Verizon 2026 DBIR: Human Risk Has Moved Beyond the Inbox
The 2026 DBIR message for security awareness teams
The Verizon 2026 Data Breach Investigations Report analyzed more than 31,000 real-world security incidents, including more than 22,000 confirmed data breaches across 145 countries, making it the largest breach dataset Verizon has examined in a single report.
For teams responsible for phishing prevention, security awareness training, employee risk reduction, and incident reporting, the 2026 DBIR is especially relevant. Attackers are still targeting people, but they are expanding how they do it. Email phishing remains a core problem, but voice calls, text messages, social media, pretexting, callback scams, fake help desk interactions, and AI-assisted lures are now part of the same human-risk conversation.
That shift matters because the PhishingBox platform is built around the same operating model security teams now need: realistic phishing simulations, continuous security awareness training, Human Risk Management, KillPhish reporting, Security Inbox triage, and LMS delivery in one connected workflow.
1. The human element is still central to breaches
Verizon reports that the human element was present in 62% of breaches, up slightly from the prior year. Social Engineering was the third most common breach pattern, representing 16% of all breaches. Phishing remained at 16% of breaches, while Pretexting reached 6% and became a more common initial access vector for ransomware and extortion attacks.
That should change how organizations think about awareness. A once-a-year training module is not enough when attackers are continuously testing employees across inboxes, phones, collaboration tools, browsers, and personal workflows.
PhishingBox security awareness training supports continuous learning through scheduled courses, phishing-driven training moments, new-hire assignments, SecurityTips reinforcement, training emails, and reporting that shows progress over time.
The DBIR takeaway: human risk is not a checkbox. It is an operational security metric.
2. Email phishing is still the starting point
The DBIR makes clear that traditional phishing has not gone away. In the Social Engineering pattern, Verizon found 5,302 incidents and 3,814 confirmed data breaches. The report notes that Phishing and Email remain the primary methods used in Social Engineering breaches, and email security gateway data showed that 80% of blocked email attacks were plain phishing, followed by malware emails, callback attempts, and Business Email Compromise-style activity.
That reinforces the value of realistic, recurring email phishing simulations. Employees need practice spotting credential-harvesting pages, malicious attachments, business-process scams, invoice fraud, HR lures, cloud-sharing prompts, and urgent executive requests before those scenarios arrive from a real attacker.
The PhishingBox Phishing Simulator helps teams run realistic employee phishing simulations, automate follow-up training, identify risky employees and departments, and connect campaign results to broader Human Risk Management.
3. But social engineering is no longer just email
One of the most important awareness-related findings in the 2026 DBIR is that 41% of Social Engineering breaches involved social vectors other than email. Verizon also found that roughly a quarter of social action vectors came from Social media or Phones, showing how attackers are widening the net beyond the inbox. The report also notes that large organizations saw a median of 48 SMS-based phishing campaigns targeting mobile devices per year, while smaller organizations saw a median of 12.
That finding should push security teams to ask a harder question: are we training employees for the attacks they actually experience, or only the attacks that are easiest to simulate?
Email simulations are still essential, but awareness programs should also teach employees how to respond to suspicious text messages, callback scams, QR-code lures, collaboration-platform impersonation, fake IT support requests, and social media outreach. PhishingBox callback phishing simulations can help security teams test callback-style lures and connect those behaviors to training.
4. Phone-centric attacks are getting better results
The DBIR found that phone-centric social attacks, including text messages, voice calls, and callback-focused emails, were more successful than traditional email in the dataset. Verizon reports a median click rate of 1.4% for email phishing simulation campaigns compared with about 2% for phone-centric methods, a 40% increase in the median click rate.
40% higher median click rate for phone-centric methods (statistic attributed to the Verizon 2026 Data Breach Investigations Report).
That difference may look small on paper, but it matters in practice. A two-percent failure rate inside a large organization can still represent dozens or hundreds of employees taking risky actions. And unlike email, phone-based pretexting often happens in real time, when the employee is under pressure and the attacker can adapt.
Awareness training should become more role-specific. Help desk teams should be trained to verify identity before resetting credentials or approving MFA changes. Finance teams should practice callback verification for payment changes. HR teams should recognize fake applicant, payroll, and benefits scenarios. Executives and assistants should be prepared for urgent travel, wire transfer, and document-sharing pretexts.
5. Pretexting requires a different defensive playbook
Verizon distinguishes Phishing from Pretexting in an important way. Phishing is generally asynchronous: an attacker sends a message and waits for the victim to act. Pretexting is more interactive: the attacker builds a trusted scenario and persuades the target to take an action that compromises the organization, often through voice, email, or text.
That means the controls are different, too. “Check the sender” is helpful for email phishing, but it is not enough when someone is impersonating IT support, a vendor, a manager, a recruiter, or a customer in an active conversation.
Security awareness programs should include simple verification rules employees can actually use:
- Never approve an MFA prompt you did not initiate.
- Verify help desk requests through an internal channel.
- Confirm payment changes using a known phone number, not the number in the request.
