 2025), nearly doubling from prior years. BEC accounts for 27% of investigated incidents (Arctic Wolf 2025).

Does security awareness training reduce social engineering attacks?

Yes, provably. KnowBe4's 2025 study of 14.5 million users across 62,400 organizations found that security awareness training reduces phishing click rates by 86% over 12 months, from a 33.1% baseline to just 4.1%. Even 3 months of training produces a 40% reduction. Healthcare starts highest at 41.9% and needs the most intensive initial training. Training is the single highest-ROI defence against social engineering, and its effectiveness is backed by one of the largest studies in cybersecurity.

How is AI changing social engineering attacks?

AI has fundamentally transformed social engineering. Over 80% of social engineering activity is now AI-powered (Abnormal Security 2025). AI-generated phishing costs 95% less than manual campaigns while maintaining comparable click rates (HBR 2024). AI phishing performance improved 55% from 2023 to 2025 (Hoxhunt). AI can clone a voice from 3 seconds of audio (McAfee 2024), and deepfake-enabled vishing surged 1,633% in Q1 2025 (Keepnet). 40% of BEC emails are AI-generated (VIPRE 2024). 91% of security professionals report encountering AI-enabled email attacks in the past 6 months.

What is the success rate of social engineering attacks?

Social engineering success rates vary by channel and target training level. Untrained employees have a 33.1% phishing click rate (KnowBe4 2025). SMS phishing achieves click rates of 19-36%, making it up to 9x more effective than email phishing at 2-4% (Eftsure). The median time to click a phishing link is just 21 seconds (Verizon DBIR 2025). 25% of users are fooled by deepfake voices in vishing attacks (Keepnet). After 12 months of training, click rates drop to 4.1%.

What is business email compromise (BEC)?

Business email compromise (BEC) is a social engineering technique where attackers impersonate executives, vendors, or trusted contacts via email to trick employees into transferring funds or sharing sensitive information. BEC requires no malware or technical exploitation. FBI IC3 reported $2.77 billion in BEC losses in 2024, with cumulative losses over the past decade reaching tens of billions. 63% of organizations experienced BEC in the past year (AFP 2025). BEC ranks among the costliest breach types (IBM 2025).

What is vishing and why is it growing so fast?

Vishing (voice phishing) uses phone calls to deceive targets into revealing sensitive information or authorizing fraudulent transactions. It surged 442% from H1 to H2 2024 (CrowdStrike) due to AI voice cloning technology that can replicate a person's voice from just 3 seconds of audio (McAfee). Deepfake-enabled vishing spiked 1,633% in Q1 2025 (Keepnet). Vishing now accounts for 60%+ of all phishing engagements, overtaking email as the primary phishing channel. The largest single vishing loss was $25 million (CrowdStrike 2024).

Social Engineering Timeline: The AI Inflection Point

2020
Social engineering accounts for ~80% of cyberattacks. BEC losses at $1.8B annually (FBI IC3). Phishing emails are predominantly human-crafted with identifiable errors.
2021
COVID-19 drives remote work phishing surge. BEC losses rise to $2.4B. Social engineering exploits pandemic uncertainty with vaccine, PPE, and remote access scams.
2022
Pretexting begins overtaking traditional phishing as dominant social engineering technique. Smishing volume increases significantly. Deepfake technology becomes commercially accessible.
2023
ChatGPT and generative AI transform phishing email quality. BEC losses reach $2.9B. AI voice cloning demonstrated from 3 seconds of audio (McAfee). The AI social engineering era begins.
2024
Vishing surges 442% (CrowdStrike). $25M deepfake CFO scam (CrowdStrike). 40% of BEC emails AI-generated (VIPRE). FBI IC3 losses hit record highs. Social engineering becomes AI-first.
2026
80%+ of social engineering is AI-powered (Abnormal Security). Deepfake vishing surges 1,633% in Q1. 98% of attacks involve social engineering. Training proves 86% effective (KnowBe4).

Anatomy of a Modern Social Engineering Attack Chain

1. Reconnaissance: LinkedIn, social media, company website research
2. Initial Contact: AI-crafted phishing email or smishing message
3. Pretexting: Fabricated scenario to build trust and urgency
4. Escalation: Deepfake voice call or BEC for authority
5. Extraction: Wire transfer, credential harvest, or data theft

Modern social engineering chains multiple techniques across channels. Defending against any single step is insufficient — organizations need layered controls across the entire attack chain.

Social Engineering vs Other Attack Vectors

Factor              | Social Engineering        | Ransomware            | Exploits
Attack cost         | Near zero (AI)            | $$$$ (infrastructure) | $$$$$ (zero-day R&D)
Skill required      | Low (AI assists)          | Medium                | High
Success rate        | 2-36% (varies by channel) | Variable              | High (if unpatched)
Share of breaches   | 60-98%                    | 44%                   | 20%
Primary defence     | Training + MFA            | Backups + EDR         | Patching
Avg cost per breach | $4.89M (BEC)              | $5.08M                | $4.24M

Social engineering has the lowest barrier to entry, highest volume, and broadest breach share of any attack category. Sources: IBM 2025, Verizon DBIR 2025, CrowdStrike 2025, HBR 2024.

About This Data

This article draws from 76 statistics aggregated from 50+ authoritative sources including IBM Cost of a Data Breach, Verizon DBIR, CrowdStrike Global Threat Report, WEF Global Cybersecurity Outlook, FBI IC3, ISC2 Cybersecurity Workforce Study, Sophos, Gartner, Mandiant M-Trends, and Ponemon Institute reports.

Derived statistics (marked "Nathan House's Analysis") are computed by cross-referencing data from multiple sources — for example, comparing breach costs across industries using IBM data, or validating ransomware trends across Verizon, Sophos, and HIPAA Journal findings.

All statistics include inline source citations with links to primary sources. Data spans 2023-2026, with preference given to the most recent available figures. Last updated: March 2026.

How to Use This Data

Security professionals can use this data to build business cases for awareness training, justify phishing-resistant MFA deployment, and benchmark organizational vulnerability against industry baselines. The derived insights cross-reference multiple sources to surface what no single report shows.

This page is updated monthly as new reports are published. Bookmark it and return for the latest social engineering attack data. If you spot an outdated statistic or want to suggest a source, contact us.

Key sources used: Verizon Data Breach Investigations Report (DBIR) 2025, IBM Cost of a Data Breach Report 2025, FBI Internet Crime Complaint Center (IC3) Annual Report 2024, CrowdStrike Global Threat Report 2025, KnowBe4 Phishing By Industry Benchmarking Report 2025, Abnormal Security H1 2025 Threat Report, APWG Phishing Activity Trends Reports, Keepnet Labs Vishing Statistics Report, McAfee AI Voice Cloning Study, Eftsure Social Engineering Statistics, Sprinto Cybersecurity Survey, Arctic Wolf Security Operations Report 2025, World Economic Forum Global Cybersecurity Outlook 2025, HBR AI Phishing Study 2024, VIPRE Email Threat Trends 2024, and Hoxhunt Human Risk Benchmark 2025.

About the Author

Nathan House, StationX

Nathan House is a cybersecurity expert with 30 years of hands-on experience. He holds OSCP, CISSP, and CEH certifications, has secured £71 billion in UK mobile banking transactions, and has worked with clients including Microsoft, Cisco, BP, Vodafone, and VISA. Named Cyber Security Educator of the Year 2020 and a UK Top 25 Security Influencer 2025, Nathan is a featured expert on CNN, Fox News, and NBC. He founded StationX, which has trained over 500,000 students in cybersecurity.

Primary Data Sources for Social Engineering Statistics

Verizon DBIR 2025
Breach data from 22,000+ security incidents. Primary source for human element, pretexting, and click rate statistics.
FBI IC3 Annual Report 2024
859,532 complaints with $16.6B in losses. Primary source for BEC, phishing complaints, and US loss data.
KnowBe4 Benchmark Report 2025
14.5 million users across 62,400 organizations. Primary source for training effectiveness and phish-prone percentages.
CrowdStrike Global Threat Report 2025
Attack trend analysis from endpoint telemetry. Primary source for vishing surge and deepfake attack data.
IBM Cost of a Data Breach 2025
604 organizations across 17 countries. Primary source for BEC breach costs and attack vector cost comparisons.
Abnormal Security H1 2025
Email threat intelligence from millions of mailboxes. Primary source for AI-powered social engineering and BEC volume data.

Social Engineering Prevention Checklist

Based on the statistics above, these are the highest-impact actions organizations can take to reduce social engineering risk:

  • Deploy security awareness training — reduces click rates by 86% in 12 months (KnowBe4 2025)
  • Implement phishing-resistant MFA — FIDO2/passkeys eliminate credential phishing entirely (76% of orgs lack this)
  • Establish BEC verification procedures — dual approval and out-of-band verification for financial transfers
  • Run regular phishing simulations — including vishing and smishing scenarios, not just email
  • Deploy AI-powered email security — to detect AI-generated phishing and BEC
  • Create callback verification protocols — for any request involving money, credentials, or sensitive data
  • Train specifically on pretexting — now 50%+ of incidents, requires scenario-based training
  • Establish voice verification code words — for authorizing high-value transactions over the phone
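The BEC controls in the checklist (dual approval, out-of-band callback to a number already on file, and a pre-shared code word) can be enforced as a release gate rather than left to memory. The following is an added Python example, not code from the article or any vendor; the vendor master record, the approval threshold and the request fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed vendor master record (assumption for this example). The phone
# number and code word come from onboarding, never from the payment request.
VENDOR_MASTER = {
    "ACME-001": {
        "iban": "GB00EXAMPLE00000001",
        "phone": "+44-20-0000-0001",
        "code_word": "harbour",
    },
}
DUAL_APPROVAL_THRESHOLD = 10_000  # transfers at or above this need two approvers


@dataclass
class TransferRequest:
    vendor_id: str
    amount: float
    requested_iban: str
    requested_by: str                         # user who raised the payment
    approvers: List[str]                      # users who approved in the workflow tool
    callback_number: Optional[str] = None     # number finance actually dialled
    callback_code_word: Optional[str] = None  # code word spoken on that call


def verify_transfer(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (release_allowed, reasons). Every failed control is recorded
    so the decision is auditable after the fact."""
    reasons: List[str] = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor id"]
    # Control 1: a changed bank account is the classic BEC tell. It must be
    # confirmed out of band, on the number already on file, with the code word.
    if req.requested_iban != vendor["iban"]:
        if req.callback_number != vendor["phone"]:
            reasons.append("bank details changed: no callback to number on file")
        if req.callback_code_word != vendor["code_word"]:
            reasons.append("bank details changed: code word not confirmed")
    # Control 2: dual approval, and the requester never counts as an approver.
    independent = set(req.approvers) - {req.requested_by}
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append(f"need {needed} independent approver(s), have {len(independent)}")
    return (not reasons), reasons
```

A request that changes bank details and supplies its own callback number fails both out-of-band checks even when an executive has approved it, which is exactly the pattern the $25M deepfake CFO case relied on.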