Email vs SMS Phishing (Smishing): Why You Have to Test Both
Smishing now drives a large share of attacks and slips past email filters entirely. Here is how SMS phishing differs from email, and why testing email only leaves a blind spot.
Most security awareness programs test one channel: email. Attackers stopped limiting themselves years ago. If you are only simulating email phishing, you are measuring half of your real exposure.
What is smishing?
Smishing is phishing delivered by SMS text message instead of email. The playbook is the same (create urgency, impersonate someone trusted, get the target to click or reply), but the channel changes everything about how it lands.
The numbers are not small
SMS phishing has gone from a niche tactic to a primary one:
- Smishing accounts for roughly a third of all phishing activity, and the large majority of mobile phishing arrives by text.
- Volume has been growing 30 to 40 percent quarter over quarter in recent reporting.
- Click rates on SMS lures frequently land in the 20 to 36 percent range, meaningfully higher than the click rates seen in typical email simulations.
That last point is the kicker: the channel most teams never test is often the one people fall for most.
Why smishing works so well
- It skips your email filters. Your secure email gateway never sees a text message. The control you rely on most simply is not in the delivery path.
- Small screens hide the tells. Truncated URLs, no hover preview, and a stripped-down interface make a malicious link far harder to spot.
- Texts carry more implicit trust. People treat their phone as personal. A text feels more direct and more urgent than yet another email.
- Work and personal blur on mobile. A lure sent to a personal phone still reaches an employee with access to company systems.
Why email-only testing gives you a false sense of security
If your simulated click rate is a tidy 4 percent but you have never sent a single test text, that number is flattering you. It describes the channel your filters already defend and your people already expect scrutiny on. It says nothing about the channel that bypasses your filters and rides on personal trust.
A complete picture means testing both, then comparing. Many teams are shocked to find their SMS click rate is several times their email rate. For how those rates compare across sectors, see our click-rate benchmarks.
What a smishing lure looks like
Common, effective text pretexts include:
- A delivery notice: "Your package is held, confirm your address here."
- A fake MFA or login alert: "Was this you? Tap to verify."
- A boss impersonation: "Quick favor, are you free? Need you to handle something."
- A bank or payroll alert.
Notice how short and ordinary these are. There is no room for a long, suspicious story. That brevity is exactly what makes them effective.
How to test SMS safely
Running an SMS simulation responsibly takes a few guardrails:
- Verify ownership and get consent for the numbers you test, just as you would for a domain.
- Track the same funnel (delivered, clicked, submitted) with a unique link per recipient.
- Always show the reveal so a caught employee immediately learns what happened.
- Respect messaging rules. Legitimate SMS sending in the US runs through registered channels, which is part of why most awareness tools quietly skip it.
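One way to implement the consent check and per-recipient funnel tracking described above, as an added Python example that is not phis3d's code; the campaign name, recipient records and signing key are constructed placeholders, and delivery events are assumed to arrive with the same token the link carries:

```python
import hashlib, hmac
from collections import defaultdict
SIM_KEY = b"constructed-example-key"  # placeholder; load from a secret store in practice
STAGES = ("delivered", "clicked", "submitted")
def make_token(campaign_id: str, recipient_id: str) -> str:
    """Per-recipient link token; an HMAC so a click cannot be forged or guessed."""
    msg = f"{campaign_id}:{recipient_id}".encode()
    return hmac.new(SIM_KEY, msg, hashlib.sha256).hexdigest()[:16]
def build_links(campaign_id: str, recipients: list) -> dict:
    """Issue a link only where ownership is verified and consent is recorded."""
    return {make_token(campaign_id, r["id"]): r
            for r in recipients if r["verified"] and r["consented"]}
class Funnel:
    def __init__(self, links: dict):
        self.links = links                 # token -> recipient record
        self.events = defaultdict(set)     # stage -> set of recipient ids
    def record(self, token: str, stage: str) -> bool:
        """Record one event; unknown tokens or stages are rejected, repeats count once."""
        r = self.links.get(token)
        if r is None or stage not in STAGES:
            return False
        self.events[stage].add(r["id"])
        return True
    def rates(self) -> dict:
        """Click and submit rates per channel, relative to delivered messages."""
        counts = defaultdict(lambda: dict.fromkeys(STAGES, 0))
        for r in self.links.values():
            for s in STAGES:
                counts[r["channel"]][s] += r["id"] in self.events[s]
        return {ch: {s: c[s] / max(c["delivered"], 1) for s in STAGES[1:]}
                for ch, c in counts.items()}

def demo() -> dict:
    """Constructed sample campaign: two email and two SMS recipients, one unverified number."""
    camp = "q3-awareness"
    recipients = [
        {"id": "u1", "channel": "email", "verified": True, "consented": True},
        {"id": "u2", "channel": "email", "verified": True, "consented": True},
        {"id": "u3", "channel": "sms", "verified": True, "consented": True},
        {"id": "u4", "channel": "sms", "verified": True, "consented": True},
        {"id": "u5", "channel": "sms", "verified": False, "consented": True},  # gets no link
    ]
    f = Funnel(build_links(camp, recipients))
    for rid in ("u1", "u2", "u3", "u4"):
        f.record(make_token(camp, rid), "delivered")
    for rid, stage in (("u1", "clicked"), ("u3", "clicked"), ("u3", "clicked"),
                       ("u4", "clicked"), ("u3", "submitted")):
        f.record(make_token(camp, rid), stage)     # u3's second click is deduplicated
    return f.rates()  # -> {'email': {'clicked': 0.5, 'submitted': 0.0}, 'sms': {'clicked': 1.0, 'submitted': 0.5}}
```

The per-channel comparison is the number the page argues for: here the SMS click rate is twice the email rate on the same campaign.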
Test the channel attackers actually use
phis3d runs realistic simulations across both email and SMS, so you test how your team actually gets targeted, not just the half that is easy. Sign up and see your real exposure on both channels.