Gitnux/Report 2026

Scam Statistics

With social engineering now appearing in 17% of breaches and phishing making up 36% of initial access incidents, the threat chain is getting more efficient even as defenses improve, including phishing resistant MFA designs meant to block phishing and replay. The page connects that with real-world harm levels, from UK Action Fraud’s 3.9 million scam reports in 2023 to research showing training and smart filtering can sharply reduce clicks and successful phishing, so you can see where prevention actually bites.
21Statistics
21Sources
8Sections
1Visuals
6mRead
17 days agoUpdated
Scam Statistics
Verified via a 4-step process
01Source

Data aggregated from peer-reviewed journals, government agencies, and professional bodies with disclosed methodology and sample sizes.

02Verify

Each statistic is independently verified via reproduction analysis and cross-referencing against independent databases.

03Grade

Figures are graded by cross-model consensus. Statistics failing independent corroboration are excluded regardless of how widely cited.

04Cite

Every figure carries a primary source. We maintain stable URLs and versioned verification dates so the report can be cited.

Read our full methodology →

Statistics that fail independent corroboration are excluded.

Next review Dec 2026
Scams operate like engineered campaigns, using phishing as a delivery method that accounted for 36% of initial access incidents in Verizon’s latest breach analysis. A U.S. survey found victims faced an average of 2.5 contact attempts before payment, showing how pressure escalates after first outreach. The pattern across recent datasets points to what defenses reduce fastest and where the same weak points keep returning.

Key Takeaways

  • In 2023, IC3 classified 33% of social engineering scams as 'imposter scams' in their fraud typology (IC3)
  • In 2024, Verizon’s Data Breach Investigations Report (DBIR) found social engineering involved in 17% of breaches (scam-related attack chain)
  • Verizon DBIR 2024 reported that phishing accounted for 36% of initial access incidents (scam delivery mechanism)
  • In a 2022 study, victims reported an average of 2.5 attempts to contact by scammers before they paid (U.S. survey)
  • The Center for Strategic and International Studies (CSIS) estimated global cybercrime costs at $8 trillion in 2019 and projected $10.5 trillion by 2025
  • A 2022 peer-reviewed paper estimates that online fraud harms consumer welfare significantly; the authors quantify average economic losses per victim at hundreds of dollars (cross-study)
  • IBM’s Cost of a Data Breach report (2024) found breaches averaged 277 days to identify and contain
  • Mandiant’s 2024 report on social engineering showed that credential theft led to compromise in 24% of observed intrusions (includes scam-related access)
  • A 2022 peer-reviewed study found that using machine-learning-based spam filtering reduced successful phishing emails by 90% in controlled experiments
  • In the U.K., 2.4 million fraud victims were recorded in 2023, reflecting a large share of reported scam-related harm.
  • In 2023, 45% of organizations reported experiencing phishing attempts targeting employees, according to a Microsoft Work Trend Index report.
  • In Cloudflare’s 2024 security report, automated attacks comprised 98% of Internet traffic observed on protected endpoints.
  • Google’s 2024 Transparency Report states that passkey adoption increased the share of sign-ins protected by phishing-resistant methods (passkeys) across supported accounts.
  • In a 2019 peer-reviewed study, security training combined with simulated phishing reduced click rates by 37% compared with control groups.
  • In a 2021 NBER working paper, simulated phishing and feedback interventions were associated with measurable reductions in reporting and risky behaviors over time.

From rising social engineering costs to stronger defenses, phishing and fraud remain widespread but protections can meaningfully cut harm.

02 · Category

Victim Impact1 stats

01
In a 2022 study, victims reported an average of 2.5 attempts to contact by scammers before they paid (U.S. survey)
Interpretation

Victim Impact Interpretation

From the victim impact perspective, a 2022 U.S. survey found that victims faced an average of 2.5 scam contact attempts before they finally paid, showing how repeated pressure can drive the payment decision.

03 · Category

Cost Analysis2 stats

01
The Center for Strategic and International Studies (CSIS) estimated global cybercrime costs at $8 trillion in 2019 and projected $10.5 trillion by 2025
02
A 2022 peer-reviewed paper estimates that online fraud harms consumer welfare significantly; the authors quantify average economic losses per victim at hundreds of dollars (cross-study)
Interpretation

Cost Analysis Interpretation

Cost analysis shows that global cybercrime is escalating from an estimated $8 trillion in 2019 to a projected $10.5 trillion, and that peer reviewed research in 2022 indicates online fraud inflicts substantial average economic losses on consumers.

