Unmasking 2022's US social engineering scam toll
Social engineering, a tactic employed by hackers to manipulate individuals into divulging sensitive information or taking actions that compromise security, affects millions of people annually. These tactics often result in significant losses, such as the $8B reported in the US in 2022.
- In 2022, social engineering scams in the US resulted in nearly $8.3B in financial losses. Approximately 234K Americans fell victim to these scams, each losing an average of $35K.
- Investment fraud was the most financially devastating scam, resulting in losses of nearly $3B, which represents more than a third of all social engineering losses in the US in 2022. Over 23K people were deceived by false promises of significant profits and low risk. Next up are Business Email Compromise scams, which resulted in over $2.5B in losses in the US, and Tech Support fraud, which accounted for nearly $800M in losses.
- The most common social engineering scams among Americans involved situations where goods or services were sent but payment was not received (non-payment) or where payment was made but goods or services were not received or were of subpar quality (non-delivery). These scams affected over 47K victims, accounting for more than a fifth of all social engineering cases. Another prevalent method of deceiving Americans in 2022 was through fake technical or customer support schemes, which victimized almost 32K people.
- California took the lead in losses, totaling $1.8B, which accounted for more than 20% of the total losses in the US. On average, Californians experienced the highest individual losses, nearly $53K. Following closely behind, Florida claimed the second position with losses exceeding $740M, representing 9% of the total losses nationwide. Texas followed with $700M, New York with $600M, and Georgia with $280M.
Methodology and sources
This study utilized open-source information from the Federal Bureau of Investigation; it includes the 2022 Internet Crime Report’s data on internet crimes across 50 US states and the District of Columbia¹. Our analysis involved the aggregation of financial losses and victim counts related to social engineering crimes, from which we derived a novel metric: average financial losses per victim. To be classified as a social engineering fraud, a crime had to meet the following criteria: the object of the crime or attack was a material benefit, the subject of the attack was a person who incurred direct losses, the victim was deceived through psychological manipulation, and there was an active interaction between the scammer and the victim. Disclaimer: Some IC3 crimes, such as credit card fraud, may, in specific circumstances, employ social engineering techniques; this study does not exclude such crimes to maintain data integrity. For the complete research material behind this study, visit here.