Verizon DBIR 2026: Social engineering a growing threat, with conventional email security more important than ever

Verizon’s Data Breach Investigations Report (DBIR) has long been considered one of the cybersecurity sector’s most essential status reports. The recent 2026 edition analyzes more than 31,000 security incidents and over 22,000 confirmed data breaches around the globe – unprecedented numbers.

The report’s headline finding is that vulnerability exploitation has risen to become the most common initial access vector for successful attacks. Nevertheless, enterprises will find another conclusion especially relevant: The human factor continues to gain in importance – largely due to sophisticated forms of social engineering.

Attackers are increasingly relying on AI-enhanced deception, mobile communication channels, and credible identity spoofing rather than ordinary spam emails alone.

Humans remain the primary attack vector

According to Verizon, the human factor plays a key role in 62 percent of all data breaches. Social engineering remains one of the most prevalent attack vectors, accounting for 16 percent of all security breaches.

While phishing attacks are typically carried out asynchronously by way of email, modern adversaries increasingly rely on direct means of interaction, such as phone, text messages, instant messaging, or ongoing email conversations. In this way, attackers aim to build trust and manipulate employees in real time.

Mobile social engineering is emerging as a blueprint for successful attacks

The figures for mobile attack vectors are particularly alarming. According to the Verizon report, the median success rate achieved through mobile social engineering attacks – such as those carried out via voice calls or text messages – is about 40 percent higher than that of conventional phishing campaigns carried out exclusively by email.

This is because mobile communication creates more time pressure, provides less context, and significantly reduces the attention victims pay to security indicators. Users are much less likely to check senders and URLs, or notice unusual phrasing, on their smartphones.

What’s more, modern attacks often employ multiple channels in parallel. A typical scenario may include:

  1. initial contact via SMS or Teams chat,
  2. a subsequent phone call using a false identity,
  3. a concluding email request for login credentials or MFA approval.

As a result, the lines between traditional email phishing, vishing, and account takeover are increasingly blurred.

AI allows social engineering to scale

The report also clearly indicates that generative AI has now been operationalized. According to Verizon, attackers are currently using GenAI in virtually every phase – from selecting targets to creating credible phishing messages, developing malware, and automating attack steps, not to mention translations and linguistic localization.

What’s especially concerning for businesses is that AI doesn’t necessarily make attacks more technically sophisticated, but rather increases their scale and professionalism. Poorly formulated phishing emails with obvious spelling errors are a vanishing breed. Instead, we are faced with large volumes of high-quality, linguistically convincing, expertly tailored, context-specific messages.

Email remains a major launchpad for attacks

Despite the emergence of new communication channels, email remains a key starting point for attacks. In the DBIR, phishing still consistently features as one of the leading initial access vectors. At the same time, the report reveals that stolen credentials continue to play a role in 39 percent of all breaches.

This underscores a core reality of modern cyber defense: Nowadays, companies are not only tasked with blocking malware, but above all with securing identities, communications, and access processes. This is precisely where modern email security plays a crucial role.

What companies now need to do

The DBIR once again confirms that technical and organizational security measures need to work together effectively. Companies are consequently advised to:

1. Establish advanced email security

Conventional spam filters are no longer sufficient. Companies need more comprehensive protection:

  • AI-based phishing detection
  • sandboxing for URLs and attachments
  • business email compromise (BEC) protection
  • account takeover safeguards
  • DMARC, SPF and DKIM

2. Consistently safeguard digital identities

Credential abuse remains one of the most significant attack vectors. MFA, conditional access, and robust authentication procedures are essential for companies.

3. Prepare staff for modern attack strategies

Awareness training now needs to go well beyond traditional phishing emails and also cover voice phishing, SMS attacks, MFA fatigue, and social engineering within collaboration tools.

4. Consider the full range of communication channels

The days when malicious attacks were limited to email are long gone. Companies require security strategies for hybrid communication environments consisting of:

  • email
  • collaboration platforms
  • mobile messaging
  • voice communication

Social engineering more sophisticated, but not fundamentally different

Verizon DBIR 2026 clearly shows that while the threat situation continues to evolve, the basic principles behind successful attacks remain surprisingly consistent.

Attackers still seek to exploit human weaknesses, trust, and identities to gain unauthorized access – only now their campaigns are much more professional, AI-enhanced, and conducted across multiple channels.

For companies, this means that far from becoming a legacy issue, email security is rapidly establishing itself as a core component of modern identity and communication security.

In other words, while technologies may change, attackers continue to follow a tried and tested approach – manipulating people into carrying out the wrong action.
