Findings from the 2026 Verizon DBIR that should shape your defenses
The attack surface is scaling — here's what the data says and how to defend it
Key Points
- Present in 62% of breaches, human-driven vulnerabilities like credential reuse, phishing susceptibility, and AI-assisted deception continue to be the most persistent risk.
- Shadow AI has become a serious insider data risk with 45% of employees now regularly using AI on corporate devices, and 67% doing so through non-corporate accounts.
- Attackers are moving beyond static phishing emails to real-time, conversational manipulation over voice and chat, making traditional link-and-attachment scanning insufficient on its own.
The 2026 Verizon Data Breach Investigations Report analyzed more than 22,000 confirmed breaches, the largest dataset in the report's history. The findings are a useful gut check for security leaders who suspect the attack surface is expanding faster than their controls. It is. Here is what stands out, and what it actually means for the humans, data, and AI your organization depends on.
The human element is still the dominant variable
The DBIR found the human element present in 62% of breaches, a slight increase from 60% the previous year. That number is stubborn precisely because it is not a single issue or failure. It is a combination of threats including credential reuse, susceptibility to phishing, compliance gaps, and now AI-assisted deception, all rolling into one metric.
Source: Verizon DBIR 2026, p.12
Social engineering was the third most common incident pattern overall, accounting for 16% of all breaches. Of those, email remained the primary attack vector, a finding that has held for years. But the details underneath that headline are changing in ways that matter.
Phishing is being turbocharged, not replaced, by AI
Threat actors used GenAI assistance across a median of 15 distinct techniques in documented attack campaigns. Some used it across as many as 40 to 50. Of the AI-assisted initial access vectors the DBIR identified, phishing accounted for 44%, the single largest category.
Source: Verizon DBIR 2026, p.26
The volume of AI-assisted text appearing in malicious emails has doubled compared to previous years, according to data shared with Verizon by Anthropic. The DBIR is careful to note that this increase in AI assistance has not yet translated into a measurable increase in the success rate of phishing attempts against organizations in its incident dataset. But that is not a reassurance; it is a lagging indicator. The uplift is real: AI lowers the barrier for less experienced actors to craft convincing, grammatically accurate, contextually plausible lures. Security teams are in a race between detection capability and volume.
Email security data shows a consistent breakdown of what is being blocked: 80% plain phishing, 10% malware-bearing emails, 5% callback/telephone-oriented attack delivery (TOAD) attempts, and 3% Business Email Compromise (BEC)-style attacks targeting wire transfer or payment redirection. These findings closely align with what we reported in the Mimecast Global Threat Intelligence Report.
Pretexting is becoming an entry point to ransomware
Most security teams are not yet treating pretexting with appropriate seriousness. Pretexting, the construction of a fabricated scenario to manipulate a target into taking a harmful action, has become a more frequent initial access vector into ransomware and extortion campaigns. Across all investigated incidents, pretexting reached 6% as an initial vector, and it shows up both as a standalone technique and as a follow-on to a phishing email.
What makes pretexting harder to defend against than conventional phishing is its synchronous nature. The attacker is present in the conversation, over voice, in a chat thread, or in a back-and-forth email exchange, adjusting their story in real time. Defenses need to extend to include user behavior signals, anomalous communication patterns, and the kind of contextual threat detection that goes beyond link and attachment scanning.
Shadow AI is now a mainstream insider data risk
This is a data point that should prompt an urgent conversation between security, IT, and the business. 45% of employees are now regular users of AI on corporate devices, up from 15% the year before. Of those, 67% are accessing AI platforms through non-corporate accounts, placing corporate data in systems outside any IT or security control boundary.
The consequence is showing up in DLP telemetry: Shadow AI is now the third most common non-malicious insider action detected in DLP datasets, representing a fourfold increase from the prior year. The most commonly submitted data type to external AI models is source code — by a significant margin. Structured data, images, and in 3.2% of DLP events, research and technical documentation are also being uploaded to unauthorized systems.
Source: Verizon DBIR 2026, p.13
This is not a speculative risk. It is a measurable, growing exposure that most organizations are currently blind to.
What good defense looks like in 2026
The DBIR's message is not that the threat landscape has changed beyond recognition; it is that well-known problems are scaling faster, and the humans at the center of the attack chain are being targeted through more channels with more convincing techniques.
The practical response is layered. It means email threat detection that keeps pace with AI-assisted lure construction. It means extending phishing and social engineering awareness beyond the inbox. It means behavioral signals that can detect account compromise or anomalous access before credentials are the only indicators. And it means visibility into what data is moving to AI platforms, whether that movement is sanctioned or not.
Mimecast’s integrated platform has concrete answers to many of these persistent problems. Email & Collaboration Threat Protection uses the Mihra AI platform, processing more than 18 billion security events per day, to detect phishing, BEC, and malware-bearing messages as the tactics behind them evolve. Account Takeover Protection surfaces the behavioral indicators of compromised accounts that credential-only controls miss. Security Behavior Management addresses the human element the DBIR consistently identifies as the dominant variable, building measurable changes in employee behavior rather than checkbox completion. And Incydr’s Insider Risk Management and Data Protection, together with governance and control over AI agents, provide the data visibility the DBIR's shadow AI findings make increasingly urgent.
The 2026 DBIR is a reminder that the fundamentals are not broken; they are just being tested at scale, with AI assistance, across a broader attack surface. The organizations best positioned to respond are the ones treating humans, data, and AI as a single, connected risk surface rather than three separate problems.
Explore how Mimecast secures humans, data, and AI — book a demo or read the full 2026 Verizon DBIR at verizon.com.
Sources:
- Verizon 2026 Data Breach Investigations Report (May 2026): verizon.com/business/resources/reports/dbir/