Threat Intelligence

SMS Phishing Simulation: How to Test Your Organization Against Smishing

PhishIQ Team · April 4, 2026 · 6 min read

SMS phishing, or smishing, has become the fastest-growing attack vector in 2026. While email phishing click rates average 3 to 8 percent across industries, SMS phishing achieves click rates of 35 to 45 percent in simulated and real-world campaigns. The disparity exists because employees have been trained to scrutinize emails for years but apply almost no critical thinking to text messages. Mobile devices provide less URL visibility than desktop browsers, messages feel more personal and urgent, and corporate security controls on personal mobile devices are typically minimal. Despite these alarming statistics, fewer than 15 percent of organizations include SMS in their phishing simulation programs.

Why Is Smishing So Effective?

Several factors combine to make SMS phishing dramatically more effective than email phishing. SMS messages have a 98 percent open rate compared to roughly 20 percent for email, ensuring that nearly every phishing text is seen. Mobile interfaces display truncated URLs that hide malicious domains, making it harder to spot suspicious links. Text messages feel intimate and immediate, triggering faster, less deliberate responses. There is no equivalent of an email security gateway for personal SMS messages, so no technical control prevents delivery. Most critically, employees have not been trained to treat text messages with the same suspicion as emails. The security awareness training industry has spent a decade conditioning people to scrutinize emails while largely ignoring the mobile channel.

How Do Real Smishing Attacks Target Organizations?

The most common organizational smishing attacks include fake IT notifications such as “Your corporate account has been locked. Verify your identity at [link]”, pretexts involving urgent HR actions like benefits enrollment deadlines or payroll verification, package delivery notifications timed to coincide with corporate procurement cycles, and MFA fatigue follow-ups where the attacker triggers an MFA push and then sends a text saying “IT Support: We noticed an issue with your MFA. Please approve the prompt or verify at [link].” These attacks exploit the same psychological triggers as email phishing, namely urgency, authority, and fear, but achieve far higher success rates because of the channel's inherent trust advantage.

How Do You Build an SMS Phishing Simulation Program?

Building an SMS simulation program requires navigating several considerations that do not apply to email-based testing. First, obtain explicit consent and legal review: sending text messages to personal mobile numbers has different legal implications than sending emails to corporate addresses, particularly in jurisdictions with opt-in requirements for commercial messaging. Work with legal counsel to ensure your simulation program complies with TCPA (in the US), GDPR Article 6 (in the EU), and relevant local regulations. Second, use your phishing simulation platform's SMS capabilities if available, or partner with a platform that supports multi-channel campaigns. Third, design scenarios that mirror real smishing attacks: IT notifications, HR deadlines, and delivery alerts are the most effective pretexts. Track click rates on mobile separately from email metrics to establish a baseline and measure improvement over time.
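One way to track the SMS channel separately and tell real improvement from campaign-to-campaign noise is shown below. It is an added example, not part of the original article or any platform's code. The campaign figures are constructed sample data, and the function names and the "intervals must not overlap" rule are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample data: (campaign, channel, recipients, clicks).
# Illustrative numbers only, not measurements from a real program.
CAMPAIGNS = [
    ("2026-01", "email", 400, 24),
    ("2026-01", "sms",   400, 168),
    ("2026-04", "email", 400, 20),
    ("2026-04", "sms",   400, 112),
    ("2026-07", "email", 400, 18),
    ("2026-07", "sms",   400, 72),
]

def wilson_interval(clicks, n, z=1.96):
    """95% Wilson score interval for a click rate of clicks/n."""
    if n == 0:
        return (0.0, 0.0)
    p = clicks / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def channel_trends(campaigns):
    """Per channel: [(campaign, rate, ci_low, ci_high, below_baseline), ...]."""
    by_channel = defaultdict(list)
    for campaign, channel, n, clicks in sorted(campaigns):
        by_channel[channel].append((campaign, n, clicks))
    report = {}
    for channel, rows in by_channel.items():
        # The earliest campaign on each channel is that channel's baseline.
        _, base_n, base_clicks = rows[0]
        base_low, _ = wilson_interval(base_clicks, base_n)
        out = []
        for campaign, n, clicks in rows:
            low, high = wilson_interval(clicks, n)
            # Assumed rule: improvement counts only when this campaign's
            # interval sits entirely below the baseline interval.
            out.append((campaign, clicks / n, low, high, high < base_low))
        report[channel] = out
    return report

if __name__ == "__main__":
    for channel, rows in channel_trends(CAMPAIGNS).items():
        for campaign, rate, low, high, below in rows:
            note = "below baseline" if below else ""
            print(f"{channel:5} {campaign} {rate:6.1%} [{low:.1%}, {high:.1%}] {note}")
```

With the sample data, the SMS drop clears the baseline interval while the smaller email changes do not, which is why the two channels are reported on separate baselines.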

What Results Should You Expect?

First-campaign SMS simulation click rates typically range from 35 to 50 percent for organizations that have never tested this channel, declining to 15 to 20 percent after 6 months of regular testing and targeted training. Even mature programs rarely achieve SMS click rates below 10 percent because the mobile channel's inherent trust advantage and limited URL visibility create a floor that is significantly higher than email. When presenting results to leadership, frame SMS click rates in the context of the growing smishing threat landscape rather than comparing directly to email metrics. The goal is to reduce the gap between channels while building employee awareness that phishing is a multi-channel threat. For guidance on adding other channels to your simulation program, see our guides on QR code phishing simulation and voice phishing simulation.
