Keepnet contributes voice and SMS phishing data to the 2026 Verizon DBIR
Keepnet's voice and SMS phishing simulation data is included in the 2026 Verizon DBIR for the first time, revealing a 40% higher click rate for phone-based phishing.
Keepnet, an Extended Human Risk Management (xHRM) platform, announced that its voice and SMS phishing simulation data has been incorporated into the 2026 Verizon Data Breach Investigations Report (DBIR). This marks the first time such data has been included at scale in the annual report, which is widely regarded as a benchmark for cybersecurity trends.
The DBIR reports a 40% increase in the median click rate for phone-centric phishing simulations compared to email-based ones (Verizon 2026 DBIR, p. 50). This finding underscores the growing threat of vishing (voice phishing) and smishing (SMS phishing) attack vectors, which are often overlooked in favor of email-based attacks.
According to the report, phone-centric phishing simulations achieved a median click rate of 14.2%, compared to 10.1% for email simulations. The data suggests that attackers are increasingly turning to voice and SMS channels to bypass traditional security awareness training, which often focuses on email.
Keepnet's contribution includes aggregated, anonymized data from its platform, which simulates vishing and smishing attacks to train employees. The company's xHRM approach combines phishing simulations with other human risk management tools to provide a comprehensive view of an organization's security posture.
The inclusion of this data in the DBIR highlights the importance of addressing multi-channel phishing threats. As organizations invest in email security, attackers are shifting to less-protected channels like phone and SMS. The DBIR's findings serve as a wake-up call for security teams to expand their training and detection capabilities beyond email.
Verizon's 2026 DBIR also notes that voice and SMS phishing attacks are particularly effective because they exploit trust and urgency, often impersonating legitimate organizations or individuals. The report recommends that organizations implement multi-factor authentication and conduct regular simulations across all communication channels to mitigate these risks.
Keepnet's CEO commented, 'We are proud to contribute to the DBIR and help raise awareness about the growing threat of vishing and smishing. Our data shows that attackers are adapting their tactics, and organizations must adapt their defenses accordingly.'