Verizon DBIR 2026: Vishing Success Rates Surpass Email by 40%


Keepnet, an Extended Human Risk Management (xHRM) platform, has announced that its simulation data for voice and SMS phishing has been integrated into the 2026 Verizon Data Breach Investigations Report (DBIR). The inclusion of this data recalibrates the modern corporate defense perimeter. For the first time, the report—on page 50—provides a large-scale quantitative comparison between phone-centric and email-based simulations.

The results are definitive: the median click rate for phone-centric tests is 2%, compared to 1.4% for those conducted via email. This 40% gap formally establishes the phone channel as more insidious than the vector that has dominated security awareness programs for more than two decades. The shift is analyzed further in HelpNetSecurity's reporting, which detailed Keepnet’s specific contributions to the Verizon report.

The Keepnet dataset covers a series of anonymized simulation campaigns conducted between October 2024 and October 2025. This information fills a historical void in cybersecurity reporting. On page 50, the DBIR team explicitly noted the difficulty in finding organizations that perform systematic simulations of voice and text-based attacks, highlighting a lack of standardized testing in this area.

Key Takeaways
  • The 2026 Verizon DBIR integrates large-scale voice and SMS phishing simulation data for the first time, citing Keepnet on page 118.
  • The median click rate for phone-centric simulations is 2%, outpacing the 1.4% rate for email-based simulations (a 40% increase).
  • Keepnet’s data stems from campaigns conducted between October 2024 and October 2025; the company has been running these tests since 2022.
  • The DBIR highlights a lack of corporate phone-based simulations, indicating a structural gap in human risk assessment.
  • The 2025 FBI IC3 report confirms the severity of the threat, noting $798 million in losses due to government impersonation via vishing and smishing.

Quantifying Risk Beyond the Inbox

The shift toward phone-centric metrics highlights a necessary operational change for security leaders. For years, the efficacy of social engineering was measured almost exclusively through email. However, the scarcity of data noted by the Verizon team suggests the industry has historically underestimated attackers' ability to exploit voice and text as primary attack surfaces.

This lack of corporate simulation has created a critical blind spot. A phishing link received via email is subject to multiple technical layers: URL filters, sandboxing, and detonation analysis. Conversely, a phone call or SMS bypasses these defenses entirely. The phone channel relies on an architecture of inherited trust, where the caller's identity is often taken at face value by the end user.

The 2% success rate is particularly concerning when considering the nature of the interaction. While an email click can be an impulsive action often blocked downstream, a phone interaction involves direct contact that frequently leads to credential compromise or the execution of fraudulent instructions. The measurement difficulties cited in the DBIR reflect the complexity of tracking these interactions compared to standardized, digital email logs.

"We've spent years measuring email click rates because email data was easy to collect. The phone channel is harder to measure, but the DBIR data shows the risk is higher there. Most awareness programmes are still grading on email alone. The next step for security leaders is building verification habits into the phone channel too." — Ozan Ucar, Founder & CEO, Keepnet

Editorial Analysis: Help Desks as Strategic Vulnerabilities

While the 2026 DBIR provides the raw numbers, the interpretation of these vectors suggests that internal help desks represent a strategic weakness. Operators trained for rapid problem-solving are naturally inclined to trust incoming requests, especially when attackers employ sophisticated pretexting techniques.

An attacker impersonating an employee locked out of an MFA system often finds a helpful interlocutor rather than a rigorous identity verifier. This risk is often amplified by outsourced support structures where personnel lack personal familiarity. The ability to bypass initial controls using publicly available data makes vishing a preferred tool for privilege escalation.

Furthermore, the emergence of AI-driven cybercrime adds a new layer of complexity. The 2025 FBI IC3 report introduced a specific category for AI-related crime, which has already accounted for $893 million in losses. It is highly probable that AI tools will facilitate the scaling of voice and text attacks, further widening the gap between traditional simulations and real-world threats.

Strategic Recommendations

Integrate vishing and smishing into awareness programs. Organizations must move beyond email-only models. It is essential to run regular tests that simulate phone-based social engineering, such as credential reset requests or vendor impersonation, so that staff learn to recognize red flags in real time.

Adopt out-of-band verification for critical requests. Any request received via phone involving account changes, access privileges, or data transfers must be verified through a second secure channel. This should include a callback to a registered corporate number or confirmation via an MFA-protected internal messaging app.

Harden help desk security protocols. Technical support teams require specific training in social engineering resistance. Identity verification procedures must be standardized and non-negotiable, even in scenarios of "extreme urgency" presented by the caller.

Update human risk KPIs. CISOs should refresh reporting metrics to include phone-based click rates and detection capabilities across non-email channels. The 2026 DBIR benchmark (2% vs 1.4%) serves as a baseline to determine if a company’s security posture is aligned with emerging threats.
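The KPI described above, as an added example that is not Keepnet's or Verizon's code: it computes the per-channel median campaign click rate (the form in which the DBIR states its figure) beside the pooled rate, then compares each channel with the 2026 benchmark. The channel names, record fields and campaign numbers are constructed assumptions.

```python
"""Per-channel human-risk KPI from phishing-simulation campaign records."""
from statistics import median
from typing import Dict, List, NamedTuple

class Campaign(NamedTuple):
    channel: str   # "email", "voice" or "sms" (assumed names)
    targeted: int  # recipients in the campaign
    clicked: int   # recipients who clicked or complied

# DBIR 2026 median click rates quoted in the article; "phone" covers voice and SMS.
DBIR_2026_BENCHMARK = {"phone": 0.02, "email": 0.014}

# Map simulation channels onto the DBIR's two reporting buckets.
CHANNEL_BUCKET = {"email": "email", "voice": "phone", "sms": "phone"}

def channel_kpis(campaigns: List[Campaign]) -> Dict[str, Dict[str, float]]:
    """Return, per bucket, the median of per-campaign rates and the pooled rate.

    The median is what the DBIR reports; the pooled rate (clicks / targeted)
    is what many dashboards show. They diverge when campaign sizes differ,
    so both are returned and should not be compared with each other.
    """
    rates: Dict[str, List[float]] = {}
    totals: Dict[str, List[int]] = {}
    for c in campaigns:
        if c.targeted <= 0 or not 0 <= c.clicked <= c.targeted:
            raise ValueError(f"malformed campaign record: {c}")
        bucket = CHANNEL_BUCKET[c.channel]
        rates.setdefault(bucket, []).append(c.clicked / c.targeted)
        t = totals.setdefault(bucket, [0, 0])
        t[0] += c.clicked
        t[1] += c.targeted
    return {b: {"median": median(rates[b]), "pooled": totals[b][0] / totals[b][1]}
            for b in rates}

def above_benchmark(kpis, benchmark=DBIR_2026_BENCHMARK) -> Dict[str, bool]:
    """Flag buckets whose median click rate exceeds the DBIR median."""
    return {b: kpis[b]["median"] > benchmark[b] for b in kpis if b in benchmark}

# Constructed sample year: one large, easy email campaign pulls the pooled
# email rate (~1.4%) well below the median (2%), which is the figure to report.
SAMPLE_CAMPAIGNS = [
    Campaign("email", 1000, 10), Campaign("email", 200, 6), Campaign("email", 150, 3),
    Campaign("voice", 40, 2), Campaign("voice", 50, 0), Campaign("sms", 120, 2),
]

if __name__ == "__main__":
    kpis = channel_kpis(SAMPLE_CAMPAIGNS)
    for bucket, flagged in above_benchmark(kpis).items():
        k = kpis[bucket]
        print(f"{bucket}: median {k['median']:.1%}, pooled {k['pooled']:.1%}, "
              f"{'above' if flagged else 'at or below'} the DBIR 2026 median")
```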

Aligning the Language of Risk

The significance of the 2026 DBIR lies not just in the figures, but in the normalization of an attack channel that has long eluded quantitative measurement. For years, vishing and smishing were treated as anecdotal threats. The publication of large-scale data now allows security leaders to discuss phone-based risk with the same precision applied to traditional phishing.

The 2% vs 1.4% data point provides a robust argument for the reallocation of defense budgets. It is no longer a matter of perception, but of measurable exposure. While this analysis currently depends on a limited number of specialized contributors like Keepnet, Verizon’s recognition marks a new era of transparency for telecommunications security.

The greatest risk for organizations is maintaining an asymmetric defense: fortified at the email layer but vulnerable at the human voice layer. The 2026 DBIR exposes this discrepancy. It is now up to enterprises to act on this data before global losses, already reaching hundreds of millions of dollars, continue to climb.

FAQ

Does the 2% figure refer to real attacks or simulations?

The figure refers specifically to controlled voice and SMS phishing simulations conducted by Keepnet. The 2026 DBIR compares the median click rate of these tests (2%) against email-based tests (1.4%).

Is Keepnet officially cited in the Verizon report?

Yes, Keepnet is listed as a contributing organization on page 118 of the 2026 Verizon DBIR, having provided the phone-based simulation data discussed on page 50.

What time period does the Keepnet data cover?

The data provided for the report covers anonymized simulation campaigns conducted between October 2024 and October 2025. Keepnet has been developing simulations in this field since 2022.
