Deepfake Benchmark 2026: Click Rate Is the Wrong Metric | Breacher.ai

Categories: Deepfake,Published On: July 8th, 2026,
The State of Deepfake Social Engineering 2026: Why Click Rate Is the Wrong Metric | Breacher.ai
Breacher.ai Benchmark · 2026

The State of Deepfake Social Engineering
2026

For a decade, security teams have measured social engineering exposure with one number: the click rate. Across 16 authorized deepfake engagements and 1,407 targets, we found it is the wrong number. People took a risky action more often than they clicked, and for nearly a third of engagements the click never existed. This is what the data shows, and what to measure instead.

Action Outran the Click

The headline finding of this benchmark is a single, uncomfortable comparison. Weighted across every engagement where both could be measured, 7.6 percent of targets clicked, but 12.0 percent took a risky action: entering credentials, initiating a wire, granting access. More people performed the dangerous act than the metric the industry reports would ever have flagged.

12.0%weighted action rate: the share of targets who performed the risky act
7.6%weighted click rate: the metric most programs report
5 of 16engagements had no measurable click rate at all

Click rate is a proxy for curiosity. Action rate measures who actually did the dangerous thing. When the two diverge, and here they diverged by roughly 58 percent, every exposure model built on click rate is understated at its foundation. The reason is structural: in a deepfake voice or agentic engagement there is frequently nothing to click. A finance employee who wires funds after a synthetic call from the "CFO" never clicked a thing. The action is the entire attack.

Click rate is a proxy for curiosity. Action rate measures who actually performed the dangerous act. Measure the click and the failure is invisible to you.

How We Measured It

This is not a survey or a lab study. Every figure comes from an authorized red-team engagement against live employees in a production environment. The dataset spans 16 engagements across 10 organizations, a total of 1,407 individual targets. Represented verticals include financial services (the majority), law, manufacturing, technology, and public sector.

Vectors deployed reflect the current deepfake threat surface: live synthetic voice calls, AI voicemail, deepfake video, agentic SMS and email follow-up, deepfake collaboration-platform messages, and calendar-invite lures, frequently orchestrated in combination.

Two outcomes were tracked for every target. Click: the target engaged with the lure. Action: the target performed the risky action requested, such as entering credentials, initiating a funds transfer, or granting access. Action marks the point at which the individual is fooled. It is not, on its own, a breach. Whether an action becomes a compromise depends on the controls that catch it downstream. That distinction is the entire subject of this report. All rates are target-weighted so that a 350-person engagement is not counted equally with a 3-person one, and all client identities are withheld and aggregated by sector.

Action and click rates in this report are drawn from the 16-engagement live dataset described above. The figure that 63 percent of users cannot reliably distinguish synthetic communications from authentic ones is drawn from Breacher.ai's broader benchmark and is cited only where noted. Rates are target-weighted approximations derived from per-engagement outcomes. Questions are welcome at support@breacher.ai.

Click, Action, Compromise: Three Different Things

Much of the confusion in this field comes from collapsing three distinct measurements into one. They are not the same, and the gap between them is where real risk lives.

Metric What it measures Why it matters
Click rate Curiosity: the target engaged with the lure
Action rate The individual performed the risky act
Compromise The organization's process failed to catch the action

Read the table top to bottom and the thesis of this report falls out of it. Click rate is the weakest signal, and it is the one the industry optimizes. Action rate is a better signal, but a fooled individual is not yet a breach. Compromise is the only row that describes real loss, and it is decided not by the person but by the process behind them.

Four Findings From the Data

F1
Action Outran the Click

Weighted across measured engagements, the action rate of 12.0 percent exceeded the 7.6 percent click rate. More people took the risky action than the click metric would ever have flagged. The click number is a floor on your exposure, and a low one.

If your risk model is anchored to click rate, it is understated at the foundation. The behavior that leads to loss is happening more often than the metric admits.
F2
The Metric Is Null Where Risk Is Highest

In 5 of 16 engagements, click rate did not exist: no link, no attachment, no click event to record. Every one of those five was a voice, voicemail, or collaboration-platform attack. And these were not quiet engagements. The vectors with no measurable click produced the highest action rates in the entire dataset, peaking at 34.5 percent in a single voicemail campaign.

