Home / Topics / Smishing Simulation
Channel Brief
Smishing simulation.
Smishing — SMS phishing — moved from consumer scam to enterprise attack vector: fake IT alerts, executive “quick favor” texts, delivery notifications, MFA fatigue prompts. Most corporate security programs have never sent a single test text.
The Problem
The undefended inbox.
01
No security layer
Corporate email passes through gateways, banners, and filters. SMS arrives raw on a personal device, with URL previews and nothing else.
02
Trust by default
People treat texts as personal and urgent. The “new CEO number” pretext works because switching numbers is normal and checking is awkward.
03
No reporting path
Employees know where the phishing-report button is in Outlook. Almost nobody knows what to do with a suspicious text — so it never reaches the SOC.
Why Legacy Training Struggles
A mention in a module is not a measurement.
Legacy programs cover smishing in a training slide while the channel itself goes untested. Without delivery infrastructure for SMS, consent handling for personal devices, and scoring that joins text behavior to the rest of the risk model, the channel stays theoretical — until an incident makes it concrete.
What Modern Looks Like
Test the channel people actually answer.
Consented delivery
Simulations go to enrolled numbers under a policy employees have seen. BYOD concerns are handled with enrollment and scope controls.
Realistic pretexts
IT MFA alerts, exec quick-favor texts, payroll updates, delivery holds — rotated and role-adapted so each result reflects the employee’s judgment under a plausible pretext.
A reporting habit
Every simulation teaches the escape hatch: forward to the security number, verify on a known channel. Reporting rate on SMS becomes a tracked resilience metric.
Cimento's Approach
SMS in the same risk model.
Cimento runs smishing scenarios alongside email and voice, scores them into one role-based risk index, and coaches in the moment. Cross-channel sequences — a text that sets up an email — are simulated too, because that’s how real attacks work.
Policy-scoped SMS delivery to enrolled devices
Cross-channel sequences (text → call → email)
SMS reporting workflow wired to your SOC
Unified role-based scoring across all channels
FAQ
Can we simulate SMS on personal (BYOD) phones?
What should employees do with a suspicious text?
Is smishing really an enterprise problem?
Your program has never sent a text.
Change that in 14 days. The Human Risk Baseline includes consented SMS scenarios and shows how your org responds to the channel with no filter.