Verizon DBIR 2026: The Human Element in 62% of Breaches

James Thornton··4 min read
Security team reviewing breach data and charts on screens

Every spring, the security industry waits for one report more than any other. The Verizon Data Breach Investigations Report (DBIR) analyzes tens of thousands of real incidents and tells us, with data rather than vendor spin, how breaches actually happen. The 2026 edition landed in May, and its message for anyone responsible for security awareness is unambiguous: people remain at the center of the breach.

The headline figure is that the human element was involved in 62% of breaches, up from 60% the year before. That category captures social engineering, human error, privilege misuse, and the use of stolen credentials. In other words, in nearly two of every three breaches, a person — not just a piece of software — was part of the story.

Phishing and Pretexting Still Open the Door

According to the 2026 DBIR, phishing initiated 16% of incidents, and pretexting — the voice, chat, and callback scams behind most BEC — added another 6%. Social engineering as a breach pattern appeared in 16% of cases. Sector context matters too: Public Administration showed the highest human-element involvement at 69%, while in Financial Services, phishing was a top initial-access vector at 20%.

The takeaway isn't that phishing is the only threat — it's that human-targeted attacks remain a reliable, repeatable way in. Attackers don't need a zero-day when an email or a phone call will do.

The Pivot to Mobile

One of the most important shifts in this year's report is where social engineering is happening. As employees have grown more skeptical of classic email phishing, attackers are moving to mobile-centric channels — smishing texts and voice calls. The DBIR found engagement rates for mobile-based phishing simulations were 40% higher than traditional email simulations.

The small screen, the casual context, and the assumption that "my phone is personal" combine to make mobile a soft target. Your awareness program can't stop at the inbox.

If your phishing simulations only test email, you're measuring the channel attackers are actively moving away from. Programs need to include SMS and voice scenarios to reflect how social engineering looks in 2026.

Vendors, the Browser, and Shadow AI

Three structural findings round out the 2026 picture:

  • Vulnerability exploitation overtook credential theft as a top initial-access vector — a reminder that patching and the human layer have to advance together.
  • Third parties are a growing weak link. Breaches increasingly trace back to a vendor or partner whose access was inherited or abused, making supply-chain risk a board-level issue.
  • Shadow AI emerged as an insider-threat concern. Employees feeding company data into unsanctioned AI tools is now significant enough for the DBIR to call out — a brand-new category of human-driven data loss.

Analysts also noted that more of the action is "living in the browser," where credential theft, session hijacking, and consent-grant abuse increasingly play out.

What This Means for Your Security Awareness Program

The DBIR is most useful when it changes what you do. Four practical responses:

  1. Test the channels attackers actually use. Add smishing and vishing scenarios alongside email so your simulations mirror the real threat mix.
  2. Train for AI-era social engineering. Deepfake voice, ClickFix prompts, and consent-phishing are now part of the human attack surface.
  3. Set a clear AI-use policy. Tell employees what they can and can't paste into public AI tools before shadow AI becomes your breach story.
  4. Measure behavior, not attendance. Click rates, report rates, and time-to-report are the metrics that correlate with real-world resilience.

empowsec's phishing simulation and security awareness training platform is built around exactly this model — multi-channel simulations (email, SMS, voice), teachable-moment debriefs the instant someone slips, and behavior-based reporting that shows whether your human layer is actually getting stronger.

Key Takeaways

  • The 2026 DBIR puts the human element in 62% of breaches — the people layer is still the decisive battleground.
  • Phishing (16%) and pretexting (6%) remain core entry points, and mobile phishing is 40% more effective than email.
  • Vendors, the browser, and shadow AI are rising risks that traditional awareness programs don't address.
  • Modernize your program with multi-channel simulations and behavior-based metrics to match how attacks happen now.

You can explore the full report at Verizon's DBIR resource center.

Share: