
2026 Verizon DBIR: Voice and SMS Phishing Decoded

The 2026 Verizon DBIR covers 31,000+ incidents and 22,000+ confirmed breaches. For the first time, it measures voice and SMS phishing simulation results. Phone-centric simulations show a 40 percent higher click rate than email. Here's what security teams need to act on now.

Ozan Ucar, Founder and CEO, Keepnet

2026 Verizon Data Breach Investigations Report analysis by Keepnet Labs

Key Takeaways

  • The 2026 Verizon Data Breach Investigations Report covers 31,000+ security incidents and 22,000+ confirmed breaches across 145 countries (source: Verizon 2026 DBIR, p. 5).
  • For the first time at scale, the DBIR measures voice and SMS phishing simulation results. Phone centric simulations show a median click rate of 2 percent, compared to 1.4 percent for email simulations, a 40 percent gap (source: Verizon 2026 DBIR, p. 50).
  • Exploitation of vulnerabilities is now the leading initial access vector at 31 percent, overtaking credential abuse for the first time (source: Verizon 2026 DBIR, p. 10).
  • Ransomware grew to 48 percent of all breaches, although 69 percent of victims refused to pay (source: Verizon 2026 DBIR, p. 11).
  • Keepnet contributed voice and SMS phishing simulation data to the 2026 Verizon DBIR, helping inform the report's expanded coverage of mobile centric social engineering.

The 2026 Verizon DBIR landed this week. It's their 19th edition and their largest dataset ever: 31,000+ incidents, 22,000+ confirmed breaches, 145 countries (source: Verizon 2026 DBIR, p. 5).

Most years there's one finding everyone repeats on LinkedIn for a week. This year there are two. The loud one is on page 10: exploitation of vulnerabilities is now the leading initial access vector at 31 percent, up from 20 percent last year. The quiet one is harder to spot but probably more strategically important if you run an awareness programme. The 2026 DBIR finally puts voice and SMS phishing on the scoreboard, and the numbers aren't comfortable.

This post walks through what changed and what security teams should pay attention to now.

One disclosure before we go further. Keepnet contributed voice and SMS phishing simulation data to the 2026 Verizon DBIR, helping inform the report's expanded coverage of mobile centric social engineering. Our name is on the contributors list on page 118.

Verizon treats every contributor equally in their public materials and we respect that, so this post sticks to what's in the report. Findings get cited with exact statistics and page numbers. Verify anything yourself.

The headline most people missed

Page 50 has a sentence most readers will skim past. If you run a security awareness programme, it should stop you in your tracks.

The report compares the success rate of email phishing simulations against simulations run over voice and SMS. Median click rate for email simulations: 1.4 percent. Median for phone centric simulations: closer to 2 percent (source: Verizon 2026 DBIR, p. 50). That's a 40 percent gap. Verizon's own words: "the median click rate of email phishing simulation campaigns is 1.4 percent, we see the median rate of simulations on phone centric methods is closer to 2 percent... That is an increase of 40 percent in the median click rate between those vectors."

If your awareness programme only measures email click rates, you're tracking the test your people pass more easily. The harder one isn't being measured at all. Practically: across the campaigns in the sample, the median phone centric simulation caught roughly 40 percent more of its recipients than the median email simulation did. Two caveats a practitioner should carry with that number: both rates are small in absolute terms (the gap is 0.6 percentage points), and the comparison is between campaign level medians, so it says nothing about any individual employee's odds.

Verizon is candid about the sample. Voice and SMS simulation data is small, n=35 campaigns in the cited figure. The team writes that they "struggled to find companies doing simulations of voice- and text message based campaigns, which leads to this small-ish sample size. We hope that, for the 2027 DBIR, we will be able to collect more data" (source: Verizon 2026 DBIR, p. 50). That admission tells you how new this measurement is, and it also means the 40 percent figure carries wide uncertainty until the sample grows. Most awareness programmes simply weren't measuring this channel.

A couple of things follow. If you're not running vishing simulations, you're missing the harder test entirely, which means you're flying blind on the channel that's catching more of your people. If you are running them, your benchmarks will read worse than your email numbers. Don't read that as programme failure. That's the actual exposure surface finally being measured.

We have been grading awareness on the easier test for years. The DBIR finally measured the harder one.
Ozan Ucar
Founder and CEO, Keepnet
We are seeing a clear increase in voice and SMS phishing attacks targeting executives, finance teams, and IT helpdesks. What made the difference for us was being able to run simulations and then train the people who were actually being targeted.
Yasar Geren
Director and Extended Executive Committee Member, AXA Insurance

Phishing and Pretexting are not the same thing

The DBIR team makes a methodology point on page 16 that matters for anyone designing controls. In the VERIS framework, Phishing and Pretexting are different actions. Phishing is asynchronous: the attacker sends a message and waits. Pretexting is synchronous: the attacker is on the line with you, in a Teams chat, on a phone call, in a live thread, manipulating in real time (source: Verizon 2026 DBIR, p. 16).

Pretexting reached 6 percent of all breaches as an initial access vector this year, up enough to warrant its own line on the chart for the first time (source: Verizon 2026 DBIR, p. 10). The report is explicit that the countermeasures are different. Anti phishing email training does not teach a help desk agent to refuse to help an attacker who calls in claiming to be a stranded executive. The report puts it directly: "training IT help desks and customer support agents to not be helpful and supportive in cases when a threat actor is trying to manipulate them is not as simple as 'check if the email is external'" (source: Verizon 2026 DBIR, p. 16).

In the cases we see, the help desk impersonation pattern is now the most common initial scenario in ransomware breaches that begin with social engineering. The 2026 DBIR documents the same pattern on page 51. Attackers manufacture a fake IT emergency, signing employees up for spam services to flood their inbox. A "helpful" external chat request then arrives via Microsoft Teams, the attacker posing as IT support offers to fix the problem, the employee shares their desktop, and the breach begins (source: Verizon 2026 DBIR, p. 51).

A few patterns we notice in the field. The calls cluster around shift handovers, 15 to 30 minutes either side of 9am or 5pm, when temporary cover sits on the phones and procedures bend. The giveaway is rarely the request itself. It's usually a small mismatch in technical detail. The caller knows your ticketing system by name but not the version, or refers to a Teams permission flow your organisation hasn't used in two years. Inbound caller ID proves nothing, because it is trivially spoofed, and calling back a number the caller offers simply reconnects you to the attacker. The defence that holds up is calling back via a number the employee finds independently in the corporate directory, not the number the caller offers or the one displayed on the inbound call.

The countermeasure stack for this looks nothing like a phishing filter. It looks like written rules for IT help desks on what they will and will not do over voice or chat, identity verification flows that don't depend on the caller knowing internal details, and simulation training that includes phone calls, not just emails. The 2026 DBIR makes the case for this category of control directly, which until now had been an opinion looking for a primary source.
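One way to write those help desk rules down so they can be enforced rather than remembered, as an added example that is not code from the DBIR or from Keepnet's product: a small verification policy in which nothing the caller supplies (displayed caller ID, an offered callback number, recited ticket numbers or tool names) counts as evidence. Every required step is derived from the directory entry for the claimed identity, and a high risk action such as an MFA reset or a remote session needs an approver as well. The risk tiers, field names, channel names and the directory entries are illustrative assumptions, not an actual organisation's procedure.

```python
"""Help desk identity verification that ignores everything the caller supplies.

Added example (not from the DBIR, not Keepnet's product). Required steps are
chosen from the directory record of the claimed user, never from the caller.
Risk tiers, channel names and directory entries are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed risk tiers. Tier 2 actions are what the help desk impersonation
# pattern is after: a re-enrolled MFA device or a remote session hands over the account.
RISK_TIER = {
    "password_reset": 1,
    "unlock_account": 1,
    "mfa_reset": 2,
    "enrol_new_device": 2,
    "remote_desktop_session": 2,
}

# Channels on which account actions may be requested at all (assumption).
ACCEPTED_CHANNELS = {"phone", "teams_internal", "ticket_portal"}


@dataclass(frozen=True)
class DirectoryEntry:
    user_id: str
    directory_phone: str   # the number the help desk dials; found by the agent, not given by the caller
    enrolled_device: str   # device already registered for one-time codes
    manager_id: str        # approver for tier 2 actions


@dataclass(frozen=True)
class Request:
    claimed_user_id: str
    action: str
    inbound_channel: str
    caller_id: str = ""                 # as displayed; spoofable, never used as evidence
    offered_callback_number: str = ""   # never dialled
    recited_details: tuple = ()         # ticket IDs, tool names: not evidence either


@dataclass
class Decision:
    allowed: bool
    required_steps: list = field(default_factory=list)  # still outstanding
    reasons: list = field(default_factory=list)


def verify(req: Request, directory: dict[str, DirectoryEntry],
           completed_steps: frozenset = frozenset()) -> Decision:
    """Decide whether the help desk may perform req.

    completed_steps holds tokens the agent records after performing a step, e.g.
    "callback:+1-555-0100". Because the required token embeds the directory
    value, a callback to a caller-supplied number can never satisfy it.
    """
    d = Decision(allowed=False)
    if req.action not in RISK_TIER:
        d.reasons.append(f"unknown action {req.action!r}: refuse and escalate")
        return d
    if req.inbound_channel not in ACCEPTED_CHANNELS:
        d.reasons.append(f"channel {req.inbound_channel!r} is not accepted for account actions")
        return d
    entry = directory.get(req.claimed_user_id)
    if entry is None:
        d.reasons.append("claimed identity not found in directory")
        return d

    # Evidence the help desk obtains on its own initiative, from directory data.
    steps = [f"callback:{entry.directory_phone}", f"otp:{entry.enrolled_device}"]
    if RISK_TIER[req.action] >= 2:
        steps.append(f"approval:{entry.manager_id}")

    # Things the caller supplied are logged for the record but change nothing.
    if req.offered_callback_number and req.offered_callback_number != entry.directory_phone:
        d.reasons.append("caller offered a callback number that differs from the directory; ignored")
    if req.caller_id == entry.directory_phone:
        d.reasons.append("caller ID matches the directory but is spoofable; not counted")
    if req.recited_details:
        d.reasons.append("internal details recited by the caller are not evidence; not counted")

    d.required_steps = [s for s in steps if s not in completed_steps]
    d.allowed = not d.required_steps
    if d.allowed:
        d.reasons.append("all verification steps completed on help desk initiated channels")
    return d


# Constructed directory for the example.
DIRECTORY = {
    "asmith": DirectoryEntry("asmith", "+1-555-0100", "asmith-phone-01", "jdoe"),
}

if __name__ == "__main__":
    req = Request("asmith", "mfa_reset", "phone", caller_id="+1-555-0100",
                  offered_callback_number="+1-555-0199",
                  recited_details=("ServiceNow", "INC0012345"))
    print(verify(req, DIRECTORY))
    print(verify(Request("asmith", "remote_desktop_session", "teams_external"), DIRECTORY))
```

The design point is the step token. An agent under time pressure who calls the number the attacker offered and ticks "callback done" still cannot close the request, because the outstanding step reads "callback:" followed by the directory number, and the agent has to dial that one. An external Teams chat asking for a remote session is refused before any verification starts, which is the scenario the report describes on page 51.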

Email controls don't help much once the attacker has someone on the phone.
Ozan Ucar
Founder and CEO, Keepnet

Vulnerability exploitation took the throne

The most shared finding this year is on page 10. Exploitation of vulnerabilities is now the most common known initial access vector in non Error, non Misuse breaches at 31 percent, up from 20 percent last year (source: Verizon 2026 DBIR, p. 10). Credential abuse, the previous leader, dropped to 13 percent as the recorded initial vector. Some of that shift is methodological: Pretexting was added as a separate tracked initial vector and absorbed cases that previously rolled into credential abuse (source: Verizon 2026 DBIR, p. 16). Credential abuse anywhere in the attack chain is still present in 39 percent of breaches.

CISA KEV remediation also went the wrong way. Only 26 percent of CISA KEV vulnerabilities were fully remediated in 2025, down from 38 percent the year before, with the median time to patch rising from 32 to 43 days (source: Verizon 2026 DBIR, p. 11, 17). More to patch, longer to patch it, fewer getting closed. We'll cover the vulnerability management implications in a separate piece.

Ransomware is up, ransom payments are down

Ransomware appeared in 48 percent of all breaches this year, up from 44 percent in 2025 (source: Verizon 2026 DBIR, p. 11). It remains the dominant disruptive event type. Of breaches with sufficient detail about organisation size, 96 percent of ransomware victims were SMBs (source: Verizon 2026 DBIR, p. 98). If you operate a small or mid sized business and you think ransomware is a problem for hospitals and Fortune 500 enterprises, the data disagrees with you.

The optimistic part is that organisations are increasingly refusing to pay. 69 percent of ransomware victims did not pay this year (source: Verizon 2026 DBIR, p. 11). The median ransom paid, where payment did occur, fell to $139,875 from $150,000 last year. Pressure on victims is going up. Willingness to pay is going down. Both at once, which says something about where the leverage in ransomware negotiations is shifting.

Third party involvement in breaches is the other story to watch. It is now present in 48 percent of breaches, a 60 percent increase from the previous dataset (source: Verizon 2026 DBIR, p. 11). The Jaguar Land Rover ransomware event last year is the case study most readers will recognise: an estimated £1.9 billion economic loss, five weeks of business interruption, downstream impact on approximately 5,000 entities in the supply chain (source: Verizon 2026 DBIR, p. 105). Third party MFA hygiene is particularly weak. Only 23 percent of third party organisations fully remediated missing or improperly secured MFA on their cloud accounts within the measurement window (source: Verizon 2026 DBIR, p. 11).

Generative AI is real, but quieter than the headlines

The 2026 DBIR puts numbers on something most CISOs have been guessing at. Threat actors use GenAI across the attack chain, with a median actor researching or using AI assistance across 15 different ATT&CK techniques (source: Verizon 2026 DBIR, p. 12). The framing the report uses is worth pausing on. AI assisted malware mostly replicates existing techniques. The median ATT&CK technique observed in AI assisted malware has 55 known malware examples doing the same work. Less than 2.5 percent of AI assisted malware observations involved techniques with one or fewer prior examples (source: Verizon 2026 DBIR, p. 12).

The reading is that AI is a scale and speed multiplier, not yet a category inventor. The defensive playbook doesn't have to be rewritten from scratch. It has to run faster, at greater scale, and with better measurement of how people react to AI augmented attempts.

The Shadow AI numbers, separately, are worth a longer look in a follow up piece. 45 percent of employees now access AI on their corporate devices regularly, up from 15 percent the year before (source: Verizon 2026 DBIR, p. 13).

Industry breakdowns: where the patterns shift

The DBIR's industry chapters reward careful reading. A few highlights that matter for awareness programme planning.

Financial Services and Insurance (NAICS 52)

System Intrusion has held the top spot since 2022. Phishing is the second initial access vector at 20 percent. Human element is involved in 65 percent of breaches in this sector (source: Verizon 2026 DBIR, p. 84). The pattern is mature and consistent: ransomware driven intrusions powered by phishing, exploit, and stolen credentials.

Healthcare (NAICS 62)

Healthcare's pattern hasn't moved much in over a decade. Miscellaneous Errors has been in the sector's top three every year since 2014, dominated by Misdelivery and Loss (source: Verizon 2026 DBIR, p. 86). What's changed is that System Intrusion now sits above it, driven by ransomware, with phishing as the second initial access vector at 14 percent. The operational reality most healthcare CISOs describe is the same: the breach isn't the part that surprises them. The Tuesday morning patient data fax sent to the wrong number is.

Manufacturing (NAICS 31-33)

Ransomware turned up in 61 percent of malware breaches in this sector. Exploitation of vulnerabilities and stolen credentials each appear in 41 percent of breaches. Third party involvement runs unusually high at 61 percent (source: Verizon 2026 DBIR, p. 88-89). Asahi Group Holdings in late 2025 is the case study most operations leaders will recognise. Production halted, shipments suspended, supply chain knock-on effects rippling for weeks.

Public Administration (NAICS 92)

The most human driven sector in the dataset. Human element shows up in 69 percent of breaches. Misdelivery accounts for 88 percent of all error related breaches, and 91 percent of those errors are categorised as plain Carelessness, not process or technology failure (source: Verizon 2026 DBIR, p. 90-93). Government also has the highest concentration of state affiliated actors at 35 percent of breaches.

Retail (NAICS 44-45)

Espionage motivated actors in retail jumped from 9 to 19 percent year over year (source: Verizon 2026 DBIR, p. 95). The pattern signals that more sophisticated actors are recognising retail's data value beyond payment cards. Phishing and Pretexting both appear as social attack varieties, with Phishing roughly twice as common.

Education (NAICS 61)

Ransomware accounts for 65 percent of all malware driven breaches. Web applications are the primary malware vector in 71 percent of those infections. Social attacks appear in 22 percent of breaches, with classic email phishing taking the lead at 81 percent of those (source: Verizon 2026 DBIR, p. 82-83).

EMEA and APAC: where the gaps widen

The regional chapters reveal something quietly important.

EMEA

Phishing appears in 84 percent of social related breaches, compared to 69 percent in the global dataset (source: Verizon 2026 DBIR, p. 103). State affiliated actors are involved in 23 percent of EMEA breaches, against 14 percent globally. Espionage motivation is at 27 percent, against 13 percent globally. The 2025 Jaguar Land Rover case sits in EMEA. So do the 2025 Marks & Spencer and Co op events. The region is in a sustained pattern of geopolitically influenced cybercrime at an intensity the North American baseline does not show.

APAC

Hacking is involved in 83 percent of breaches, against 64 percent globally. Malware in 71 percent against 63 percent. State affiliated actors reach 36 percent, the highest in any region. Espionage motivation hits 36 percent against 13 percent globally (source: Verizon 2026 DBIR, p. 101-102). The 2025 Qantas case (more than five million customer records exfiltrated by the Scattered Lapsus$ Hunters group via a third party platform) is one of Australia's largest breaches since 2022.

If you run security across EMEA or APAC, the threat model is genuinely different from the North American baseline. The DBIR has been flagging this for two reports. This year the numbers are hard to misread.

What awareness teams should do this quarter

Here's the working list. Things worth doing in the next 90 days if the DBIR's findings affect your programme.

Add voice and SMS simulation to your programme if you haven't already. The 40 percent gap between phone centric and email click rates is the single most actionable finding in the 2026 DBIR for awareness teams. Measuring it is the entire point.

Separate your reporting between Phishing and Pretexting metrics. The countermeasures differ. The training differs. Measuring them as one number washes out where the real exposure lives.
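One way to produce the same comparison from your own programme, as an added example that is not code from the DBIR or from the Keepnet platform: it takes one record per simulation campaign (the same granularity as the campaign level fields described in the data note later in this post), computes the median click and report rate per channel and per VERIS action, and bootstraps a confidence interval for the gap between the phone centric and email medians. The campaign records are constructed for illustration and the channel names, field names and risk tiers are assumptions; the sample is deliberately tiny to show what a gap estimated from a few dozen campaigns actually looks like.

```python
"""Campaign-level click-rate comparison across simulation channels.

Added example (not from the DBIR, not Keepnet's platform). Mirrors the p. 50
comparison: one row per campaign, median rate per channel, then the relative
gap between phone-centric and email medians, with a bootstrap interval so a
small sample is reported with its uncertainty rather than as one headline number.
"""
from dataclasses import dataclass
from statistics import median
import random

# VERIS action each channel maps to (report p. 16): email and SMS are
# asynchronous Phishing, a live phone call is synchronous Pretexting.
VERIS_ACTION = {"email": "Phishing", "sms": "Phishing", "voice": "Pretexting"}
PHONE_CENTRIC = {"sms", "voice"}


@dataclass(frozen=True)
class Campaign:
    channel: str      # "email", "sms" or "voice"
    recipients: int   # employees targeted
    clicked: int      # clicked the link or gave the caller what they asked for
    reported: int     # reported the attempt to security

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients


def median_rates_by_group(campaigns, key=lambda c: c.channel):
    """Median per-campaign click and report rate, grouped by channel or any other key."""
    groups = {}
    for c in campaigns:
        groups.setdefault(key(c), []).append(c)
    return {
        g: {
            "n": len(cs),
            "median_click_rate": median(c.click_rate for c in cs),
            "median_report_rate": median(c.report_rate for c in cs),
        }
        for g, cs in groups.items()
    }


def relative_gap(rate_a: float, rate_b: float) -> float:
    """How much higher rate_a is than rate_b, as a fraction (0.40 means 40 percent)."""
    return rate_a / rate_b - 1.0


def bootstrap_gap_ci(phone, email, iterations=2000, alpha=0.05, seed=1):
    """Percentile bootstrap interval for the gap between the two medians.

    Resamples campaigns, not employees, because the campaign is the unit the
    report compares. With n in the tens the interval comes out wide.
    """
    rng = random.Random(seed)
    p = [c.click_rate for c in phone]
    e = [c.click_rate for c in email]
    gaps = []
    for _ in range(iterations):
        mp = median(rng.choices(p, k=len(p)))
        me = median(rng.choices(e, k=len(e)))
        if me > 0:
            gaps.append(relative_gap(mp, me))
    gaps.sort()
    lo = gaps[int(alpha / 2 * len(gaps))]
    hi = gaps[int((1 - alpha / 2) * len(gaps)) - 1]
    return lo, hi


def summarise(campaigns):
    """Phone-centric versus email medians, the relative gap and its 95 percent interval."""
    phone = [c for c in campaigns if c.channel in PHONE_CENTRIC]
    email = [c for c in campaigns if c.channel == "email"]
    mp = median(c.click_rate for c in phone)
    me = median(c.click_rate for c in email)
    lo, hi = bootstrap_gap_ci(phone, email)
    return {"n_phone": len(phone), "n_email": len(email),
            "median_phone": mp, "median_email": me,
            "gap": relative_gap(mp, me), "gap_ci95": (lo, hi)}


# Constructed sample: seven email and five phone-centric campaigns (not real data).
SAMPLE_CAMPAIGNS = [
    Campaign("email", 1000, 10, 300), Campaign("email", 1000, 12, 280),
    Campaign("email", 1000, 14, 250), Campaign("email", 1000, 14, 260),
    Campaign("email", 1000, 16, 240), Campaign("email", 1000, 20, 200),
    Campaign("email", 1000, 9, 320),
    Campaign("sms", 400, 6, 100), Campaign("sms", 400, 10, 80),
    Campaign("voice", 200, 4, 30), Campaign("voice", 250, 5, 40),
    Campaign("voice", 100, 3, 10),
]

if __name__ == "__main__":
    print(median_rates_by_group(SAMPLE_CAMPAIGNS))
    print(median_rates_by_group(SAMPLE_CAMPAIGNS, key=lambda c: VERIS_ACTION[c.channel]))
    print(summarise(SAMPLE_CAMPAIGNS))
```

With the constructed sample the point estimate lands near the report's figure, a median of 0.020 against 0.014, but the bootstrap interval spans well over half a percentage point of relative gap either way. That width is what a few dozen campaigns buys you, and it is worth showing alongside the headline number before it reaches a budget slide. Grouping by VERIS action instead of channel is the one-line change that gives you separate Phishing and Pretexting lines in the same report.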

Audit your help desk processes against the impersonation scenarios documented in the DBIR. If your support staff are rewarded primarily for resolution speed, you have built an attack surface. The harder change is cultural, not procedural. A help desk that's measured on first call resolution will not slow down for an awkward verification step. Add identity checks that work via a number the employee finds in the directory, not the number the caller offers.

Treat third party security exposure as a programme, not a procurement question. 48 percent of breaches now involve a third party. The vendor questionnaires most organisations use are not catching what matters.

Communicate the 40 percent gap finding internally. The DBIR is the most cited source in industry conversation. Use it to justify the budget conversation you are about to have with your CFO.

The teams already moving aren't waiting for the next DBIR to validate the call. They've added voice and SMS simulations to their programmes and started measuring the gap. Once the measurement is in place, the numbers begin to shift over a couple of quarters. Not dramatically at first. Enough that you can see the curve bending.

Social engineering threats are evolving rapidly beyond traditional email into voice, SMS, collaboration platforms, and AI assisted channels. Organisations therefore need to think more broadly about human risk, visibility, and resilience across the full communication landscape rather than focusing on phishing alone.
Ayo Adebayo
Head of Information & Cyber Security, SunExpress

One thing to watch in 2027

The voice and SMS phishing dataset will grow. The DBIR team explicitly stated they want it to (source: Verizon 2026 DBIR, p. 50). More vendors will contribute, and the picture should sharpen enough that next year's edition can put a tighter number on the vishing gap. Whether that number lands bigger or smaller than 40 percent, the measurement starts to mature.

A note on the data we contributed

The data Keepnet provided covers voice and SMS phishing simulation campaigns run by our customers between October 2024 and October 2025. It was anonymised, customer consented, and aggregated at the campaign level. The fields shared with Verizon included campaign type, industry NAICS code, customer country, employee affected rate, employee report rate, and ignored rate. No individual user data or customer identifying information left our platform.

If your organisation runs voice or SMS phishing simulations and would consider contributing anonymised data to the 2027 DBIR research, the DBIR team is actively looking to expand the dataset. We can introduce you.

If you want to talk it through

The 2026 DBIR shifts a few assumptions that have shaped awareness programmes for years. If you'd find a 30-minute conversation useful to work out what changes for your team specifically, we're happy to set one up.


About the author

Ozan Ucar is the Co-founder and CEO of Keepnet. He has spent more than 15 years in security operations, awareness programme design, and human risk research.


Frequently Asked Questions

What did the 2026 Verizon DBIR find about voice phishing?


The 2026 Verizon DBIR found that phone centric phishing simulations produce a median click rate of 2 percent, compared to 1.4 percent for email phishing simulations. That is a 40 percent gap (source: Verizon 2026 DBIR, p. 50). The report classifies voice phishing primarily under the VERIS framework's Pretexting action category, distinct from email Phishing.

How is voice phishing different from email phishing?


Voice phishing involves a real time conversation with an attacker, often impersonating IT help desk staff, a vendor, or an executive. Email phishing is asynchronous, with the victim opening a message and acting on it later. The Verizon DBIR makes this distinction explicit on page 16, noting that the countermeasures differ significantly. Anti phishing email controls do not address Pretexting, which requires different training (especially for help desk and customer facing staff) and different process rules.

What industries are most affected by voice phishing in 2026?


The 2026 DBIR shows social engineering attacks across most major sectors. Public Administration has the highest human element involvement at 69 percent. Financial Services has Phishing as a top initial access vector at 20 percent. Retail saw Espionage motivated actors more than double in share to 19 percent. The voice and SMS phishing simulation findings, while category level rather than sector specific in the report, are most directly applicable to sectors with large customer facing or help desk operations.

What is the role of generative AI in vishing and smishing attacks?


The 2026 DBIR documents that threat actors use generative AI across the attack chain, with a median of 15 ATT&CK techniques researched or augmented with AI assistance, and some actors leveraging 40 to 50 techniques (source: Verizon 2026 DBIR, p. 12). Most AI assisted malware replicates existing techniques (median 55 known examples per technique) rather than inventing new ones. Less than 2.5 percent of AI assisted malware observations involved genuinely novel methods.

Why is the inclusion of voice and SMS phishing data in the 2026 DBIR significant?


The 2026 Verizon DBIR notes on page 50 that voice and SMS phishing simulation data has been historically limited in the industry. This year is the first time the DBIR formally measures click rates for phone centric simulations at scale. The 40 percent higher click rate finding, compared to email, signals that the voice channel has been underweighted in most security awareness programmes for years. The DBIR team has stated they hope to expand this dataset for 2027.

Where can I read the full Verizon 2026 DBIR?


The official report is available at verizon.com/dbir. The DBIR is published annually by Verizon Business and is one of the most widely cited primary sources in cybersecurity.