Voice & SMS Phishing Simulations Reveal 40% Higher Click Rates – Keepnet Data Highlights Emerging Human Risk
What Happened – Keepnet, an extended Human Risk Management (xHRM) platform, supplied its voice‑ and SMS‑phishing simulation results to the 2026 Verizon Data Breach Investigations Report (DBIR). The DBIR notes a 40 % increase in median click rates for phone‑centric simulations (2 % vs. 1.4 % for email).
Why It Matters for TPRM –
- Attackers are shifting from email‑only lures to synchronous voice/SMS vectors, which traditional awareness programs often miss.
- Higher click rates indicate a larger, under‑measured attack surface that can lead to credential compromise, BEC, or ransomware initiation.
- Vendors that do not test or monitor voice/SMS phishing expose their clients to amplified human‑risk exposure.
Who Is Affected – Financial services, healthcare, technology SaaS, and any organization that relies on phone or SMS for business communications.
Recommended Actions –
- Incorporate voice and SMS phishing simulations into your third‑party risk assessment program.
- Update security awareness curricula to cover real‑time pre‑texting and AI‑generated voice cloning.
- Verify that vendors (especially MSPs, cloud hosts, and communication platforms) have measurable controls for phone‑centric social engineering.
Technical Notes – The DBIR data shows a median click rate of 2 % for voice/SMS simulations versus 1.4 % for email. The rise is driven by cheap AI voice cloning, corporate‑level voice‑phishing (e.g., MGM Resorts 2023 breach), and automated pre‑texting scripts. No specific CVEs are involved; the threat vector is social engineering via telephony and text channels. Source: Help Net Security