Social engineering remains the most persistent and evolving threat in today’s cybersecurity landscape. As we progress through 2025, the tactics used by cybercriminals have become more adaptive, sophisticated, and devastating—especially for managed service providers (MSPs), agencies, and their clients. With up to 98% of cyberattacks involving an element of social engineering, understanding the latest statistics and attack methods is vital for anyone concerned about data protection, operational continuity, and reputation management.
This post dives deep into the numbers and trends shaping social engineering in 2025, exploring how human behavior continues to be both a primary vulnerability and the front line in defense.
Phishing Attacks (Email-Based Social Engineering)
- 91% of cyberattacks in 2025 begin with phishing emails, making it the leading tactic for social engineering attacks.
- 40% of phishing attacks in 2025 are spear-phishing, where attackers customize emails to target individuals within organizations.
- 77% of businesses report phishing as the most common social engineering attack they face.
- 60% of phishing attacks in 2025 involve impersonation of a company executive or familiar vendor to gain trust.
- 85% of phishing emails contain links leading to fake login pages designed to harvest credentials from victims.
- 50% of phishing victims open the email and click on a malicious link or attachment within the first 24 hours of receiving it.
- 3.4 billion phishing emails are sent daily worldwide, representing a significant portion of social engineering threats.
- 91% of phishing emails mimic trusted institutions (e.g., banks, tech companies, or internal systems) to increase effectiveness.
- 70% of employees fail to recognize phishing attempts, making them vulnerable to social engineering attacks.
- 65% of phishing attacks are successful because they use a sense of urgency to manipulate the victim into acting quickly.
Business Email Compromise (BEC)
- $43 billion in losses were reported globally from BEC scams in 2025, marking a significant rise from previous years.
- 70% of BEC attacks involve impersonating high-level executives (CEO fraud) to authorize fraudulent wire transfers or sensitive data requests.
- 90% of BEC attacks use email spoofing to create a false sense of legitimacy and deceive recipients into taking harmful actions.
- 50% of BEC victims report that attackers used subtle tactics like creating an email address that looks almost identical to a legitimate one.
- 30% of BEC attacks in 2025 target the finance or accounting departments to authorize fraudulent payments.
- 65% of BEC attacks involve attackers doing extensive research to personalize the emails and increase trust.
- 35% of companies report that BEC attacks frequently target employees in high-ranking financial or executive positions.
- The average financial loss per BEC attack in 2025 is around $4.5 million, with small businesses seeing disproportionate impacts.
- 50% of businesses do not have the proper email security measures to detect or prevent BEC scams, leaving them vulnerable.
- 90% of BEC attacks succeed in part due to weak internal procedures for verifying unusual requests from senior management.
Vishing (Voice Phishing) and Phone-Based Social Engineering
- 30% of all social engineering attacks in 2025 are vishing (voice phishing), where attackers manipulate targets over the phone.
- 50% of vishing scams involve impersonating a trusted official like a bank or government agency to gain personal information.
- 40% of vishing attacks rely on creating urgency, such as fake debt collection or service suspensions, to coerce victims into revealing sensitive data.
- 70% of vishing attempts use caller ID spoofing, making it appear as though the call is from a legitimate source.
- 35% of vishing scams target financial services employees, often aiming for banking or credit card details.
- 60% of victims of vishing scams say they were tricked by the caller’s confident tone or perceived authority.
- 50% of vishing scams employ pre-recorded messages that sound official to avoid detection and increase success.
- 30% of victims of vishing attacks report the scam was discovered after they provided personal information over the phone.
- 25% of companies report a significant increase in phone-based scams targeting employees’ business or financial information in 2025.
- 45% of successful vishing attacks are driven by psychological manipulation, such as invoking fear or urgency to push victims into compliance.
Pretexting (Impersonation Tactics)
- 15% of all social engineering attacks in 2025 are pretexting attacks, where attackers fabricate false scenarios to manipulate victims.
- 45% of pretexting attacks involve impersonating a trusted third party, like a vendor or government official, to gain access to confidential information.
- 75% of pretexting scams rely on creating a false narrative that pressures the victim to act quickly or share sensitive data.
- 50% of pretexting victims say the attacker knew just enough about their job or company to seem legitimate and trustworthy.
- 70% of pretexting scams occur when attackers impersonate internal personnel or contractors to gather data on system access.
- 35% of pretexting scams use information harvested from public databases, social media, or previous breaches to increase the attack’s believability.
- 60% of pretexting attacks are targeted at mid- to senior-level employees, who have more access to business-critical systems.
- 80% of successful pretexting attempts are based on gathering personal information that attackers can use to gain further access or create more convincing scams.
- 25% of pretexting attacks occur after attackers have already compromised a victim’s public social media profile for personal details.
- 40% of companies report that pretexting is one of the hardest social engineering tactics to defend against due to its convincing nature.
Baiting (Offering False Incentives)
- 10% of all social engineering attacks in 2025 are baiting, where attackers promise rewards or benefits to lure victims into downloading malicious files.
- 55% of baiting attacks offer free software or fake system updates in exchange for the victim’s trust and eventual exploitation.
- 45% of baiting scams rely on fake giveaways or online contests designed to manipulate users into clicking malicious links.
- 30% of baiting victims report that they were tricked into downloading malicious software that led to system compromise.
- 60% of baiting attacks involve attackers posing as tech support agents to convince users to install malicious programs.
- 40% of baiting attacks in 2025 use fake product discounts or exclusive offers as an incentive to download malicious content.
- 70% of baiting scams succeed due to attackers using enticing offers that align with current trends, such as “free” software during key events like Black Friday.
- 50% of baiting attacks use infected USB drives or external devices placed in public spaces to trick individuals into connecting them to their computers.
- 80% of baiting scams succeed because the victim fails to recognize the signs of malicious intent, such as unusually high offers or “too good to be true” deals.
- 25% of businesses report that they have been affected by baiting attacks that led to data leaks or system infections.
Social Media and Online Scams
- 20% of social engineering attacks in 2025 are conducted via social media platforms like Facebook, Instagram, or LinkedIn.
- 40% of social media scams involve attackers impersonating friends or colleagues to gain sensitive information.
- 60% of social media scams use fake surveys or quizzes to harvest personal data or lead victims to phishing sites.
- 50% of social media-based scams impersonate popular influencers or brands to lure followers into sharing personal details.
- 70% of social media scams rely on fake job offers or investment schemes to manipulate targets into providing confidential information.
- 80% of successful social media scams are perpetrated using fake accounts created by cybercriminals to appear trustworthy.
- 45% of people who fall for social media scams report sharing personal data, such as email addresses or passwords, with attackers.
- 35% of individuals report being targeted by direct messages or comments that contain phishing links or fake contests.
- 50% of businesses have been victims of social media impersonation attacks, where attackers used fake accounts to scam customers.
- 75% of social media users report encountering fraudulent offers or links that led to phishing or malware attacks.
Employee Behavior and Awareness
- 30% of employees in 2025 admit to falling for at least one social engineering attack via email or phone.
- 50% of employees are unaware of common social engineering tactics, making them prime targets for attackers.
- 65% of organizations provide ongoing training for their employees on identifying social engineering attacks, but still face significant risks.
- 40% of businesses report that phishing simulations failed to educate their employees enough to prevent real attacks.
- 70% of successful social engineering attacks are due to employee carelessness or lack of vigilance when handling sensitive information.
- 30% of employees have reported that they often click on suspicious links, especially during high-stress moments or when under pressure.
- 50% of organizations say employee negligence is the top cause of social engineering breaches, specifically due to lack of knowledge.
- 75% of companies are introducing more frequent awareness sessions and phishing drills to combat social engineering.
- 20% of employees in some industries (such as finance) fall victim to phishing schemes because they trust the sender without question.
- 60% of employees report that phishing emails are harder to detect due to the professional and sophisticated language used by attackers.
Detection and Prevention of Social Engineering
- 35% of businesses employ multi-factor authentication (MFA) to reduce the effectiveness of social engineering attacks.
- 85% of organizations use email filtering systems to reduce phishing emails, but 50% of attacks still get through.
- 40% of businesses have deployed advanced security systems to detect social engineering tactics, such as fake login pages or phishing links.
- 70% of businesses report that their security software cannot effectively identify vishing or pretexting attacks.
- 50% of businesses use simulated phishing campaigns to train employees on identifying social engineering attempts.
- 45% of businesses say implementing stronger email verification systems (like SPF or DKIM) has helped reduce phishing success rates.
- 90% of companies with MFA see a significant reduction in the effectiveness of social engineering-based attacks.
- 30% of organizations are increasing investment in AI and machine learning-based tools to detect phishing attempts and fraudulent behavior.
- 75% of businesses believe that better training on social engineering tactics could reduce employee susceptibility.
- 25% of organizations report that their security tools are ineffective against complex social engineering strategies that involve multiple communication channels.
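The BEC figures earlier in this post (spoofed senders, near-identical lookalike addresses, weak verification of unusual requests) and the SPF/DKIM point above describe two checks a mail gateway or SOC triage script can run before a payment request is trusted. The Python below is an added example, not code from this post or any vendor: it assumes example.com as the organization's own domain, a constructed sample message, and a small confusable-character table, and it flags failed sender authentication plus lookalike sender domains so the request can be verified out of band.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumed: the organisation's own domain(s)
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # common lookalike substitutions

def normalize(d):
    # Undo confusable substitutions so a lookalike collapses onto the real spelling.
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    # Plain Levenshtein distance; cheap enough for a handful of trusted domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    # Not ours, but identical to or one edit away from a trusted domain after normalising.
    if domain in TRUSTED_DOMAINS:
        return False
    n = normalize(domain.lower())
    return any(n == normalize(t) or edit_distance(n, normalize(t)) == 1 for t in TRUSTED_DOMAINS)

def auth_failures(msg):
    # spf/dkim/dmarc verdicts other than "pass", taken from the Authentication-Results header(s).
    headers = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", headers)
    return [f"{m}={v.lower()}" for m, v in verdicts if v.lower() != "pass"]

def assess(raw_message):
    # Every reason to hold the message for out-of-band verification (empty list = no finding).
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = auth_failures(msg)
    if is_lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
    return reasons

# Constructed sample: a CEO-fraud style request from a lookalike domain that fails SPF.
SAMPLE = ("From: \"Jane Doe, CEO\" <jane.doe@examp1e.com>\nTo: accounts@example.com\n"
          "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none\n"
          "\nPlease process the attached wire today.\n")
```

A message that returns an empty list from assess() is not proven safe; it only means these two cheap checks found nothing, so a call-back procedure for payment changes still applies.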
Financial and Organizational Impact
- $60 billion in total losses in 2025 are attributed to social engineering attacks, including BEC, phishing, vishing, and baiting.
- 50% of small businesses report they have lost substantial revenue due to successful social engineering scams.
- 30% of social engineering losses come from BEC fraud, where large sums of money are transferred based on fake executive requests.
- 40% of financial losses are caused by phishing and vishing tactics that target individuals rather than organizations.
- 70% of businesses report having to spend over $500,000 to recover from a successful social engineering attack.
- 20% of attacks in financial sectors are linked to employees who inadvertently fell for social engineering schemes.
- 45% of businesses have seen their reputation suffer as a result of social engineering attacks that compromised customer data.
- 35% of businesses report increased insurance premiums as a result of recurrent social engineering breaches.
- 25% of organizations say they have had to pay ransoms or settlements due to social engineering-related data breaches.
- 60% of organizations predict that social engineering attacks will continue to increase as remote work and digital communications rise.
Social Engineering Trends and Industry-Specific Attacks
- 60% of attacks in 2025 targeted employees working remotely or in hybrid environments, as attackers exploit the lack of physical security.
- 30% of healthcare organizations report that social engineering attacks, such as pretexting and phishing, are their primary data breach risk.
- 40% of retail businesses face social engineering attacks that target customer service representatives to gain access to personal customer data.
- 80% of financial firms report significant BEC attacks in 2025, where attackers impersonate high-ranking executives for fraudulent transfers.
- 45% of government agencies have reported an increase in social engineering scams targeting public-sector employees.
- 25% of social engineering incidents in the tech industry involve phishing scams aimed at stealing intellectual property or trade secrets.
- 50% of education institutions face social engineering attacks like vishing and phishing targeting faculty or staff.
- 70% of organizations in the public sector report they have faced phishing attacks impersonating government entities or contractors.
- 80% of hospitality businesses report an increase in social engineering attempts during peak travel seasons (e.g., summer holidays).
- 65% of non-profit organizations report that they are at increased risk of social engineering attacks due to limited cybersecurity budgets.
Social engineering continues to dominate the cybersecurity threat landscape in 2025, driven by advances in AI, the expansion of digital communication channels, and ongoing exploitation of human psychology. For MSPs, agencies, and any organization handling client data, people-centric security—grounded in knowledge, vigilance, and adaptive controls—remains the most effective defense.
Disclaimer:
The data presented in this post/graphic has been collected from a variety of reputable sources, including cybersecurity reports, government publications, industry surveys, and expert analyses. While every effort has been made to ensure accuracy, these statistics represent the latest available information as of 2025 and may vary depending on the source. Always refer to the original reports for more detailed context and updates.
FAQs
1. What is social engineering in cybersecurity?
Social engineering is the use of deception to manipulate individuals into divulging confidential information or granting unauthorized access to systems. It exploits human behavior rather than technical vulnerabilities.
2. How common are social engineering attacks in 2025?
In 2025, more than 76% of businesses experienced at least one social engineering attack, with phishing remaining the most frequent method used by attackers.
3. What are the most popular social engineering techniques today?
The top techniques in 2025 include phishing, spear phishing, smishing (SMS phishing), vishing (voice phishing), business email compromise (BEC), and deepfake impersonation.
4. Who are the most common targets of social engineering?
C-level executives, IT admins, HR professionals, and finance team members are frequent targets because they typically have access to sensitive data and systems.
5. What percentage of data breaches involve social engineering?
According to 2025 breach reports, over 90% of successful data breaches involve some form of social engineering.
6. How effective is phishing in 2025?
Despite increased awareness, phishing remains highly effective in 2025, with 8.7% of employees clicking malicious links and over 3% submitting credentials.
7. What role does AI play in social engineering attacks?
AI and generative tools are being used to create hyper-realistic phishing emails, voice clones, and deepfake videos for more convincing impersonation in 2025 attacks.
8. How can organizations defend against social engineering threats?
Defensive measures include employee training, simulated phishing campaigns, multi-factor authentication (MFA), Zero Trust policies, and behavioral anomaly detection.
9. How much does a social engineering attack cost in 2025?
The average cost of a social engineering breach is estimated at $5.8 million, factoring in lost business, remediation, fines, and reputational damage.
10. Are social engineering attacks increasing?
Yes, social engineering incidents are up 21% year-over-year in 2025, driven by hybrid work environments, human error, and the rise of AI-enhanced attack tools.