- Report suspicious messages even when you are unsure.
- Slow down any request that creates urgency, secrecy, or fear.
PhishingBox supports this kind of continuous training and measurement by connecting phishing simulation data with training moments, LMS workflows, reporting, and Human Risk Management.
6. AI is raising the quality and speed of attacker content
The 2026 DBIR reports that threat actors are demonstrably using GenAI across different stages of attack, including targeting, initial access, malware development, and tool development. Verizon found that the median threat actor researched or used AI assistance in 15 documented techniques, with some using AI across 40 or 50.
For awareness teams, the immediate implication is not that every phishing email will be perfect. The bigger issue is scale and variation. Attackers can create more convincing lures faster, localize messages, adapt tone by role or department, and remove the obvious grammar mistakes employees were once trained to spot.
Security awareness content should evolve accordingly. Training should focus less on superficial red flags and more on intent, context, verification, and behavior. Employees should learn to ask: Was I expecting this? Is this asking me to sign in, approve, pay, download, share, or bypass a process? Is there a safer way to verify it?
The PhishingBox Phishing Template Editor helps teams build phishing emails, landing pages, and training pages that align with campaign goals and the training experience that follows. Teams can pair that with PhishingBox cybersecurity courses covering phishing, social engineering, AI security, privacy, malware, remote work, and more.
7. Reporting is part of the defense, not an afterthought
The DBIR’s Social Engineering recommendations point to more than awareness alone. Verizon maps relevant CIS Controls to account protection, MFA, security awareness and skills training, and incident response management, including maintaining contact information for reporting security incidents and establishing an enterprise process for reporting incidents.
This is a critical point. Employees should not only be trained to avoid phishing; they should be trained to report it quickly. A fast report can give security teams the time they need to remove a message, block a domain, warn other users, investigate payloads, and contain an incident before it spreads.
KillPhish gives users a way to report suspicious emails, while Security Inbox helps security teams centralize user-reported email threats, manage phishing investigation workflows, and streamline response from one focused workspace.
8. Shadow AI creates a new awareness training need
The DBIR also highlights a fast-growing insider-risk issue: unauthorized GenAI use. Verizon reports that 45% of employees are now considered regular users of AI on corporate devices, up from 15% the prior year, and 67% of users accessing AI services on corporate devices are using non-corporate accounts. Shadow AI became the third most common non-malicious insider action in Verizon’s DLP dataset, with source code the most common data type submitted to external GenAI models.
This is not just a technical policy issue. It is a training issue. Employees need practical guidance on what they can and cannot paste into AI tools, how approved AI tools should be used, what data types are sensitive, and why “just trying to be productive” can still create exposure.
PhishingBox cybersecurity courses and the PhishingBox LMS content store help teams support training across phishing, social engineering, AI security, privacy, malware, and other employee risk topics. The PhishingBox LMS gives administrators a built-in way to assign, deliver, and track cybersecurity training.
What security teams should do next
The Verizon 2026 DBIR points to a clear direction: security awareness needs to become continuous, measurable, and behavior-based. Start with email phishing, but do not stop there. Add scenarios that reflect how attackers actually operate in 2026: mobile messages, phone calls, callback scams, help desk impersonation, collaboration-platform abuse, AI-generated lures, credential prompts, and risky data-sharing behavior.
A practical 2026 awareness roadmap should include:
- Run recurring phishing simulations tied to real business workflows.
- Use department-specific scenarios for HR, finance, IT, executives, and customer-facing teams.
- Trigger immediate follow-up training with phishing training automation when employees click, submit data, or need reinforcement.
- Measure reporting behavior with KillPhish, not just click rates.
- Use Security Inbox to centralize user-reported threats and support faster phishing response.
- Train employees on pretexting, verification, MFA fatigue, callback scams, and unsafe AI data-sharing.
- Add AI data-handling modules through cybersecurity courses to reduce Shadow AI risk.
- Use Human Risk Management to identify risky users, departments, and behaviors.
- Pair training with technical controls like MFA, access management, and incident response workflows.
PhishingBox brings these pieces together through phishing simulation, cybersecurity training, LMS delivery, inbox coaching, human risk scoring, integrations, reporting, and automation.
From phishing simulation to human risk reduction
- Phishing Simulation
- Training Moment
- Employee Reporting
- Security Inbox Triage
- Human Risk Score
- Program Improvement
Final takeaway
The 2026 DBIR does not say that people are the problem. It says people are part of the attack path, and that attackers are getting better at reaching them across more channels.
That means security teams need more than annual awareness training. They need continuous testing, timely coaching, fast reporting, and measurable human risk reduction.
The inbox still matters. But in 2026, the strongest awareness programs will prepare employees for the message, the phone call, the text, the chat request, the fake help desk interaction, and the AI-polished lure.
Source note: Statistics attributed to the Verizon DBIR are from the Verizon 2026 Data Breach Investigations Report. When using DBIR statistics, cite the source as “Verizon 2026 Data Breach Investigations Report.”