Jun 03, 2026

Critical Takeaways from the 2026 Verizon DBIR: Mobile is the Most Vulnerable Attack Surface

The 2026 Verizon Data Breach Investigations Report analyzed more than 31,000 security incidents across 145 countries, drawing on data contributed by nearly 100 organizations including incident response firms, law enforcement agencies, and cyber insurance brokers.

The data makes one thing clear: mobile is quickly becoming the most targeted and least defended attack surface in the enterprise today. It spans employee devices, internally built applications, third-party work apps, and the personal apps installed alongside them. Mobile is where social engineering succeeds most, where phishing lands most effectively, and where employee behavior is least visible to security teams. Yet most security programs still treat it as an afterthought.

Here are the key findings that matter most for security leaders right now.

The Attack Surface Has Shifted

  • Mobile-centric phishing succeeds at a rate 40% higher than email.

When attackers use SMS text messages (smishing) or voice calls (vishing) instead of email, they get results: a 40% higher success rate, on the channel most organizations have the least visibility into.

  • Large enterprises face a median of 48 smishing campaigns per year.

That's almost one mobile phishing campaign every week. And that number only counts attacks detected on managed devices. Unmanaged and personal devices are invisible to most security teams.

  • 41% of social engineering breaches use non-email vectors.

Email is no longer the only channel for successful social engineering attacks. More than four times in ten, attackers reach employees through voice, text, social media, or direct contact. Your email gateway isn't defending the attack surface where you're actually getting breached.

AI Is Both a Weapon and an Insider Risk

  • Threat actors use generative AI across a median of 15 attack techniques (some leveraging 40 to 50).

Attackers are AI-native. They're using it for targeting, initial access, vulnerability research, and malware development. The sophistication, speed and scale of attacks continue to accelerate because of it.

  • 67% of employees access AI through personal accounts on corporate devices.

Shadow AI isn't a fringe behavior anymore. Two-thirds of your workforce is sending data into unauthorized AI apps using personal accounts, including via mobile devices. Traditional DLP and MDM controls have limited visibility into this activity, making enforcement and monitoring more difficult.

  • The most sensitive data being sent to unauthorized AI is source code, followed by images and structured data.

Alongside source code, those uploads include technical documentation and proprietary information. Organizations have no visibility into what is being shared or where it is going. Intellectual property exposure has become the defining insider risk of 2026.

Third-Party Risk Is Exploding

  • Third-party breaches are up 60% year over year, and now represent 48% of all breaches.

Nearly 50% of all breaches now involve a vendor, partner, or supplier. As organizations increase their reliance on external services, systems, and software, their attack surface expands. But most third-party risk programs still don't account for the full scope of that exposure.

Mobile makes this a two-sided problem. On one side, employees use third-party work apps that access enterprise data and systems every day. Most organizations have no visibility into what those apps are doing on the device, what data they are touching, or where they may be sending it. On the other side, organizations ship customer-facing mobile apps in which 60% of the underlying third-party code is closed source. That code cannot be inspected for malicious runtime behaviors. Third-party risk in mobile is not a single exposure. It is baked into every app on every device.

Vulnerabilities Are the New Entry Point

  • Exploitation of vulnerabilities is now the #1 initial access vector at 31% (up 55% year over year).

Attackers aren't hunting for zero-days. They're using known vulnerabilities. Exploitation jumped from 20% to 31% as the primary way attackers break in. Mobile is uniquely exposed to this threat: 70% of the code inside mobile apps comes from third-party libraries that developers may never fully audit. At the device level, both Android and iOS carry their own OS and hardware CVEs every year. Patches in both cases take weeks to become available, and end users then take months to apply them. Zimperium's 2025 Global Mobile Threat Report found that 50% of enterprise mobile devices run outdated OS versions and 1 in 4 can't be upgraded at all.

Ransomware Remains the Disruptor

  • Ransomware accounts for 48% of all breaches.

Ransomware is now the dominant breach type. It's disruptive, costly, and shows no signs of slowing. However, 69% of ransomware victims didn't pay the ransom, and median payment amounts are declining. Organizations are learning to refuse. But the disruption cost to the enterprise is very real.

The real question that often goes unanswered is: how did attackers gain access to well-protected enterprise networks in order to deploy ransomware? Verizon's 2025 DBIR is clear: credential abuse remains the dominant initial access vector for ransomware. We believe it is no coincidence that ransomware is rising while mobile remains unprotected. Mobile attacks have continued to concentrate on credential theft. Extracting credentials from a mobile device is highly effective because the large majority of multifactor authentication takes place on mobile. Compromising a single device rewards the attacker with the user ID, the password, and the MFA token. Those valid stolen credentials grant enterprise network access, letting the attacker deploy ransomware in complete stealth.

What This Means for Security Leaders in 2026

The threat landscape has fundamentally shifted. Attackers are increasingly adopting a mobile-first attack strategy. They are faster, using known exploits at scale, targeting the mobile channel where defenses are thinnest, and leveraging AI across their entire attack chain.

AI has changed the economics of attacking at scale. What once required a sophisticated, well-resourced threat actor can now be executed at scale by almost anyone with access to a large language model. AI is accelerating targeting, automating reconnaissance, generating more convincing phishing, and producing malware faster than human teams can analyze it.

Security teams cannot keep up with that volume manually. Analysts are already overwhelmed. Adding more alerts to a human-dependent process is not a solution. The only viable response to AI-driven attacks at scale is AI-powered defense. You cannot out-analyst a machine. You need a machine to beat a machine.

The 2026 DBIR is a clear signal that the rules have changed. Attacks are faster, more automated, and increasingly mobile-first. The organizations that will weather this are the ones that stop treating mobile as an afterthought, stop assuming human analysts can out-pace machine-driven attacks, and start building AI-powered defenses that match the speed and scale of the threat.