Verizon's 2026 Data Breach Investigations Report examined more than 22,000 confirmed breaches across 145 countries and found the human element present in 62 per cent of them, up from 60 per cent the year before. That reversal is the story. Between 2021 and 2025 the same measure fell steadily, from roughly 85 per cent down to 60, a genuine five-year improvement that security-awareness programmes can reasonably take some credit for. This is the first year in a while the number has moved the wrong way.


What the numbers actually show

The report points to where. Median click rates on simulated email phishing have held at roughly 1.4 per cent for some time now, close to a floor that further training struggles to push below. Voice and text-based social engineering tell a different story: median click rates there run around 2 per cent, a 40 per cent jump over email, and pretexting has been promoted to a primary initial access vector in this year's edition. Attackers did not get better at writing emails. They moved the conversation somewhere training was never built to follow.

A phone call is not a static artefact. It is a live exchange with another party adapting in real time, and the decision about whether to trust what is said in it happens once, under time pressure, with nothing to scan first.

Why the two are different problems

Email phishing is a static artefact. It can be scanned, filtered, simulated, and trained against, which is exactly why the click rate on it has been driven down to a floor over several editions of this report. A phone call is not. It is a live exchange with another party adapting in real time, and that trust decision happens once, under time pressure, with nothing to scan first. That is a different kind of problem, and the tools built for the first one do not obviously transfer to the second.

It is also a harder problem to sustain attention for. Separate from anything in the breach data, research on sustained attention shows performance degrading over time on task, not because attention runs out like fuel, but because the executive control needed to keep resources locked on an external signal erodes on its own schedule. The effect has been documented directly in network defence analysts monitoring live alerts: the longer the shift, the more that control drops away, and errors begin to compound rather than stay isolated. A live conversation asks more of that same control than a filtered inbox ever did.

A checklist built for scanning emails was unlikely to transfer cleanly to reading a live voice on the other end of a call.

What this means for training

None of this means the fix is a new module bolted onto the old one. A 2023 survey of deception researchers found little consensus even among specialists on which individual verbal or behavioural cues reliably signal dishonesty. If trained researchers cannot agree on which isolated signal to trust, a checklist built for scanning emails was unlikely to transfer cleanly to reading a live voice on the other end of a call. Whatever closes this gap will need to be built for the interaction itself, not adapted from the one that is already largely solved.

Security budgets will keep hardening what can be hardened, because static artefacts are easy to buy defences for. The live decision, the one made in a real conversation with no script to scan, sits outside most of those budgets entirely, which is a reasonable explanation for why the number just moved for the first time in five years.