Social engineering is one of the biggest threats an organization faces.
Social engineering comes in many forms, such as phishing, spear phishing, BEC attacks, smishing, pretexting, baiting, vishing, and deepfakes, with each sharing a common goal of manipulating individuals into disclosing sensitive information.
One such example cost a multinational firm $25 million with a single click.
A Hong Kong-based finance worker was scammed into transferring over $25 million by a deepfake that impersonated the company’s CFO during a video conference call. The firm’s CFO had directed the employee to transfer over $25 million to multiple bank accounts. Despite initial hesitation, the employee complied and processed the request, unknowingly falling for a highly sophisticated deepfake.
Wait until you see how else employees and even IT leaders fell for social engineering tactics, and how you can take proactive security measures to safeguard your organization from attacks.
Here are 25 social engineering statistics from 2025 to learn from.
Social Engineering Statistics 2025: A Year in Rewind
- 63% of cybersecurity and IT professionals cite AI-driven social engineering as the top cyber threat to their organization in 2026. The 2026 Tech Trends & Priorities Pulse Poll
- 80% of organizations rank social engineering as the number one human-related risk. SANS Institute
- Social engineering attacks led to data exposure in 60% of cases, 16% higher than any other initial access vector. 2025 Unit 42 Global Incident Response Report: Social Engineering Edition
- 23% of social engineering attacks involved callback or voice-based techniques (“Vishing). 2025 Unit 42 Global Incident Response Report: Social Engineering Edition
- At least 55% of suspected SMS phishing (“smishing”) messages contained malicious URLs. Proofpoint
- Pretexting accounted for over 50% of all social engineering incidents. 2025 Verizon DBIR
- Lack of or insufficiently deployed MFA accounted for 10% of social engineering success. 2025 Unit 42 Global Incident Response Report: Social Engineering Edition
Deepfakes: The New Era of Social Engineering
- Over 5% of organizations have lost $1 million or more to deepfake-related incidents. IRONSCALES Fall 2025 Threat Report
- 62% of organizations reported experiencing a deepfake attack involving social engineering or automated process exploitation. KnowBe4
- 85% of IT and cybersecurity professionals report that their organizations experienced one or more incidents in the past 12 months. IRONSCALES Fall 2025 Threat Report
- Email-based deepfake attacks are tied with static image manipulation as the most common threat vector, at 59% each. IRONSCALES Fall 2025 Threat Report
Social Engineering: When Employees Become Easy Targets
- 45% of social engineering attacks impersonated internal personnel to build trust. 2025 Unit 42 Global Incident Response Report: Social Engineering Edition
- 6.5% of employees have provided sensitive information in vishing calls. Keepnet
- More than 382,000 MFA fatigue attacks occurred over a 12‑month period. SmarterMSP
The Inbox: An Attacker’s Choice for Social Engineering
- There was a 15% increase in BEC emails in 2025, Year over year (YoY). LevelBlue
- AI-driven phishing attacks soared 204% in 2025. The European
- Over 89% of BEC attacks involve CEO fraud. LastPass
- 65% of social engineering attacks involved phishing. 2025 Unit 42 Global Incident Response Report: Social Engineering Edition
- AI-generated spear phishing emails achieved a 54% click-through rate (CTR). Malwarebytes
- Organizations with fewer than 1,000 employees have a 70% weekly probability of experiencing at least one BEC attack. LastPass
- There were over 4.2 million QR code phishing threats in the first half of 2025. Proofpoint
- Spear phishing attacks achieve 53% CTR vs. 18% for traditional phishing campaigns. Email Threat Trends Report: 2025 Q2
- 39% of IT leaders worldwide have been targeted by a phishing attack in the last 12 months. Arctic Wolf
- 21% of global IT leaders have clicked on a phishing link at least once without reporting it. Arctic Wolf
- Gmail was the most preferred email service provider, comprising over 65% of all BEC addresses used. LevelBlue
Check out our other cybersecurity threat-related statistics blogs and key findings here:
Small Business Cyberattacks Rise in 2025: Guardz Mid-Year Findings
31 Ransomware Statistics MSPs Cannot Ignore in 2026
33 Phishing Statistics in 2025 Every MSP Should Know About
Prevent Social Engineering Attacks with Guardz
Whether through CFO impersonation or traditional phishing campaigns, organizations must enhance identity controls, user verification processes, and employee security awareness training to prevent social engineering from compromising financial assets and sensitive data.
And the first place to begin is with your inbox.
The Guardz unified platform provides MSPs with advanced email security protection against common inbox threats, including phishing and BEC. Guardz integrates Check Point Harmony (formerly Avanan) to deliver impersonation detection that analyzes sender behavior and performs deep inspection of suspicious embedded links and attachments that may contain malware.
Protect your organization from social engineering attacks with Guardz. Start here
