Deepfake Benchmark 2026: Click Rate Is the Wrong Metric | Breacher.ai
The State of Deepfake Social Engineering
2026
For a decade, security teams have measured social engineering exposure with one number: the click rate. Across 16 authorized deepfake engagements and 1,407 targets, we found it is the wrong number. People took a risky action more often than they clicked, and for nearly a third of engagements the click never existed. This is what the data shows, and what to measure instead.
Action Outran the Click
The headline finding of this benchmark is a single, uncomfortable comparison. Weighted across every engagement where both could be measured, 7.6 percent of targets clicked, but 12.0 percent took a risky action: entering credentials, initiating a wire, granting access. More people performed the dangerous act than the metric the industry reports would ever have flagged.
Click rate is a proxy for curiosity. Action rate measures who actually did the dangerous thing. When the two diverge, and here they diverged by roughly 58 percent, every exposure model built on click rate is understated at its foundation. The reason is structural: in a deepfake voice or agentic engagement there is frequently nothing to click. A finance employee who wires funds after a synthetic call from the "CFO" never clicked a thing. The action is the entire attack.
Click rate is a proxy for curiosity. Action rate measures who actually performed the dangerous act. Measure the click and the failure is invisible to you.
How We Measured It
This is not a survey or a lab study. Every figure comes from an authorized red-team engagement against live employees in a production environment. The dataset spans 16 engagements across 10 organizations, a total of 1,407 individual targets. Represented verticals include financial services (the majority), law, manufacturing, technology, and public sector.
Vectors deployed reflect the current deepfake threat surface: live synthetic voice calls, AI voicemail, deepfake video, agentic SMS and email follow-up, deepfake collaboration-platform messages, and calendar-invite lures, frequently orchestrated in combination.
Two outcomes were tracked for every target. Click: the target engaged with the lure. Action: the target performed the risky action requested, such as entering credentials, initiating a funds transfer, or granting access. Action marks the point at which the individual is fooled. It is not, on its own, a breach. Whether an action becomes a compromise depends on the controls that catch it downstream. That distinction is the entire subject of this report. All rates are target-weighted so that a 350-person engagement is not counted equally with a 3-person one, and all client identities are withheld and aggregated by sector.
Action and click rates in this report are drawn from the 16-engagement live dataset described above. The figure that 63 percent of users cannot reliably distinguish synthetic communications from authentic ones is drawn from Breacher.ai's broader benchmark and is cited only where noted. Rates are target-weighted approximations derived from per-engagement outcomes. Questions are welcome at support@breacher.ai.
Click, Action, Compromise: Three Different Things
Much of the confusion in this field comes from collapsing three distinct measurements into one. They are not the same, and the gap between them is where real risk lives.
| Metric | What it measures | Why it matters |
|---|---|---|
| Click rate | Curiosity: the target engaged with the lure | Null for voice, voicemail, and collaboration vectors; understates action |
| Action rate | The individual performed the risky act | The true measure of individual susceptibility, higher than click rate |
| Compromise | The organization's process failed to catch the action | The outcome that actually maps to a breach, and the one worth reducing |
Read the table top to bottom and the thesis of this report falls out of it. Click rate is the weakest signal, and it is the one the industry optimizes. Action rate is a better signal, but a fooled individual is not yet a breach. Compromise is the only row that describes real loss, and it is decided not by the person but by the process behind them.
Four Findings From the Data
Weighted across measured engagements, the action rate of 12.0 percent exceeded the 7.6 percent click rate. More people took the risky action than the click metric would ever have flagged. The click number is a floor on your exposure, and a low one.
In 5 of 16 engagements, click rate did not exist: no link, no attachment, no click event to record. Every one of those five was a voice, voicemail, or collaboration-platform attack. And these were not quiet engagements. The vectors with no measurable click produced the highest action rates in the entire dataset, peaking at 34.5 percent in a single voicemail campaign.
Eleven of sixteen engagements targeted organizations with awareness training already deployed, across a range of established and AI-native platforms. Outcomes did not cluster by platform. They ranged from high action rates to a single engagement that repelled the attack entirely, and the same awareness platform appeared among both the most and least resilient organizations. The organization that shut the engagement down cold was not better-trained. It was hyper-vigilant, with verification built into how it operated rather than only into a training module.
Voice-based attacks (live deepfake calls and AI voicemail) carried the heaviest action rates in the dataset and defeated trained and untrained organizations alike. Synthetic voice bypasses every visual tell people are trained to catch. There is no misspelled domain to notice, no suspicious sender to hover over, only a familiar voice making a plausible request under time pressure.
You Have Been Testing the Wrong Unit
Click rate measures the individual. It asks, "did this person fall for it?" That is the wrong unit of analysis. A single employee will eventually engage with a sufficiently good lure. That is not a problem you solve at the level of the human, and pretending otherwise has cost the industry a decade. The question that actually predicts real-world outcome is different: when a synthetic request enters your organization, does your process stop it?