The industry's primary exposure metric goes dark exactly where the modern attacker operates. A click rate report measured the least dangerous vector and stayed silent on the most dangerous ones.
F3
The Platform Isn't the Variable. The Organization Is.

Eleven of sixteen engagements targeted organizations with awareness training already deployed, across a range of established and AI-native platforms. Outcomes did not cluster by platform. They ranged from high action rates to a single engagement that repelled the attack entirely, and the same awareness platform appeared among both the most and least resilient organizations. The organization that shut the engagement down cold was not better-trained. It was hyper-vigilant, with verification built into how it operated rather than only into a training module.

Awareness training is a tool. What determines the outcome is how an organization wields it. Verification as an operating discipline beats verification as a compliance checkbox, whatever logo is on the dashboard.
F4
Voice Is the Vector

Voice-based attacks (live deepfake calls and AI voicemail) carried the heaviest action rates in the dataset and defeated trained and untrained organizations alike. Synthetic voice bypasses every visual tell people are trained to catch. There is no misspelled domain to notice, no suspicious sender to hover over, only a familiar voice making a plausible request under time pressure.

Detection training assumes the target gets to inspect an artifact. A voice call gives them no artifact to inspect, only a decision to make, quickly, while someone who sounds like their boss waits on the line.

You Have Been Testing the Wrong Unit

Click rate measures the individual. It asks, "did this person fall for it?" That is the wrong unit of analysis. A single employee will eventually engage with a sufficiently good lure. That is not a problem you solve at the level of the human, and pretending otherwise has cost the industry a decade. The question that actually predicts real-world outcome is different: when a synthetic request enters your organization, does your process stop it?

Deepfake social engineering does not test whether your people are smart. It tests whether your controls are real.

Does a wire request survive a callback to a known number? Does a credential reset survive out-of-band confirmation? Does a "CEO" asking for urgent payment survive a second set of eyes? Those are process questions, and they are the only questions that separate an organization that gets fooled from one that gets breached. This is the core of Breacher.ai's OSES methodology: post-click process failure is where compromise actually happens, so it is the only thing worth measuring.

Two Ways to Measure, One Tells the Truth

The same exposure can be measured two ways. One produces a number for a slide. The other produces a map of exactly where an adversary would get through.

Click Rate Testing

Fire a lure, count clicks, assign training. Voice and agentic vectors are never measured, so the highest-risk paths stay invisible. Nothing tests whether your verification process holds after a person is fooled. You learn a click rate and almost nothing about your actual exposure, and since detection training barely moves that number, you run the same test again next quarter.

Action and Process Testing on OSES

Run the real vectors, including voice, and measure who performed the risky act. When a person is fooled, find out whether the process caught it: callback verification, out-of-band confirmation, dual authorization. You leave with a resilience number and a ranked list of which layer failed, process gap, control gap, or correlation gap, not a click-rate scoreboard.

The difference is not delivery polish. It is whether the test reaches the layers where resilience is actually built. Click rate testing optimizes the one control the data says you cannot meaningfully improve. Action and process testing finds the controls you can.

What To Do About It

Four changes follow directly from the data. None of them require a bigger budget. They require measuring the right thing.

01
Retire click rate as your headline metric

Track outcome: credentials entered, funds moved, access granted. If a report cannot tell you what your people actually did, it cannot tell you your exposure. Action rate is the floor, resilience is the goal.

02
Test voice

If your last assessment was an email phishing simulation, you have not tested the vector most likely to compromise you. Voice and agentic attacks carried this dataset's highest action rates, and they leave no click to count.

03
Red-team the process, not the person

Measure whether verification controls (callback protocols, out-of-band confirmation, dual authorization) actually fire under pressure. Assume the human will be fooled and check what catches the request after they are.

04
Benchmark against reality

Self-reported awareness scores do not predict outcomes. Live engagement data does. In Breacher.ai's broader benchmark, 63 percent of tested users could not reliably distinguish synthetic communications from authentic ones. Detection is not a control you can depend on.

What a Real Assessment Leaves You With

A deepfake social engineering assessment should leave you with a clear, prioritized picture of where an adversary would actually get through, and what to fix first.

