Social engineering is now the dominant doorway into corporate networks. The 2025 Unit 42 Global Incident Response Report: Social Engineering Edition found that 36% of all incidents Palo Alto Networks responded to between May 2024 and May 2025 began with a social engineering tactic, with 86% of those incidents causing measurable business disruption. Voice phishing, also called vishing, exploded by 442% between the first and second halves of 2024 alone, according to the CrowdStrike 2025 Global Threat Report. And the human element remains involved in roughly 60% of all confirmed breaches, per the Verizon 2025 Data Breach Investigations Report. The numbers below are the ones IT, security, and compliance leaders should expect to see cited in 2026 board decks, audit prep, and incident retros.
Summary: key social engineering statistics at a glance
- 36% of all incident response cases in 2025 began with a social engineering tactic, per the Unit 42 Social Engineering Edition report.
- 442% increase in vishing (voice phishing) between H1 and H2 of 2024, according to CrowdStrike.
- 60% of confirmed breaches involve a human element such as error, manipulation, or misuse (Verizon 2025 DBIR).
- $2.77 billion was lost to business email compromise across 21,442 complaints in 2024, making BEC the second-costliest cybercrime tracked by the FBI IC3.
- $4.8 million is the average cost of a phishing-initiated breach, the costliest initial-access vector tracked by IBM.
- 1 in 6 breaches in 2025 involved attackers using AI, most commonly for phishing (37%) and deepfake impersonation (35%), per IBM Cost of a Data Breach 2025.
- 1.13 million phishing attacks were recorded in Q2 2025 alone, a 13% quarterly increase (APWG Phishing Activity Trends).
- 33% quarter-over-quarter jump in wire-transfer BEC attacks observed in Q1 2025 (APWG).
- 66% of social engineering incidents targeted privileged accounts, and 45% involved impersonating internal personnel (Unit 42, 2025).
- $25 million was siphoned from engineering firm Arup in a single deepfake video call, per Fortune.

How often social engineering happens in 2026
Social engineering is no longer a niche pretext step inside a wider attack. It is the attack. The Unit 42 Social Engineering Edition analyzed more than 700 incidents that Palo Alto Networks responded to between May 2024 and May 2025 and found that 36% of all cases began with a social engineering tactic. Of those, 65% started with phishing, while the remainder leaned on non-phishing techniques like SEO poisoning, fake system prompts, callback scams, and help desk manipulation.
Volume tells the same story. The Anti-Phishing Working Group recorded 1,003,924 phishing attacks in Q1 2025 and 1,130,393 in Q2 2025, a 13% quarter-over-quarter increase. APWG members observed phishing attacks against more than 700 distinct brands every quarter through 2025, with financial services and online payment platforms representing roughly 31% of all targets.
The Verizon 2025 DBIR looked at 22,000-plus security incidents and 12,195 confirmed breaches and split social engineering into three separately tracked initial-access categories: phishing (16% of breaches), credential abuse (13%), and pretexting (6%). Pretexting, the core technique behind BEC, has nearly doubled in tracked frequency over the past two reporting cycles and now overtakes phishing inside the BEC subset specifically.
Business email compromise: where the dollars go
BEC is still the costliest social engineering category by reported dollar volume, even though it makes up a small share of total complaints. The FBI Internet Crime Complaint Center 2024 Annual Report logged 21,442 BEC complaints in 2024 with reported losses of $2.77 billion. That makes BEC the second-costliest internet crime category, behind only investment fraud, and it accounts for more than 17% of the $16.6 billion in total cybercrime losses reported to the FBI last year.
The trajectory is not slowing. The APWG observed a 33% quarter-over-quarter increase in wire-transfer BEC attacks in Q1 2025, reversing a brief late-2024 decline. The average amount requested in a wire-transfer BEC attempt was $128,980 in Q4 2024, nearly double the $67,145 average from the previous quarter. In other words, attackers are sending fewer but bigger asks, calibrated against larger finance team approval thresholds.
Inside the Verizon dataset, BEC and pretexting attacks accounted for roughly a quarter of all financially motivated breaches. The Verizon 2025 DBIR also flagged prompt-bombing, in which users are flooded with multifactor authentication prompts until they approve one out of fatigue, as a factor in 14% of investigated incidents. Prompt-bombing is now common enough that Verizon treats it as a distinct social engineering subcategory rather than a one-off footnote.
Vishing, smishing, and the non-email vectors
Email is no longer where most social engineering creativity lives. The CrowdStrike 2025 Global Threat Report documented a 442% increase in vishing campaigns between H1 and H2 of 2024, fueled by generative AI voice cloning that closes the language and accent gap attackers used to struggle with. CrowdStrike tracked at least six distinct campaigns in which threat actors posed as IT support staff and called users directly to persuade them into establishing remote support sessions. In at least four of those campaigns, attackers paired the call with a "spam bombing" tactic, flooding the target with thousands of emails to make the help desk pretext more plausible.
Help desk manipulation is now a recognizable attack pattern. The Unit 42 report found that 66% of social engineering attacks went after privileged accounts, 45% involved impersonation of internal personnel, and 23% used callback or other voice-based techniques. The MGM Resorts and Caesars Entertainment breaches in September 2023, both attributed to the Scattered Spider group, took roughly 10 minutes of vishing a service desk to gain initial access. MGM disclosed a $100 million hit to its 2023 third-quarter results, and Caesars reportedly paid the attackers around $15 million.
Browser-based and SEO-driven attacks round out the non-email picture. The Microsoft Digital Defense Report 2025 named "ClickFix" the most common initial access technique in late 2024 and 2025, present in 47% of identity-related intrusions Microsoft tracked. ClickFix tricks users into pasting attacker-controlled commands into their own terminals under the guise of resolving a CAPTCHA or browser error. Microsoft also flagged device-code phishing, where users enter a seemingly legitimate device code into a real Microsoft sign-in page and unknowingly hand attackers access and refresh tokens with no password theft required.
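The prompt-bombing pattern described in the BEC section and the device-code phishing pattern above both leave a footprint in identity logs. The script below is an added illustration (not from the original article or from any vendor named in it) that runs two simple detections over constructed sign-in records: a burst of denied or ignored MFA pushes ending in an approval, and device-code-flow sign-ins from an unfamiliar source. The log format, field names, thresholds and IP allow-list are all assumptions chosen for the example.

```python
"""Two identity-log detections: MFA prompt-bombing and device-code sign-ins."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry.
# Fields: timestamp user event result auth_flow source_ip
SAMPLE_LOG = """\
2026-01-14T09:00:01Z alice mfa_push denied interactive 203.0.113.5
2026-01-14T09:00:40Z alice mfa_push denied interactive 203.0.113.5
2026-01-14T09:01:15Z alice mfa_push timeout interactive 203.0.113.5
2026-01-14T09:01:50Z alice mfa_push denied interactive 203.0.113.5
2026-01-14T09:02:30Z alice mfa_push approved interactive 203.0.113.5
2026-01-14T09:05:00Z bob mfa_push approved interactive 198.51.100.7
2026-01-14T10:12:00Z carol signin success device_code 192.0.2.44
2026-01-14T11:00:00Z bob signin success interactive 198.51.100.7
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, event, result, flow, ip = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "user": user, "event": event, "result": result,
                     "flow": flow, "ip": ip})
    return rows

def prompt_bombing(rows, threshold=3, window=timedelta(minutes=5)):
    """Return {user: n} for users who denied or ignored >= threshold pushes
    within `window` and then approved one: the fatigue-approval signature."""
    by_user = defaultdict(list)
    for r in rows:
        if r["event"] == "mfa_push":
            by_user[r["user"]].append(r)
    flagged = {}
    for user, pushes in by_user.items():
        pushes.sort(key=lambda r: r["ts"])
        for i, p in enumerate(pushes):
            if p["result"] != "approved":
                continue
            prior = [q for q in pushes[:i] if p["ts"] - q["ts"] <= window
                     and q["result"] in ("denied", "timeout")]
            if len(prior) >= threshold:
                flagged[user] = len(prior)
    return flagged

def device_code_signins(rows, known_ips):
    """Device-code flow is legitimate for headless devices, so the signal is
    the flow plus an unfamiliar source IP, not the flow by itself."""
    return [(r["user"], r["ip"]) for r in rows
            if r["event"] == "signin" and r["flow"] == "device_code"
            and r["ip"] not in known_ips]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(prompt_bombing(rows))                         # {'alice': 4}
    print(device_code_signins(rows, {"198.51.100.7"}))  # [('carol', '192.0.2.44')]
```

In production the same logic would read the identity provider's sign-in export rather than an inline string, and the allow-list would come from known corporate egress ranges.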
AI-powered social engineering and deepfakes
The single biggest 2026 shift is the operationalization of generative AI on the attacker side. According to IBM’s Cost of a Data Breach 2025, 1 in 6 breaches now involves attackers using AI, with 37% of those incidents using AI to draft phishing emails and 35% using AI for deepfake impersonation. Generative AI has cut the time required to write a convincing phishing message from roughly 16 hours of manual research to about 5 minutes.
Deepfakes have moved from proof-of-concept to live cash extraction. Fortune reported in May 2024 that British engineering firm Arup lost roughly $25 million when a finance employee in its Hong Kong office was invited into a video call where every other attendee, including a person presenting as the company’s UK-based CFO, was an AI-generated deepfake. The employee made 15 separate transfers to five Hong Kong bank accounts before standard post-transaction follow-up exposed the fraud. As of early 2026, the funds remain unrecovered.
Microsoft saw the same pattern in identity proofing flows. Microsoft reported that the use of AI-generated identity documents grew 195% globally year over year, with deepfakes increasingly used to bypass remote identity verification and customer support authentication, and in tech support scams. More than 97% of identity-related attacks Microsoft tracked are password attacks at root, but the social engineering layer wrapped around them is now AI-augmented. The same report notes that MFA still blocks more than 99% of identity-based attacks, but only 1.5% of attempted logins with correct credentials were stopped by MFA, suggesting attackers are simply phishing or bypassing the second factor more often than overpowering it.
What social engineering actually costs
Phishing remains the costliest initial-access vector tracked by IBM, with an average breach cost of $4.8 million in 2025. The global average across all breach types fell to $4.44 million, down 9% from $4.88 million in 2024, mostly because organizations with extensive security AI and automation deployment cut their breach lifecycle by an average of 80 days and saved roughly $1.9 million per incident.
The business disruption picture matters as much as the cost figure. Unit 42 found that 86% of social engineering incidents in its 2025 caseload caused some form of business disruption, ranging from operational downtime to reputational damage to regulatory exposure. Detection lags are still the cost driver: IBM put the mean time to identify and contain a breach at 241 days globally in 2025, and breaches that ran past the 200-day mark cost on average 24% more than those caught earlier.
Cybercrime losses overall set a new record in 2024. The FBI IC3 received 859,532 complaints with reported losses of $16.6 billion, a 33% increase over 2023. Social engineering-adjacent crimes (BEC, tech support fraud, investment scams that begin with relationship-building messages, and personal data breaches) together account for the majority of that total.
Emerging trends: what is new in 2026
Three patterns are worth flagging for 2026 planning. First, traditional awareness training is hitting a ceiling. The Verizon DBIR research team observed that phishing click-through failure rates were largely unmoved by traditional training programs, and the median time for a user to fall for a phishing email is now under 60 seconds (21 seconds to click, 28 seconds to submit credentials). Training as a sole control is misallocating budget.
Second, attackers are moving outside email faster than defenders are extending their controls. Unit 42 reported that more than one-third of 2025 social engineering incidents used non-phishing methods. CrowdStrike described callback phishing, vishing, and help desk impersonation as the new primary entry points for high-value intrusions. Security teams whose detection stack still indexes heavily on email gateway telemetry are blind to a growing share of real-world attack volume.
Third, AI is starting to compound the problem on both sides. IBM found that 97% of AI-related breaches occurred at organizations without AI access controls, and 63% of organizations still lack any formal AI governance policy. Microsoft described AI-generated content as making personalized lures, voice clones, and adaptive multi-turn interactions practical at scale. Defenders without AI-assisted detection or browser-level controls are operating at a structural disadvantage.
For broader context on the trends above, see our phishing statistics and security awareness training statistics roundups.
How swif.ai helps defend against social engineering
swif.ai gives IT and security teams a single console to enforce device, identity, and compliance controls across the macOS, Windows, and Linux endpoints behind the numbers above. Explore swif.ai mobile device management to see how it works.