
Social Engineering Statistics For 2021
It’s no secret that in recent years, cybercriminals have improved their methods of data theft, and with their help gigabytes of confidential information are leaked daily. To do this, they use social engineering methods.
We’ve already written about social engineering here.
Statistics of such crimes clearly show that deceiving people through phishing, tailgating, surveillance, vishing, smishing, and so on is a very effective way for hackers to get credentials, access data, and launch large-scale attacks.
However, what exactly are the social engineering statistics for 2021, and how can you protect yourself from them? We will tell you in this article.
Know more about frequently used social engineering tactics here.
Short summary of social engineering statistics in 2021

- Social engineering is used in 98% of cyberattacks.
- On the internet, the share of phishing sites exceeds the percentage of malicious sites by 75 times.
- More than 70% of companies worldwide have been victims of phishing at least once in 2021.
- In 2021, phishing became the most common attack in the U.S., with more than 240K successful cases.
- Every 11 seconds there is a successful ransomware attack somewhere in the world.
- $150 — this amount is a ransom for a compromised record.
- In 2021, the US government allocated about $20 billion for cybersecurity.
What is social engineering?
Social engineering is a set of techniques and technologies for creating a space, along with the conditions and circumstances that most effectively lead a person to a specific desired behavior.
In simple words, with the knowledge and techniques of social engineering, you can easily get a person to do exactly what you need. However, the person will not guess until a certain time that they were “stabbed” somewhere. So, attackers may learn usernames and passwords from social networks or even confidential information of an entire organization. The techniques may include impersonating another person, forcing the situation, or distracting attention.
Social engineering is like hacking, only not of a computer but the human brain. The only difficulty is to find the right approach for each person, although professional “social engineering people” almost always act impromptu, relying only on their feelings.
Let’s take a look at some of the latest social engineering statistics.
- 1. Social engineering is used in 98% of cyberattacks.
Unfortunately, many employees of companies, and even ordinary internet users, cannot independently detect social engineering. Therefore, they unknowingly open access to data for fraudsters.
Interestingly, about 20% of employees still intentionally contribute to such attacks, in a thirst for revenge against strict superiors, for example.
- 2. About 70% of data leaks are due to social engineering.
Let’s agree that hacking a database is much more difficult than just deceiving a person who has access to all the necessary data. Therefore, it is not surprising that about 70% of all data leaks relate to types of social engineering attacks.

The most common targets of cybercriminals are state institutions, polyclinics, hospitals, universities, etc. It is such institutions that store a large layer of data for almost all residents of states.
- 3. There are more than two million phishing sites.
In 2021, Google recorded more than 2 million phishing sites. Thanks to them, the databases on the internet’s dark side are replenished at a rapid pace every year.
For example, in 2020, the databases of the dark internet were replenished with 20 million pieces of unique personal data.
Learn more about phishing attacks here.
- 4. More than 90% of phishing attacks use email.
Even though the total number of phishing sites on the internet increases every day, only 3% of phishing attacks are carried out through websites. About 1% are phone attacks.
All other cases are phishing by email. The most common words that cybercriminals use in emails are: urgent, request, important, payment, and attention.
Read about a famous email scam and be ready to protect yourself.
- 5. More than 40% of phishing attackers present themselves as Microsoft.
If a cybercriminal introduces himself as a representative of a well-known company, then his credibility with an ordinary person increases several times.
Microsoft, whose services are used by more than one billion people all over the world, is most often used as a trick to lull the vigilance of internet users.
After Microsoft is DHL, with about 18% of cybercrimes, as well as companies such as PayPal, LinkedIn, Google, and Chase.
- 6. The most common attachment in phishing emails are Windows files.
In more than 70% of cases, all files sent by malicious hackers to emails include Windows file attachments. Most often, it is disguised as a PDF, Excel, or Word file.
They can also use script files (11%) or compressed files (4%), but executable files are preferable because the program starts the moment you open it.
- 7. 18% of phishing victims lose money.
Unfortunately, social engineering is one of the most dangerous forms of cybercrime. And oddly enough, it is information that is the main engine of cybercriminals, not money as many think.
After a successful phishing attack, 60% of companies report data loss, 52% report compromised credentials, and 29% complain of malware infection, which ultimately damages the entire company’s computer network.
How to protect yourself from social engineering
The main way to protect against attacks using social engineering techniques is to increase user awareness. Only personal vigilance and a critical approach will allow you to recognize the threat of social engineering and signs of manipulation of your actions.

If we are talking about a company, then all employees should be warned about the danger of disclosing personal information and confidential information of the company and ways to prevent data leakage. It is best to implement this by developing clear instructions that specify what information can be provided to other persons (visitors, colleagues, technical support).
There are several simple rules that all users should strictly observe.
- Never tell anyone the usernames and passwords of your accounts. Even if they try to convince you that fulfilling an urgent and essential task depends on it, remember that bank employees do not have the right to request your bank card number, CVV/CVC code, and other information that allows you to debit funds.
- Do not download attachments and do not follow suspicious links in emails received even from people you know. Always check with the help of other available communication channels (phone calls, messages) that the letter’s sender is exactly who they claim to be.
- Before clicking on a link from a letter or message, hover the mouse cursor over it to see the real URL of the page.
- Lock your computer when you leave your workplace.
- Use strong and unique passwords for various services. Use password managers.
How can you come up with strong passwords? Read more here.
- Remember, only personal vigilance and a critical approach will protect you from attacks by social engineers.
Follow security tips to always stay protected from online threats.