  • Action rate, not just click rate, measured across every vector including voice
  • A finding on each process control: did it engage, did it stop the action, did staff adhere under pressure
  • Technology validation, including whether alerting fired on the anomalous behavior
  • The headline resilience number: how often the system held despite a person being deceived
  • A ranked remediation list separating process gaps, control gaps, and correlation gaps
  • A retest path to prove a fix once it is in place

Anything short of that is a click-rate report wearing a threat actor's name. Anything at or above it is an operational picture of how your people, process, and technology behave when a synthetic request is moving through all three at once.

Frequently Asked Questions

Direct answers to the questions security leaders ask about the 2026 benchmark.

Q
What did the 2026 deepfake benchmark find?

Across 16 authorized engagements and 1,407 targets, the weighted action rate of 12.0 percent exceeded the 7.6 percent click rate. In 5 of 16 engagements there was no measurable click rate at all, because the attack used voice, voicemail, or a collaboration platform. Action, not clicks, predicts real exposure.

Q
Why is click rate the wrong metric?

Click rate is a proxy for curiosity. It understates exposure because people took a risky action more often than they clicked, and because voice-based attacks frequently have nothing to click. A metric that goes dark where risk is highest cannot describe your exposure.

Q
Is action rate the same as a breach?

No. Action rate marks the point at which an individual is fooled and performs the risky act. It is not, on its own, a breach. Whether an action becomes a compromise depends on the controls that catch it downstream. Action measures individual susceptibility. Compromise measures whether the organization's process held.

Q
Does security awareness training stop deepfake attacks?

Outcomes did not cluster by training platform. Results ranged from high action rates to a single organization that repelled the attack entirely, with the same platform appearing among both the most and least resilient organizations. The determining factor was posture, not the tool. Training is a tool; how an organization wields it decides the outcome.

Q
Which vectors are most effective?

Voice-based vectors, live deepfake calls and AI voicemail, carried the highest action rates, peaking at 34.5 percent in a single voicemail campaign. Synthetic voice bypasses the visual tells people are trained to catch.

Q
What is OSES (Orchestrated Social Engineering Simulations)?

OSES™ is a trademarked methodology developed by Breacher.ai for running conditional, multi-stage adversary emulation campaigns built on a persistent contextual layer. It chains techniques into one coherent campaign that reaches the real decision point, where an employee is asked to act, a procedure is asked to intervene, and technology is asked to detect. That is what lets a single engagement test people, process, and technology at once, and measure action rather than clicks.

Author
JT

Jason Thatcher

Founder & CEO, Breacher.ai

Jason Thatcher is the Founder and CEO of Breacher.ai and creator of OSES™ (Orchestrated Social Engineering Simulations™). He has 15+ years in cybersecurity spanning security operations, threat intelligence, and executive leadership, with prior roles at ZeroFox, Deepwatch, and GuidePoint Security. He built Breacher.ai on a simple practitioner conviction: the defense that matters is not whether users spot fakes, but whether process and technology hold when they do not. Connect on LinkedIn.

Deepfake Social Engineering Benchmark Report 2026 Action Rate Click Rate Deepfake Phishing Statistics Deepfake Voice Vishing Agentic Phishing OSES™ Orchestrated Social Engineering Deepfake Red Team Deepfake Phishing Simulations Best Deepfake Phishing Simulations Process Resilience Security Awareness Training

See Where Your Organization Lands

Breacher.ai's DEEPFAKE RED TEAM™ runs the exact engagements behind this benchmark against your environment: voice, video, and agentic vectors, measured on action, not clicks. You get the number that actually predicts a breach.

Voice and agentic vectors tested
Action and resilience, not click rate
Ranked remediation list
Free 30 minute consultation
Book Your Assessment

Latest Posts

  • Deepfake Benchmark 2026: Click Rate Is the Wrong Metric | Breacher.ai

  • IT Remote Support Simulation | Breacher.ai

  • Deepfake Phishing Simulations | Breacher.ai

Table Of Contents

About the Author: Jason Thatcher

Jason Thatcher is the Founder of Breacher.ai and comes from a long career of working in the Cybersecurity Industry. His past accomplishments include winning Splunk Solution of the Year in 2022 for Security Operations.

Share this post