Updated · ZDNet · May 20
Verizon Says Mobile Phishing Clicks Run 40% Above Email in 2026 Breach Report

5 articles · Updated · ZDNet · May 20
  • 31,000 security incidents analyzed in Verizon’s 2026 DBIR showed mobile-centric phishing—texts, calls and vishing—now outperforms email lures, with simulated phone-based attacks drawing about 2% click-through versus 1.4% for email.
  • 62% of recorded breaches still involved the human element, up 2% year over year, as attackers increasingly use “pretexting” to build trust before redirecting payments, stealing data or setting up ransomware and extortion.
  • 31% of breaches began with exploited vulnerabilities, overtaking stolen credentials at 13% for the first time; Verizon said AI is helping criminals compress exploitation windows from months to hours.
  • 26% of CISA-listed critical vulnerabilities were fully patched in 2025, down from 38% in 2024, while 67% of employees used non-corporate AI accounts on work devices, adding a growing shadow-AI risk.
  • Verizon said many companies still lack mobile-focused phishing drills, leaving bring-your-own-device access and traditional email-only training increasingly mismatched to how attacks now reach employees.

2026 Verizon DBIR: AI-Driven Vulnerability Exploitation Surges as Median Patch Time Hits 43 Days

Overview

The cyber threat landscape is rapidly transforming, driven by advancements in artificial intelligence and the swift exploitation of vulnerabilities. AI is playing an increasing role in generating and automating threats, as seen in the sharp rise of AI bot traffic and the ability of AI-powered tools to quickly identify and weaponize known vulnerabilities. This surge in automated attacks is creating a significant capacity crisis for security teams, making it harder for organizations to keep up with patching and remediation. As a result, the window for defending against threats is shrinking, highlighting the urgent need for strong foundational security and risk management practices.

...