Cimento is headed to Black Hat USA — catch us in Vegas, Aug 1–6

Black Hat USA 2026 · Aug 1–6

Book a Meeting →

Book a Meeting →

Home / Topics / Smishing Simulation

Channel Brief

Smishing simulation.

Email has spam filters, banners, and a report button. A text message has none of those — and people answer texts within seconds.

Email has spam filters, banners, and a report button. A text message has none of those — and people answer texts within seconds.

Email has spam filters, banners, and a report button. A text message has none of those — and people answer texts within seconds.

Smishing — SMS phishing — moved from consumer scam to enterprise attack vector: fake IT alerts, executive “quick favor” texts, delivery notifications, MFA fatigue prompts. Most corporate security programs have never sent a single test text.

The Problem

The undefended inbox.

01

No security layer

Corporate email passes through gateways, banners, and filters. SMS arrives raw on a personal device, with URL previews and nothing else.

02

Trust by default

People treat texts as personal and urgent. The “new CEO number” pretext works because switching numbers is normal and checking is awkward.

03

No reporting path

Employees know where the phishing-report button is in Outlook. Almost nobody knows what to do with a suspicious text — so it never reaches the SOC.

Why Legacy Training Struggles

A mention in a module is not a measurement.

Legacy programs cover smishing in a training slide while the channel itself goes untested. Without delivery infrastructure for SMS, consent handling for personal devices, and scoring that joins text behavior to the rest of the risk model, the channel stays theoretical — until an incident makes it concrete.

What Modern Looks Like

Test the channel people actually answer.

Consented delivery

Simulations go to enrolled numbers under a policy employees have seen. BYOD concerns are handled with enrollment and scope controls.

Realistic pretexts

IT MFA alerts, exec quick-favor texts, payroll updates, delivery holds — rotated and role-adapted so each result reflects the employee’s judgment under a plausible pretext.

A reporting habit

Every simulation teaches the escape hatch: forward to the security number, verify on a known channel. Reporting rate on SMS becomes a tracked resilience metric.

Cimento's Approach

SMS in the same risk model.

Cimento runs smishing scenarios alongside email and voice, scores them into one role-based risk index, and coaches in the moment. Cross-channel sequences — a text that sets up an email — are simulated too, because that’s how real attacks work.

Policy-scoped SMS delivery to enrolled devices

Cross-channel sequences (text → call → email)

SMS reporting workflow wired to your SOC

Unified role-based scoring across all channels

FAQ

Can we simulate SMS on personal (BYOD) phones?

What should employees do with a suspicious text?

Is smishing really an enterprise problem?

Your program has never sent a text.

Change that in 14 days. The Human Risk Baseline includes consented SMS scenarios and shows how your org responds to the channel with no filter.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.