Deepfake social engineering does not test whether your people are smart. It tests whether your controls are real.
Does a wire request survive a callback to a known number? Does a credential reset survive out-of-band confirmation? Does a "CEO" asking for urgent payment survive a second set of eyes? Those are process questions, and they are the only questions that separate an organization that gets fooled from one that gets breached. This is the core of Breacher.ai's OSES methodology: post-click process failure is where compromise actually happens, so it is the only thing worth measuring.
Two Ways to Measure, One Tells the Truth
The same exposure can be measured two ways. One produces a number for a slide. The other produces a map of exactly where an adversary would get through.
Fire a lure, count clicks, assign training. Voice and agentic vectors are never measured, so the highest-risk paths stay invisible. Nothing tests whether your verification process holds after a person is fooled. You learn a click rate and almost nothing about your actual exposure, and since detection training barely moves that number, you run the same test again next quarter.
Run the real vectors, including voice, and measure who performed the risky act. When a person is fooled, find out whether the process caught it: callback verification, out-of-band confirmation, dual authorization. You leave with a resilience number and a ranked list of which layer failed, process gap, control gap, or correlation gap, not a click-rate scoreboard.
The difference is not delivery polish. It is whether the test reaches the layers where resilience is actually built. Click rate testing optimizes the one control the data says you cannot meaningfully improve. Action and process testing finds the controls you can.
What To Do About It
Four changes follow directly from the data. None of them require a bigger budget. They require measuring the right thing.
Track outcome: credentials entered, funds moved, access granted. If a report cannot tell you what your people actually did, it cannot tell you your exposure. Action rate is the floor, resilience is the goal.
If your last assessment was an email phishing simulation, you have not tested the vector most likely to compromise you. Voice and agentic attacks carried this dataset's highest action rates, and they leave no click to count.
Measure whether verification controls (callback protocols, out-of-band confirmation, dual authorization) actually fire under pressure. Assume the human will be fooled and check what catches the request after they are.
Self-reported awareness scores do not predict outcomes. Live engagement data does. In Breacher.ai's broader benchmark, 63 percent of tested users could not reliably distinguish synthetic communications from authentic ones. Detection is not a control you can depend on.
What a Real Assessment Leaves You With
A deepfake social engineering assessment should leave you with a clear, prioritized picture of where an adversary would actually get through, and what to fix first.
- Action rate, not just click rate, measured across every vector including voice
- A finding on each process control: did it engage, did it stop the action, did staff adhere under pressure
- Technology validation, including whether alerting fired on the anomalous behavior
- The headline resilience number: how often the system held despite a person being deceived
- A ranked remediation list separating process gaps, control gaps, and correlation gaps
- A retest path to prove a fix once it is in place
Anything short of that is a click-rate report wearing a threat actor's name. Anything at or above it is an operational picture of how your people, process, and technology behave when a synthetic request is moving through all three at once.
Frequently Asked Questions
Direct answers to the questions security leaders ask about the 2026 benchmark.
Across 16 authorized engagements and 1,407 targets, the weighted action rate of 12.0 percent exceeded the 7.6 percent click rate. In 5 of 16 engagements there was no measurable click rate at all, because the attack used voice, voicemail, or a collaboration platform. Action, not clicks, predicts real exposure.
Click rate is a proxy for curiosity. It understates exposure because people took a risky action more often than they clicked, and because voice-based attacks frequently have nothing to click. A metric that goes dark where risk is highest cannot describe your exposure.
No. Action rate marks the point at which an individual is fooled and performs the risky act. It is not, on its own, a breach. Whether an action becomes a compromise depends on the controls that catch it downstream. Action measures individual susceptibility. Compromise measures whether the organization's process held.
Outcomes did not cluster by training platform. Results ranged from high action rates to a single organization that repelled the attack entirely, with the same platform appearing among both the most and least resilient organizations. The determining factor was posture, not the tool. Training is a tool; how an organization wields it decides the outcome.
Voice-based vectors, live deepfake calls and AI voicemail, carried the highest action rates, peaking at 34.5 percent in a single voicemail campaign. Synthetic voice bypasses the visual tells people are trained to catch.
OSES™ is a trademarked methodology developed by Breacher.ai for running conditional, multi-stage adversary emulation campaigns built on a persistent contextual layer. It chains techniques into one coherent campaign that reaches the real decision point, where an employee is asked to act, a procedure is asked to intervene, and technology is asked to detect. That is what lets a single engagement test people, process, and technology at once, and measure action rather than clicks.
See Where Your Organization Lands
Breacher.ai's DEEPFAKE RED TEAM™ runs the exact engagements behind this benchmark against your environment: voice, video, and agentic vectors, measured on action, not clicks. You get the number that actually predicts a breach.

