Mobile Phishing Has Overtaken Email, And Workers Need To Catch Up
For years, cybersecurity training has taught workers to beware the suspicious email. Do not click the strange link. Do not download the unexpected attachment. Do not trust the message with spelling mistakes, urgency and a vaguely familiar logo.
That advice still matters, but it is no longer enough.
According to Verizon’s 2026 Data Breach Investigations Report, mobile attack vectors are now outpacing traditional email threats. The report draws on more than 31,000 real-world security incidents in 2025, including 22,000 confirmed data breaches across 145 countries, and its message is blunt: mobile is more dangerous than email.
That should worry every business, every employee and every person who conducts their life through a smartphone.
The shift makes sense. Most organisations have spent years improving email security. Spam filters are better. Staff are more suspicious of dodgy links. Businesses have invested in phishing simulations, warning banners and anti-phishing tools.
So cybercriminals have moved to where people are less guarded: their phones.
Text messages, voice calls, fake alerts, messaging apps and callback scams now offer attackers a more direct path to victims. Verizon’s research found that phone-based phishing had a click-through rate around 40 per cent higher than traditional email phishing. Simulated email phishing campaigns recorded average click-through rates of 1.4 per cent, compared to around 2 per cent for phone-based phishing.
That may sound small, but at scale it is enormous. For a large organisation, a tiny increase in success rates can mean hundreds or thousands of additional opportunities for attackers to get inside.
The real danger is not just the device. It is the psychology.
Verizon found the human element was present in 62 per cent of known and recorded data breaches. Attackers understand that people are busy, trusting, distracted and often trying to be helpful. They also understand that a phone feels more personal than an email inbox.
This is why “pretexting” is becoming such a powerful tactic. Rather than sending a generic phishing message and hoping someone bites, criminals build a story. They impersonate executives, vendors, colleagues, help desk workers or distressed loved ones. They create urgency. They build trust. Then they ask the victim to reset a password, approve a payment, change invoice details or hand over sensitive information.
It is phishing with patience.
For businesses, this presents a major problem. Many security systems are designed around email, networks and company-managed devices. But mobile attacks can happen outside those defences, especially when employees use personal phones for work. A criminal does not need to beat every technical control if they can simply convince an employee to help them.
The report also shows how quickly the broader threat landscape is changing. Nearly a third of breaches now begin with the exploitation of vulnerabilities, making it the leading initial entry point ahead of stolen credentials. Verizon suggests AI is helping criminals exploit security flaws faster, shrinking the window for defence from months to mere hours.
At the same time, patching is going backwards. Only 26 per cent of critical vulnerabilities recorded by CISA were fully patched and resolved in 2025, down from 38 per cent in 2024.
Then there is the rise of shadow AI. Verizon found 67 per cent of employees are using non-corporate AI accounts on company-issued devices, often feeding sensitive company information into tools that have not been approved. Source code, technical documents, research and confidential data are all being placed at risk, not always maliciously, but carelessly.
This is the uncomfortable truth of modern cybersecurity: the weakest point is often not the firewall. It is the gap between convenience and caution.
Cybercriminals are adapting quickly. Too many workplaces are not.
Annual phishing training is no longer enough, especially if it only teaches staff to look for suspicious emails. Employees need to understand text scams, vishing, callback attacks, fake support requests, impersonation tactics, payment redirection scams and AI-enabled manipulation. They need to know how to pause, verify and escalate when something feels wrong.
Just as importantly, individuals need to recognise that cybersecurity is now a career skill, not a niche technical specialty.
Whether you work in finance, healthcare, retail, entertainment, education or small business, your phone is now part of the threat surface. Your inbox is not the only door attackers are testing. Your habits, your trust and your response under pressure are all being targeted.
That makes cybersecurity training one of the smartest investments any worker can make.
The rise of mobile phishing should not make people feel helpless. It should make them sharper. The tools used by attackers may be changing, but the best defence still begins with informed, alert and well-trained people.
If mobile phishing is now outpacing email, then workers and businesses need to update their skills just as quickly as attackers are updating their tactics.
Now is the time to take cybersecurity seriously. Improve your digital awareness, strengthen your career prospects and learn how to identify the threats hiding in everyday messages, calls and apps by enrolling in Hack Academy’s online training programme.
