The Human Element Keeps Growing

Verizon's 19th annual Data Breach Investigations Report analyzed more than 31,000 real-world security incidents and over 22,000 confirmed data breaches across 145 countries. It is the largest dataset in the report's history — and the most consequential single finding for any security leader is sitting right in the topline numbers.

The human element was present in 62% of breaches, up from 60% the year before. Social engineering remained the third most common attack pattern, accounting for 16% of confirmed breaches and over 5,300 incidents. Despite a decade of awareness training budgets, simulated phishing programs, and security culture initiatives, the line continues to bend in the wrong direction.

That on its own is not new. What changed in 2026 is where those attacks are happening, and which channels are working.

Phone-Centric Social Engineering Is Now Winning

For most of the last decade, "social engineering" and "phishing email" have been used almost interchangeably in defender playbooks. The new DBIR breaks that frame open with hard numbers.

In simulated campaigns, the median click rate on email phishing held steady at roughly 1.4%. In voice and text-based simulations, the median climbed to about 2% — a 40% increase in click rate when attackers switch from inbox to phone. Not a doubling, not an order of magnitude, but a clear, measurable lift on what is functionally the same attack with a different delivery vector.

The DBIR team was direct about why that data was so hard to assemble: phishing simulation is a mature industry with dozens of vendors contributing data, while voice and text simulation is so rare that they had to flag the small sample size and openly ask for more contributors next year. That gap is the point. Defenders are not measuring the channels where attackers are increasingly winning.

Pretexting Was Promoted to a Primary Initial Access Vector

For the first time, the DBIR formally added Pretexting as a tracked initial access vector alongside credential abuse, vulnerability exploitation, and phishing. It did not get there casually. The report explicitly notes that the addition was driven by a significant number of high-profile ransomware breaches in this year's dataset where pretexting was the first action against the victim.

The distinction between phishing and pretexting matters more than it sounds. Phishing is asynchronous — an email or text arrives, the target clicks, the attacker moves on. Pretexting is synchronous. There is a live human (or convincing impersonation of one) on the other side of the conversation, adapting in real time, building rapport, applying pressure when needed.

That difference changes everything about defense. As the report puts it, training help desks and support agents to refuse to be helpful under manipulation is not the same as teaching users to check for typos in an email. The countermeasures look fundamentally different — and most awareness programs have not made that pivot yet.

This is the focus that drives our work at Breacher.ai. We don't run simulations to score individuals — we run them to test the process itself. Can a help desk be talked into a password reset under pressure? Will an AP team approve a wire after a voicemail from a familiar-sounding executive? Will an IT agent grant a remote session when the request looks routine and the caller sounds right? The user click is one data point. The process failure is the breach.

The Four Findings That Should Change Your 2026 Plan

Pull the report apart and four findings rise above the rest. Each one tells security leaders something different about where to put time, budget, and program attention before the next breach cycle hits.

The Help-Desk Impersonation Playbook Gets Named

The 2026 DBIR walks through, in unusual detail, a specific attack chain the report calls out as increasingly common. The structure is worth reading carefully because it maps almost beat-for-beat to incidents showing up in breach disclosures every few weeks.

First, the attacker creates a manufactured IT emergency — for example, signing the target up for spam services so their inbox is suddenly flooded with suspicious mail. Then a "helpful" message arrives through a chat tool from someone claiming to be IT support, offering to assist. The user accepts a remote desktop session. From inside that trusted session, using legitimate built-in operating system tools, the attacker carries out the breach while appearing to troubleshoot.

No malicious code is executed. No malware signature fires. The chat platform allows external connection requests by default. The remote access tool is approved by the organization. Every component of the attack is legitimate — only the social engineering is malicious, and most security stacks have no way to detect that.

The defense is identical in both columns. Process resilience does not care which attack lane the request arrived on. A help desk that requires out-of-band verification before resetting credentials stops the knowledge-based caller, and stops the deepfaked one.

From the Field: What Happens When Synthetic Media Enters the Picture

The DBIR's data on voice and text simulations is honest about its sample size — the report flags that very few organizations are running these kinds of campaigns at scale. To put a sharper edge on what the gap actually looks like, we pulled aggregate data from our own engagement tracker across recent simulations covering more than 1,000 targeted individuals in finance, manufacturing, legal, technology, and public sector organizations.

Every engagement used multi-vector scenarios that included synthetic media — deepfake voicemails, agentic AI phone calls, deepfake video, calendar-invite-based pretexts, and chat-platform impersonation, often layered together within a single campaign. Three findings stood out.

Put alongside the DBIR's benchmarks, the implication is hard to miss. Email phishing simulations across the broader industry converge near a 1.4% median click rate. Phone-centric simulations sit near 2%. When synthetic media is added to the attack chain, median click rates jumped roughly an order of magnitude.

The second number matters even more, because click rates are not the same as compromise. The DBIR measures the opening move; what determines breach risk is whether the target completes the action — surrenders a credential, approves a payment, opens a remote session. In our sample, the median completed-action rate was 11.7%, with a mean closer to 15%. That is roughly one in nine targeted users going all the way through a synthetic-media-driven scenario.

The third finding is the one that should reframe how security leaders think about their existing programs. Nearly three out of four engaged organizations had already deployed established security awareness training platforms before the simulation. Their workforces still clicked at a mean rate above 13% and completed compromising actions at nearly 12%. Prior training did not meaningfully transfer to the deepfake-augmented attack surface. The skills that defeat a typo-laden phishing email do not defeat a convincing voicemail from a familiar-sounding executive.

What This Means for Security Awareness Programs

Read together, the 2026 DBIR's findings on social engineering — combined with what we see in the field — form a coherent argument: the threat has moved, defenders mostly have not, and the gap is widening.

Email-only phishing simulation is a solved problem. The industry has compressed median click rates to about 1.4% through years of training. That number is genuinely impressive — and almost irrelevant to the attacks that are currently breaking through. Attackers are not waiting for defenses to catch up; they are moving to channels where measurement is rare, training is thin, and detection tooling barely exists.

The implications are concrete. Voice, text, and chat-based pretexting need their own simulation programs, with scenarios tailored to the roles being targeted — help desk, finance, executive assistants, anyone with privileged access or wire authority. Generic "spot the suspicious link" training does not transfer to a live voice on a phone call asking for a password reset.

Synthetic media — cloned voices, AI-generated video — needs to be part of the scenario library, because it is already part of the threat library. Training people to detect deepfake-augmented impersonation requires actually exposing them to it under controlled conditions, with feedback and coaching.

And measurement has to extend beyond click rates. The DBIR's own data shows that the most damaging attacks no longer end at a click. They begin at one and continue through a synchronous conversation, a remote desktop session, a wire transfer approval. Programs need to measure response across the full kill chain, not just the opening move.

The Bottom Line

The 2026 DBIR is the clearest signal yet that the social engineering threat surface has shifted faster than most awareness programs. The human element is in 62% of breaches. Phone-based attacks succeed 40% more often than email. Pretexting earned its own line in the report because it now drives high-profile ransomware breaches. And generative AI has moved from speculative threat to documented capability.

Our own field data sharpens the point. When synthetic media is layered into the attack chain, median engagement rates climb roughly an order of magnitude above the industry email baseline — and they do not drop meaningfully for workforces that have already been through traditional awareness training. The skills that defeat a phishing email are not the skills that defeat a cloned voice.

Frequently Asked Questions

Direct answers to the questions security leaders, CISOs, and risk owners ask most often about the 2026 Verizon DBIR, what it changed, and how to translate it into program decisions.