
Vishing Statistics 2026: Unmasking the Voice Phishing Trends

2026 vishing statistics grounded in Verizon DBIR pretexting and phone-centric simulation metrics. Separate from our smishing statistics guide on SMS/text channels.

Ozan Ucar, Founder and CEO of Keepnet

Vishing (voice phishing) uses live calls, callbacks, and help-desk manipulation to bypass email filters. The Verizon 2026 DBIR tracks pretexting (synchronous voice or chat) at 6% of initial access (p. 10-12). Phone-centric phishing simulations show a median click rate of ~2% versus ~1.4% for email (~40% higher, p. 50).

Keepnet's Extended Human Risk Management Platform (xHRM) pairs multi-channel simulations with Secure Behavior Management (SBM) outcomes: reporting speed and repeat-failure cohorts, not completion exports alone.

Source: Gartner, "6 Ways to Transform Your Cybersecurity Awareness Program" (G00840741, March 2026), based on the 2025 Secure Behavior Strategies Survey (n=65).

Executive summary: vishing statistics 2026

  • Pretexting (voice/chat): 6% of initial access (DBIR 2026)
  • Phone sim median click: ~2% vs email ~1.4% (DBIR 2026, p. 50)
  • Only 10% of leaders prioritize deepfake recognition vs 73% prioritizing phishing reporting (Gartner 2025, n=65)
  • 35% of organizations affected by deepfake incidents (Gartner 2025, n=302)

Vishing statistics at a glance

| Metric | Value | Source |
|---|---|---|
| Pretexting as initial access | 6% | Verizon DBIR 2026 |
| Phishing (async) initial access | 16% | Verizon DBIR 2026 |
| Phone sim median click | ~2% | Verizon DBIR 2026, p. 50 |
| Email sim median click | ~1.4% | Verizon DBIR 2026, p. 50 |
| Phone vs email sim gap | ~40% higher on phone | Verizon DBIR 2026 |
| Deepfake incidents (orgs) | 35% | Gartner G00840678, n=302 |

Vishing statistics at a glance (2026)

Why this matters

Legacy vishing pages cite consumer scam-call surveys without breach context. DBIR separates pretexting from inbox phishing for a reason.

What security leaders should do

Use the DBIR pretexting percentage in board decks, not undated robocall stats. Baseline vishing simulations against the ~2% median.

Vishing vs email phishing statistics

Asynchronous phishing (email, SMS links) accounts for 16% of initial access; pretexting adds 6%. Combined identity manipulation (phishing + credentials + pretexting) totals 35%, comparable to vulnerability exploitation at 31% (DBIR 2026). Email-only security awareness grades the easier test.

Why this matters

Gartner reports 73% of leaders prioritize phishing reporting (n=65) while phone channels show higher sim failure rates.

What security leaders should do

Run voice and callback scenarios alongside email. See phishing statistics 2026 for the full multi-channel matrix.

Deepfake and AI voice phishing statistics

Gartner's 2025 AI Risk Management Survey (n=302) found 35% of organizations experienced a deepfake incident. Only 10% of security leaders prioritize deepfake recognition training (G00840741, n=65). The Arup deepfake CFO case (Hong Kong, 2024) cost approximately $25.6M USD (HK Police briefing).

Why this matters

Synthetic voice closes the loop after an email lure. Programs without executive verification workflows remain exposed.

What security leaders should do

Require second-channel approval for wires and credential resets triggered by voice or video.

Real-world vishing cases

MGM Resorts (September 2023): ~$100M impact estimate (SEC Form 8-K). Industry reporting describes vishing of the IT help desk to obtain an MFA reset.

DBIR 2026 contributor data: Keepnet contributed anonymized voice and SMS simulation data (p. 118). Enterprise phone sim medians validate help-desk and callback playbooks.

What security leaders should measure

| Weak metric | Better metric |
|---|---|
| Email click rate only | Phone sim click rate vs ~2% DBIR median |
| Training completion | Reporting rate on callback scenarios |
| Generic awareness score | Repeat failures on help-desk vishing templates |

Vishing program metrics

eCrime breakout time trend (CrowdStrike 2026)

CrowdStrike average eCrime breakout time by year (Figure 3): 98 min (2021), 84 min (2022), 62 min (2023), 48 min (2024), 29 min (2025), roughly a 70% reduction from 2021 to 2025 (CrowdStrike 2026 Global Threat Report, p. 11).

Deepfake voice on live calls (Gartner G00847786)

Voice phishing now overlaps with real-time deepfake audio. Gartner's 2026 CISO role-based survey (n=297) found 41% of organizations experienced a deepfake combined with social engineering on an audio call, and 35% on a video call (Gartner G00847786). Pair those rates with DBIR phone-centric simulation medians (~2% click vs ~1.4% email) when you justify vishing program budget.

Contact center controls Gartner recommends

Beyond voice biometrics, G00847786 lists caller metadata checks, phone number intelligence, and SIM-swap detection. Programs that only simulate inbox links miss the channel where deepfake audio is scaling fastest.

Sources

  • Verizon 2026 DBIR summary
  • Gartner G00840741, G00840678 (2025 surveys; n labeled in body).
  • CrowdStrike, 2026 Global Threat Report (Year of the Evasive Adversary), p. cited in body.
  • Gartner G00847786: Cybersecurity Threat: Deepfake Identity Impersonation (Akif Khan, 28 May 2026).

What teams should do next

Pair these statistics with operational controls: help-desk callback verification, executive corroboration rules, and voice phishing simulations baselined against DBIR medians. For the full cross-channel stat pack, read phishing statistics 2026.
