Vishing and Smishing Simulation Training: Why Email Isn't the Only Attack Vector You Need to Test

2026-01-26 10 min read

Most phishing awareness programs focus almost exclusively on email. Meanwhile, voice and SMS-based social engineering attacks are growing rapidly—and employees are almost entirely untrained against them.

[Image: Employee receiving a vishing call and smishing text message on mobile phone]

Security awareness programs have historically been built around email. It is the dominant channel for phishing attacks, the one most amenable to technical controls, and the one that produces the cleanest behavioral data through simulation. That concentration made sense when email was the overwhelming majority of the social engineering threat landscape.

In 2026, that landscape has changed materially. Voice phishing—vishing—and SMS-based phishing—smishing—have grown from niche attack vectors into mainstream criminal tools, deployed at scale against organizations in every industry. The same AI capabilities that have made email phishing more sophisticated have lowered the barrier to convincing voice and SMS attacks. And the employees who face these attacks have received virtually no preparation for them, because the programs designed to protect them have not kept pace with how attackers have diversified.

This is not a minor gap. It is a systematic blind spot in most organizational security awareness programs, and attackers are exploiting it deliberately.


Understanding Vishing: How Voice Phishing Works

Vishing—voice phishing—is a social engineering attack conducted through phone calls or voice messages. The attacker either calls the target directly or leaves a voicemail designed to prompt a callback to an attacker-controlled number. In either case, the goal is to use voice communication to obtain credentials, personal information, financial authorizations, or access to systems and accounts.

Vishing attacks are effective for several reasons that are specific to voice communication as a channel.

Voice activates trust mechanisms that text does not. The human voice conveys authenticity, urgency, and social context in ways that written text cannot fully replicate. A caller who sounds authoritative, knowledgeable about the organization, and appropriately urgent triggers the same deference and compliance instincts that attackers exploit in other social engineering contexts—but more powerfully, because voice communication is more cognitively engaging than reading.

Caller ID can be easily spoofed. Technology that allows outbound calls to display any caller ID is readily available and inexpensive. An attacker can make a call appear to come from your organization's IT helpdesk, a known vendor, a bank, a government agency, or any other number the target would recognize and trust. In many cases, the attacker has already gathered target details from dark web credential exposure or public data breaches. The visual cue of a familiar number overcomes the initial skepticism that an unknown caller would trigger.

Verification is harder in real time on a call. When an employee receives an email that seems unusual, they have time to think, research, and consult. A voice call creates real-time social pressure that reduces deliberate, careful evaluation. The caller controls the pace of the interaction and can use urgency, authority, and rapport to prevent the target from taking the time to verify the call's legitimacy through an independent channel.

Common vishing attack scenarios include IT support impersonation (a caller claiming to be from the helpdesk asking to verify credentials or install remote access software), executive impersonation for financial fraud (a caller claiming to be the CFO or CEO requesting an urgent wire transfer or credential access—see CEO fraud and whaling prevention), bank fraud intervention impersonation (a caller claiming to be from the fraud department of the target's bank warning of a suspicious transaction and asking for account verification), and government agency impersonation (callers claiming to represent the IRS, Social Security Administration, or law enforcement to create compliance pressure).


Understanding Smishing: How SMS Phishing Works

Smishing—SMS phishing—uses text messages to deliver phishing content. The message typically includes a malicious link, a fraudulent phone number to call, or a request for information, and it is designed to appear to come from a trusted source: a bank, a delivery company, a government agency, a known colleague, or the target's own organization.

Smishing has grown rapidly as an attack vector for several reasons.

SMS has a dramatically higher open rate than email. Marketing statistics consistently show that text messages are opened at rates exceeding 90 percent, compared to email open rates typically in the 20 to 30 percent range. This engagement differential makes SMS an attractive channel for social engineering—the message is far more likely to be seen.

The mobile context reduces scrutiny. People read text messages in a different cognitive mode than email. The shorter format, the personal nature of the channel, and the typical on-the-go reading context all reduce the deliberate evaluation that employees might apply to email. A text message that arrives while commuting, during a meeting break, or while handling a child is processed less carefully than the same content in an email environment.

Mobile devices blur personal and professional boundaries. Many employees receive work-related communications on personal phones—two-factor authentication codes, urgent messages from managers, calendar notifications. A smishing attack that exploits this blending can reach employees through a channel they associate with trusted personal communication, reducing the baseline skepticism they might apply in a clearly professional context.

Common smishing scenarios include package delivery notifications with malicious tracking links, bank fraud alerts requesting immediate action, IT security alerts about compromised accounts, HR or payroll notifications with embedded links, and fake authentication requests designed to harvest MFA codes.


Why Training Programs That Cover Only Email Leave Critical Gaps

The behavioral skills that protect an employee from email phishing—careful examination of sender addresses, skepticism about urgency, verification through independent channels, awareness of link manipulation—are necessary but not sufficient for protection against vishing and smishing.

Voice and SMS attacks exploit different cognitive vulnerabilities, operate in different contexts, and require different defensive skills. An employee who has been thoroughly trained to recognize email phishing may be entirely unprepared when a persuasive caller claims to be from IT support and asks for their credentials. The training they received was designed for a channel and a cognitive context that does not apply to the attack they are facing.

This gap is not theoretical. Post-incident analysis of vishing attacks consistently finds that targeted employees were not unsophisticated or careless—they were simply operating outside the context for which they had received security training. The caller was convincing, the request seemed plausible in the moment, and nothing in their prior training experience had given them a framework for evaluating a phone-based social engineering attempt.

The same pattern holds for smishing. Employees who routinely apply appropriate skepticism to email consistently report that they did not apply the same skepticism to SMS, because they did not consciously associate the text message channel with the phishing threat category they had been trained to recognize.


What Multi-Channel Simulation Training Involves

Effective multi-channel simulation training extends the core simulation-and-training model from email to voice and SMS channels. The specific implementation differs across channels but follows the same behavioral conditioning logic.

Smishing simulation involves sending controlled, realistic fake text messages to employees' mobile phones—typically with advance organizational authorization and compliance review—and observing whether employees click the links, call the numbers, or report the messages. When employees click or call, they are directed to a brief educational experience that explains what indicators they missed and what a correct response looks like. When employees report the suspicious message, they receive positive acknowledgment.

Smishing simulation requires careful coordination with mobile device management (MDM) policies, legal review regarding consent and privacy, and clear communication to employees about how the program works—all of which are standard implementation considerations for mature simulation platforms. The logistical complexity is higher than email simulation, but the behavioral value of extending simulation to a channel that most employees have never been trained against is correspondingly high.

Vishing simulation is more operationally complex than either email or SMS simulation because it involves live or recorded phone calls to employees. Two primary formats are used in practice.

Recorded vishing scenarios deliver pre-recorded voice messages to employees—voicemails that mimic common vishing attack patterns—and observe whether employees call back to an attacker-controlled number, provide information if they do call back, or report the suspicious message to the security team. This format scales well and does not require human callers.

Live vishing simulations involve trained callers—either internal red team personnel or external simulation service providers—making real-time calls to employees under controlled conditions, following a script designed to test specific social engineering vulnerabilities. This format provides richer behavioral data and more realistic social pressure simulation but requires significantly more operational investment.

For most organizations beginning multi-channel simulation, recorded smishing and vishing scenarios provide the most accessible entry point with the highest behavioral value relative to implementation complexity.


Key Skills to Train for Voice and SMS Attack Defense

The defensive skills that protect against vishing and smishing are specific and learnable, but they differ enough from email phishing recognition skills that they need to be explicitly trained rather than assumed to transfer.

For vishing defense:

Verification through independent channels is the single most important skill. Any caller who requests credentials, asks for authorization of a financial transaction, asks for access to systems, or makes a request that deviates from normal workflow should be verified through a separate, independently confirmed contact method before the employee complies. This means hanging up the call—politely but firmly—and calling back on a number from official organizational records, not a number provided by the caller.

Caller ID is not proof of identity. Employees should understand explicitly that caller ID can be spoofed and that a familiar number on the display does not confirm that the caller is who they claim to be. This is a specific piece of knowledge that many employees lack and that would prevent a significant proportion of successful vishing attacks.

Urgency in a voice call is a red flag, not a reason to bypass verification. Callers who create time pressure ("your account will be locked in ten minutes if you do not verify now") are often exploiting exactly the urgency trigger that genuine security professionals learn to recognize as a social engineering signal.

It is acceptable to say no to a caller and verify independently. Employees often feel that refusing a caller's request or asking to call back is rude, incompetent, or aggressive. Explicit training that normalizes verification behavior—that it is the correct, professional response to any unusual request—addresses this social compliance barrier directly.

For smishing defense:

Do not click links in text messages. This is a simple behavioral rule that is surprisingly underemphasized in standard phishing training, because it is self-evident in an email context but less so in an SMS context. Employees should be explicitly trained to navigate directly to legitimate websites rather than clicking links in text messages, even when the messages appear to come from trusted sources.

Do not call numbers provided in unsolicited text messages. Numbers provided in smishing messages route to attacker-controlled call centers, not the organizations they appear to represent.

Report suspicious text messages through the same channels as suspicious emails. Many employees do not know whether reporting suspicious text messages is expected, who to report to, or how. Organizations should provide explicit, simple guidance on this and include SMS reporting in the same infrastructure used for email reporting.

Apply the same skepticism to text messages that you apply to email. The framing of this instruction matters: many employees mentally categorize text messages differently from email because they associate SMS with personal communication rather than professional risk. Explicitly connecting the SMS channel to the phishing threat category they already understand from email training is more effective than treating smishing as an entirely separate security topic.


Building Multi-Channel Simulation Into Your Existing Program

For organizations with established email phishing simulation programs, adding multi-channel simulation is an incremental expansion rather than a program overhaul. The behavioral measurement model, training delivery infrastructure, and reporting framework that support email simulation translate directly to voice and SMS channels.

The recommended approach for expanding to multi-channel simulation is sequential rather than simultaneous. Establish a mature email simulation program first, with a consistent cadence and measurable improvement in email phishing metrics. Then introduce smishing simulation as the second channel—it shares the most overlap with email simulation in terms of platform infrastructure and employee reporting behavior. Add vishing simulation as the third component once smishing simulation is running consistently.

This sequential approach avoids the cognitive and administrative overload of introducing three new behavioral training requirements simultaneously, and it allows you to establish baselines and improvement trajectories for each channel independently before combining them into an integrated multi-channel risk score.
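As an added illustration (not PhishSkill's code or data format), the following script scores a constructed multi-channel campaign the way the simulation model above describes: each delivered lure is followed by the employee clicking, calling back, disclosing information, or reporting it; per-channel failure and report rates are computed, an integrated risk score is summed across channels with assumed weights, and employees who reported the email lure but failed on SMS or voice are singled out, since that is exactly the email-only training gap the article describes.

```python
from collections import defaultdict
# Constructed sample log: (employee, channel, action). Actions: delivered,
# clicked (email/SMS link), called_back (voice), disclosed (gave info), reported.
EVENTS = [
    ("alice", "email", "delivered"), ("alice", "email", "reported"),
    ("alice", "sms", "delivered"), ("alice", "sms", "clicked"),
    ("alice", "voice", "delivered"), ("alice", "voice", "called_back"),
    ("alice", "voice", "disclosed"),
    ("bob", "email", "delivered"), ("bob", "email", "clicked"),
    ("bob", "sms", "delivered"), ("bob", "sms", "reported"),
    ("bob", "voice", "delivered"), ("bob", "voice", "reported"),
    ("carol", "email", "delivered"), ("carol", "sms", "delivered"),
    ("carol", "voice", "delivered"), ("carol", "voice", "called_back"),
]
FAIL_ACTIONS = {"clicked", "called_back", "disclosed"}
# Assumed weights: disclosing on a call costs most; reporting earns credit.
ACTION_WEIGHT = {"clicked": 1.0, "called_back": 1.0, "disclosed": 2.0, "reported": -0.5}

def outcomes(events):
    """Map (employee, channel) -> set of post-delivery actions."""
    out = defaultdict(set)
    for who, chan, action in events:
        if action != "delivered":
            out[(who, chan)].add(action)
    return out

def channel_rates(events):
    """Per channel: (failure rate, report rate) over delivered simulations."""
    acts = outcomes(events)
    sent, failed, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for who, chan, action in events:
        if action == "delivered":
            sent[chan] += 1
            failed[chan] += bool(acts[(who, chan)] & FAIL_ACTIONS)
            reported[chan] += "reported" in acts[(who, chan)]
    return {c: (failed[c] / sent[c], reported[c] / sent[c]) for c in sent}

def risk_scores(events):
    """Integrated per-employee score: weighted actions summed across channels."""
    score = defaultdict(float)
    for who, _chan, action in events:
        score[who] += ACTION_WEIGHT.get(action, 0.0)
    return {who: max(0.0, s) for who, s in score.items()}

def email_only_resilient(events):
    """Employees who reported the email lure but failed on SMS or voice."""
    acts = outcomes(events)
    return sorted(w for w in {e[0] for e in events}
                  if "reported" in acts[(w, "email")]
                  and any(acts[(w, c)] & FAIL_ACTIONS for c in ("sms", "voice")))
```

Tracking the per-channel rates separately before summing them into one score is what lets you establish the independent baselines described above; on this sample the voice channel fails twice as often as email even though the report rate is identical.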


The Threat Intelligence Case for Multi-Channel Training

Attackers do not restrict themselves to the channels that are most convenient for defenders to simulate. They use the channels that produce the best results for their specific objectives.

In 2026, vishing attacks targeting two-factor authentication bypass have become a primary tool for account compromise at organizations that have deployed MFA—precisely because MFA has made pure email phishing less effective for credential theft. Attackers call employees posing as IT support, convince them to share the authentication code displayed on their phone, and complete the account compromise before the employee realizes what has happened.

This attack pattern works because it exploits the gap between the authentication security organizations have deployed (MFA) and the social engineering training they have provided (email-focused). Employees who would not provide their password in response to an email request are providing their MFA code in response to a voice call—because they have been trained for one type of attack and not the other.

Effective multi-channel training closes this gap. Organizations that simulate vishing attacks designed to extract MFA codes, combine that simulation with specific training on caller verification and MFA security, and measure behavioral improvement over time are addressing the actual attack patterns their employees will face—not just the ones their training program was designed for.


PhishSkill supports email, smishing, and vishing simulation in a unified platform, giving security teams a complete multi-channel view of their organization's social engineering resilience. Because attackers don't limit themselves to one channel—your training program shouldn't either.

Related Reading

Are your remote employees particularly vulnerable? Learn how to protect them in Social Engineering Awareness Training for Remote Teams: Why Distance Changes the Risk or read our annual report on The State of Phishing in 2026.

To learn more about stopping unwanted calls and texts, visit the FCC: Consumer Guide to Robocalls and Texts.

New to this topic? Start with: What Is Phishing?
