Keepnet Contributes Voice and SMS Phishing Data to the 2026 Verizon DBIR

The 2026 Verizon Data Breach Investigations Report (DBIR) has finally quantified the threat posed by voice and SMS phishing, or vishing and smishing, by publishing median click rates for the first time. Keepnet’s contribution supplies anonymized campaign data that shows a 2% click‑through rate on phone‑centric simulations—significantly higher than the 1.4% seen in email‑only tests. This 40% uplift signals that attackers are successfully shifting to synchronous channels where victims have seconds, not minutes, to react, exposing a blind spot in most corporate awareness programs that remain email‑centric.

Several technology trends are accelerating this shift. Affordable voice‑cloning tools now produce realistic executive impersonations in dozens of languages, while AI‑generated scripts adapt in real time, turning what was once a niche tactic into a mainstream attack vector. High‑profile breaches such as MGM Resorts’ $100 million loss and Hong Kong’s $25 million deep‑fake call illustrate the tangible financial impact. The FBI’s 2025 IC3 report attributes $798 million of losses to government‑impersonation smishing and vishing alone, underscoring the urgency for organizations to broaden their defensive focus beyond email.

For security teams, the takeaway is clear: measurement must evolve. Integrating voice and SMS simulations into regular training, tightening help‑desk verification protocols, and leveraging AI‑driven detection can close the gap between exposure and mitigation. Gartner predicts AI agents will cut exploitation time by half by 2027, further amplifying the speed and scale of attacks. Vendors like Keepnet provide the benchmarking data and realistic assessment capabilities needed to adapt budgets and policies for a multi‑channel phishing landscape, ensuring that verification habits become as ingrained as click‑avoidance in email training.