Threats · February 3, 2026

Why Text Message Phishing (Smishing) Is Exploding — and How to Test Your Team

SMS phishing bypasses email filters entirely. Delivery notifications, bank alerts, MFA bypass — here's what your employees are seeing on their phones.

Your email security gateway catches most phishing emails before they reach employee inboxes. That's great — but it's created a problem. Attackers have shifted to SMS, where there are no spam filters, no link previews, and no IT department scanning incoming messages.

Why SMS phishing works

Text messages have a 98% open rate. People read every text they receive, usually within minutes. There's no "mark as spam" button that learns over time. And on a phone screen, it's harder to inspect a link before tapping it.

Attackers know this. SMS phishing (smishing) attacks increased over 300% in the past two years, and the attacks are getting more sophisticated.

What these attacks look like

The most common smishing templates mirror everyday notifications:

  • Package delivery. "Your UPS package couldn't be delivered. Reschedule: [link]"
  • Bank alerts. "Unusual activity on your account. Verify now: [link]"
  • MFA bypass. "Your verification code is 847291. If you didn't request this, secure your account: [link]"
  • HR/Payroll. "Your direct deposit info needs updating before next pay period: [link]"
  • IT support. "Your company email password expires today. Reset here: [link]"

These work because they create urgency and mimic messages people actually receive. The attacker doesn't need to get past any security tools — the message goes straight to the employee's phone.

Why most training programs miss this

Most phishing training platforms only simulate email attacks. That leaves a massive blind spot. Your employees might be great at spotting a fake Microsoft login page in their email, but completely unprepared for a convincing text message.

How to test your team against SMS phishing

PhishPlease includes 16 SMS phishing templates at no extra cost. The process works the same as email simulations:

  1. Pick a template (delivery notification, bank alert, IT support, etc.).
  2. Select recipients (you'll need employee phone numbers).
  3. Set a schedule and send.
  4. Track who taps the link and who ignores it.

Employees who click get the same educational experience as email simulations — a training page explaining what they missed, with the option to enroll in deeper training.

Start with email, add SMS when ready

We recommend running 2-3 email campaigns first to establish a baseline and get your team used to the concept. Then introduce an SMS campaign. The click rates on first SMS campaigns are typically 15-25% higher than email, even for teams that have been through email training. That gap tells you exactly why you need to test across channels.
