Follow ZDNET: Add us as a preferred source on Google.

ZDNET's key takeaways

• Verizon's DBIR reveals top business security trends.
• Mobile phishing is outpacing email-based attacks.
• Companies need mobile-focused phishing training.

Mobile attack vectors are outstripping email threats as we become more able to detect traditional phishing attempts, Verizon said in a new report exploring the data breach landscape and the impact on businesses worldwide.

Also: Worried about the nationwide Canvas data breach? Take these 6 steps now

In Verizon's 2026 Data Breach Investigations Report (DBIR), the company said that mobile-centric cyberattacks are increasing in popularity and have a higher click rate than the same phishing attempts sent via email, which raises questions about whether our existing phishing protections are adequate.

Mobile social engineering takes center stage

Based on data collected from more than 31,000 real-world security incidents in 2025, with 22,000 confirmed data breaches impacting organizations in 145 countries, Verizon says that "mobile is more dangerous than email."

Also: The best mobile antivirus software of 2026: Expert tested and reviewed

A set of phishing simulation assessments backs up this claim, in which mobile-centric attack vectors -- including voice-based phishing (vishing) and text scams -- were successful lures, achieving a 40% higher click-through rate than traditional email phishing scams.

The human element

People are often the weakest link in security systems, and threat actors know it. However, that doesn't mean we aren't improving our general cybersecurity awareness; it just means cybercriminals are switching up their tactics.

According to Verizon's report, the "human element" was present in 62% of known and recorded data breaches, a marginal increase of 2% year over year.

Also:The shadowy SIM farms behind those incessant scam texts - and how to stay safe

Unfortunately, the data reveals that many cybercriminals are abusing our trust to steal data, commit payment fraud, or act as a precursor to severe security incidents, including ransomware deployment and extortion.

When sending a phishing email isn't enough, they have begun what Verizon calls "pretexting," a concerning development that highlights how psychology now more often plays a part in modern cyberattacks.

Pretexting vs. phishing

Social engineering, which accounts for 16% of all breaches, refers to psychological exploitation to persuade us to take actions that risk our personal security and privacy, or that of a business, such as our employer.

These tactics can range from a member of staff allowing a criminal posing as a delivery driver to enter a secure building to someone posing as one of your loved ones in a financial emergency.

When applied to mobile technology, phishing often takes the form of fake texts, voice notes, and calls for nefarious purposes. It's not just a cybercriminal pretending to be you and calling your telecoms provider to swap your SIM; if "pretexting" is used as a tactic, a foundation of trust is laid between the criminal and the victim before a trap is sprung.

Also: How to check if a text message is spam on Android - and the free tool I rely on

Consider it an upgrade over generic phishing attempts used in targeted, more sophisticated attacks. For example, an employee in finance could be targeted, with a friendly rapport built through mobile messaging and calls, and with an attacker pretending to be an executive, team member, or vendor. When enough trust has been established, the victim is then tricked into changing an invoice's payment details, sending cash unwittingly to a criminal instead of a supplier.

Average click-through rates for simulated email phishing campaigns in Verizon's dataset were 1.4%, compared to phone-based phishing rates of around 2%, a 40% increase.

"Regardless of the terminology, various attackers have been leveraging these means by impersonating help desk agents or users needing a password reset, with moderate levels of success," the report says. "The bottom line here is that social attacks using phone-centric vectors -- text messages, voice, or callback-focused emails -- are more successful in our dataset than using the traditional email vector defenders are used to."

More key security trends

Verizon's research also revealed that nearly a third (31%) of breaches now start with the exploitation of vulnerabilities, marking the first time that exploiting security flaws has surpassed the use of stolen credentials as an initial entry point into a target system, now recorded as the reason for 13% of incidents.

This shift is believed to be due to AI. According to the report, AI is being leveraged by cybercriminals to reduce the time required to exploit vulnerabilities, "shrinking the window for defense from months to mere hours."

Also: This simple ChatGPT trick helps you spot scams before you click or respond

Furthermore, only 26% of critical vulnerabilities recorded by CISA were fully patched and resolved in 2025, a drop from 38% in 2024.

Another interesting trend that organizations should be aware of is shadow AI. Businesses have long been aware of shadow IT, the use of devices and online services by employees without explicit approval, but now shadow AI is also a potential security risk.

In total, 67% of employees are using non-corporate AI accounts on their company-issued devices. Shadow AI was the third most common non-malicious insider threat recorded last year, with users frequently submitting sensitive, confidential company data to these models, including source code, research, and technical documents.

How to stay protected

As the sample sizes are small, the common threads of Verizon's research on mobile-centric phishing do have some caveats. However, this is because few data points were available, as there don't appear to be many companies conducting mobile-focused phishing simulations or training -- which, in turn, has revealed a potential problem.

Phishing training is nothing new, although its benefits are debatable, especially when it is considered just an annual exercise to tick a box. But with few organizations considering the mobile aspect of modern phishing tactics, they may be exposing themselves to greater risks, especially when employees are using their own devices to access corporate networks and systems.

If cybercriminals are allowed to bypass security systems by contacting unwitting employees directly, investments in anti-phishing defenses could be rendered worthless.

For organizations, the answer is developing new strategies to combat traditional and evolving phishing threats across email and mobile. With "pretexting" also on the rise, training should teach staff that phishing is no longer just spray-and-pray emails -- these criminals will tug at your heartstrings and exploit your trust to achieve their goals.

Also: Cloud attacks are getting faster and deadlier - 4 ways to secure your business

Furthermore, these attacks can occur through employee-owned devices, which are outside your control and could pose invisible threats to corporate security, so organizations should reconsider permitting access or revoking bring-your-own-device schemes. It might save companies cash in the short term to allow members of staff to use their own smartphones, but a data breach isn't cheap.