04 · Category

Mitigation & Defenses3 stats

01
IBM’s Cost of a Data Breach report (2024) found breaches averaged 277 days to identify and contain
02
Mandiant’s 2024 report on social engineering showed that credential theft led to compromise in 24% of observed intrusions (includes scam-related access)
03
A 2022 peer-reviewed study found that using machine-learning-based spam filtering reduced successful phishing emails by 90% in controlled experiments
Interpretation

Mitigation & Defenses Interpretation

For Mitigation & Defenses, the data suggests that speeding up breach identification to under 277 days, preventing credential theft that drives 24% of intrusions, and using machine learning spam filtering that cuts successful phishing by 90% can dramatically reduce real-world scam impact.

05 · Category

Consumer Impact1 stats

01
In the U.K., 2.4 million fraud victims were recorded in 2023, reflecting a large share of reported scam-related harm.
Interpretation

Consumer Impact Interpretation

In the U.K., 2.4 million fraud victims were recorded in 2023, underscoring how consumer impact scams represent a massive, real-world source of reported harm.

06 · Category

Attack Patterns2 stats

01
In 2023, 45% of organizations reported experiencing phishing attempts targeting employees, according to a Microsoft Work Trend Index report.
02
In Cloudflare’s 2024 security report, automated attacks comprised 98% of Internet traffic observed on protected endpoints.
Interpretation

Attack Patterns Interpretation

For the Attack Patterns angle, phishing remains a dominant human-targeting threat with 45% of organizations reporting employee-targeting attempts in 2023, while at the same time automated attacks make up 98% of Internet traffic seen on protected endpoints.

07 · Category

Mitigation Effectiveness4 stats

01
Google’s 2024 Transparency Report states that passkey adoption increased the share of sign-ins protected by phishing-resistant methods (passkeys) across supported accounts.
02
In a 2019 peer-reviewed study, security training combined with simulated phishing reduced click rates by 37% compared with control groups.
03
In a 2021 NBER working paper, simulated phishing and feedback interventions were associated with measurable reductions in reporting and risky behaviors over time.
04
In a 2016 peer-reviewed study, multi-factor authentication reduced successful phishing and credential theft outcomes by about 50% compared with single-factor authentication.
Interpretation

Mitigation Effectiveness Interpretation

Across mitigation tactics, the evidence shows phishing risk can drop substantially with the right controls, including about a 50% reduction from multi factor authentication and a 37% lower click rate when combining security training with simulated phishing, reinforcing that mitigation effectiveness is strongly tied to phishing resistant protection and behavioral interventions.

08 · Category

Regulation & Reporting5 stats

01
In NIST SP 800-63-3, the publication specifies that phishing-resistant MFA (e.g., FIDO2/WebAuthn) is intended to resist phishing and replay attacks.
02
In the UK, Action Fraud’s fraud reporting service received 3.9 million reports in 2023.
03
In 2024, the UK’s Online Safety Act introduced statutory duties for platforms to mitigate fraudulent content including scams.
04
In the EU, the Digital Services Act (DSA) entered into force in 2022, establishing risk assessments and mitigation obligations for illegal content such as scams.
05
In 2024, the EU’s Anti-Money Laundering package included new rules targeting scams by strengthening customer due diligence and beneficial ownership checks.
Interpretation

Regulation & Reporting Interpretation

As 2023 saw Action Fraud receive 3.9 million scam reports and 2024 brought the UK Online Safety Act’s new statutory platform duties, regulators are clearly tightening Regulation & Reporting frameworks while the EU strengthens DSA and anti money laundering obligations to assess and mitigate scam risk.
report visual · Key figures

What scam methods look like in the data

Across major reports, phishing and social-engineering tactics appear frequently in common breach and intrusion pathways.

17%
In 2024, Verizon’s Data Breach Investigations Report (DBIR) found social engineering involved in 17% of breaches (scam-r
36%
Verizon DBIR 2024 reported that phishing accounted for 36% of initial access incidents (scam delivery mechanism)
24%
Mandiant’s 2024 report on social engineering showed that credential theft led to compromise in 24% of observed intrusion
45%
In 2023, 45% of organizations reported experiencing phishing attempts targeting employees, according to a Microsoft Work
33%
In 2023, IC3 classified 33% of social engineering scams as 'imposter scams' in their fraud typology (IC3)
90%
A 2022 peer-reviewed study found that using machine-learning-based spam filtering reduced successful phishing emails by
source-verifiedverizon.com · cloud.google.com · microsoft.com · ic3.gov · ieeexplore.ieee.org2024
Reference

Cite This Report

This report is designed to be cited. We maintain stable URLs and versioned verification dates. Copy the format appropriate for your publication below.

APA
James Okoro. (2026, February 13). Scam Statistics. Gitnux. https://gitnux.org/scam-statistics
MLA
James Okoro. "Scam Statistics." Gitnux, 13 Feb 2026, https://gitnux.org/scam-statistics.
Chicago
James Okoro. 2026. "Scam Statistics." Gitnux. https://gitnux.org/scam-statistics.