Smishing Simulations
Test how your employees respond to SMS phishing, the channel with no email gateway in front of it. Send realistic but harmless text lures, measure who taps and who reports, and route the rest into targeted training.
How smishing simulations work
Four steps from setup to measured behavior, on the same platform as your email program.
Configure
Pick the SMS channel, choose an approved smishing template, set a send time, and select recipients. Only employees with a phone number on file can be targeted.
Deliver
Messages are sent from a platform origination number, gated to each recipient's business hours in their own timezone, and spread across a window to avoid burst patterns and carrier rate limits.
Track
Every link tap and REPORT reply is recorded against a signed, time-limited token, so each interaction is tied back to the specific recipient and dispatch.
Remediate
Recipients who tap the lure are auto-enrolled in a learning path that drills the exact pattern they fell for, with deadlines and manager visibility.
SMS templates with built-in red flags
A library of approved smishing templates modeled on the lures attackers actually send, each annotated with the cues employees should learn to spot.
Real-world lure patterns
Package-delivery, account-suspended, password-expiry, and unsolicited-MFA-code templates mirror the highest-volume smishing campaigns, including the toll and delivery lures behind 2024 FBI complaints.
Liquid personalization
Templates merge recipient and company details so the text reads like a targeted message rather than a generic blast, matching how modern smishing kits operate.
Tagged red flags
Each template marks the teaching cues (suspicious sender, pressure in the content, masked link) so the post-tap lesson points to exactly what gave the attack away.
Opt-out and compliance built in
SMS carries rules that email does not. The platform handles them so your program stays defensible.
STOP and REPORT handling
Recipients who reply STOP are added to a per-tenant and a platform-wide opt-out registry and never texted again. A REPORT reply is recorded as the correct, secure response.
Business-hours delivery
Texts are held until working hours in each recipient's timezone, so a simulation never lands at 3 a.m. or reads as harassment.
Phone-number gating
Only employees with a phone number on file are eligible, and the audience picker shows exactly who is in and who is excluded before launch.
GDPR and works councils
Jurisdiction settings and aggregate-only reporting support GDPR Article 88 and works-council requirements for monitoring employee behavior.
SMS funnel analytics
See the whole journey of a text campaign and turn it into a baseline you can track campaign over campaign.
One funnel for every campaign
Track dispatched, clicked, and reported alongside email metrics in a single behavior funnel, broken down by team so you can see which groups need attention.
Report rate as the headline
Report rate sits alongside click rate and fail rate, because the share of recipients who flag a text is the metric that tracks with real resilience.
Export for evidence
Pull CSV and PDF reports for audit evidence and board reporting, with the same shape as your email simulation results.
Frequently Asked Questions
What is a smishing simulation?
A smishing simulation is a controlled test where an organization sends realistic but harmless SMS phishing messages to its own employees, then measures who taps the link and who reports it.
It is the SMS counterpart to a phishing simulation. Because texts reach a channel with no secure email gateway, smishing often catches people who would spot the same trick in their inbox, which is why testing the channel directly matters. The US FTC recorded $470 million in text-scam losses in 2024.
How are the text messages delivered?
Messages are sent from a platform-owned origination number and delivered through a transactional SMS provider. Delivery is gated to each recipient's business hours in their own timezone and spread across a send window to avoid burst patterns and carrier rate limits.
Only employees with a phone number on file can be selected as recipients, and the audience picker shows who is eligible before you launch.
How does opt-out work?
Standard SMS opt-out is built in. A recipient who replies STOP is added to a per-tenant and a platform-wide opt-out registry and is never messaged again, on any campaign. A recipient who replies REPORT is recorded as having taken the correct, secure action.
This keeps your program compliant with carrier rules and respectful of employees who do not want simulated texts.
What is the difference between a phishing and a smishing simulation?
A phishing simulation tests email; a smishing simulation tests SMS. Both run on the same platform with the same scheduling, targeting, and automated remediation.
The channels differ in ways that matter: SMS has no gateway to scan links, delivery is gated to business hours, opt-out follows carrier STOP rules, and only employees with a phone number can be targeted. To see how the underlying attack works, read the smishing threat guide.
Do you support voice (vishing) simulations?
Voice-call (vishing) simulations are in development. Email and SMS (smishing) campaigns are available today.
In the meantime, see how voice phishing works and train the call-back-and-verify reflex with the immersive vishing exercise. Voice delivery will join the simulation platform when the channel ships.
Is smishing simulation legal in the EU?
Yes, when run correctly. Testing your own employees with simulated messages is lawful, but GDPR Article 88 and works-council agreements govern how you monitor staff. The platform supports this with jurisdiction settings, aggregate-only reporting, and standard opt-out handling.
As with any monitoring program, confirm your works-council and privacy obligations before launch in regulated jurisdictions.
See RansomLeak in Action
Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.