Smishing: Mobile-First Social Engineering Simulation

PTEF-Aligned: Profile → Tailor → Simulate → Evaluate → Evolve

Threat Narrative

SMS phishing bypasses email controls and exploits mobile trust. Attackers use urgent, plausible messages (delivery issues, account locks, payroll updates, "verify now") to drive taps on malicious links, credential entry, or direct replies—often outside corporate monitoring. Cyberorca simulates smishing only under written client authorization to measure human response, mobile reporting behavior, and the organization's readiness to contain account takeover and fraud attempts originating from mobile channels.

How Cyberorca Runs This Service

Governance applies across all phases.

1. Profile & Scope

Scope, Consent & Targeting Controls — Define approved recipient groups, timing windows, and "do-not-contact" rules. Recipient lists are client-approved. Establish opt-out and escalation paths.

2. Tailor Scenarios & Controls

Scenario Design (Mobile-Realistic, Non-Abusive) — Create short, realistic SMS scenarios aligned to business workflows, avoiding coercive or harmful content.

3. Simulate (Controlled Execution)

Controlled Delivery Execution — Deliver messages via approved sender method (client-provided long code/short code/alphanumeric sender where applicable) with rate limits and live monitoring.

4. Evaluate (Telemetry & Reporting)

Safe Telemetry & Reporting — Measure outcomes using minimal data: delivered, tapped, reported, repeat exposure. Avoid collecting sensitive content; reporting is aggregated by role/department where possible.

5. Evolve (Remediation & Hardening)

Remediation & Mobile Reporting Enablement — Provide mobile-specific micro-training. Repeat with progressive difficulty.

Metrics & Outcomes

  • Delivery Rate (deliverability by carrier segment where available)
  • Tap/Interaction Rate (by role/department and scenario type)
  • Report Rate (who reports and through which channel)
  • Repeat Exposure Rate (users who fail across multiple waves)
  • Mobile Reporting Adoption (growth of correct reporting behavior over cycles)

Note: Outcomes vary based on baseline posture, reporting UX, and program maturity.
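The metrics above, computed from minimal per-wave telemetry, as an added example that is not Cyberorca's own tooling. The event records, the `min_group` small-team suppression threshold and the field names are assumptions for illustration.

```python
from collections import defaultdict
FIELDS = ("rid", "dept", "wave", "delivered", "tapped", "reported")
# Constructed sample telemetry (not real engagement data): one record per
# recipient per wave, holding only a pseudonymous id, department, wave and
# three outcome flags. No phone numbers, message text or input are kept.
EVENTS = [dict(zip(FIELDS, r)) for r in [
    ("r1", "finance", 1, True, True, False),
    ("r2", "finance", 1, True, False, True),
    ("r3", "finance", 1, False, False, False),  # carrier did not deliver
    ("r4", "ops", 1, True, False, False),
    ("r5", "ops", 1, True, True, False),
    ("r1", "finance", 2, True, True, False),  # tapped in both waves
    ("r2", "finance", 2, True, False, True),
    ("r3", "finance", 2, True, False, True),
    ("r4", "ops", 2, True, False, True),
    ("r5", "ops", 2, True, False, True),
]]

def rate(num, den):
    return round(num / den, 3) if den else 0.0

def wave_metrics(events, wave, min_group=1):
    """Delivery, tap and report rates for one wave, per department. Departments
    with fewer than min_group recipients are folded into "other" (assumed rule)."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["wave"] == wave:
            counts[e["dept"]]["sent"] += 1
            for k in ("delivered", "tapped", "reported"):
                counts[e["dept"]][k] += e[k]
    merged = defaultdict(lambda: defaultdict(int))
    for dept, c in counts.items():
        key = dept if c["sent"] >= min_group else "other"
        for k, v in c.items():
            merged[key][k] += v
    return {d: {"delivery_rate": rate(c["delivered"], c["sent"]),
                "tap_rate": rate(c["tapped"], c["delivered"]),
                "report_rate": rate(c["reported"], c["delivered"])}
            for d, c in merged.items()}

def repeat_exposure(events):
    """Share of recipients seen in more than one wave who tapped in more than one."""
    seen, tapped = defaultdict(set), defaultdict(set)
    for e in events:
        seen[e["rid"]].add(e["wave"])
        if e["tapped"]:
            tapped[e["rid"]].add(e["wave"])
    multi = [r for r, w in seen.items() if len(w) > 1]
    return rate(sum(len(tapped[r]) > 1 for r in multi), len(multi))
```

Running `wave_metrics` per wave gives the report-rate trendline behind Mobile Reporting Adoption; the "other" bucket can itself fall below `min_group`, so check its size before publishing.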

Governance & Ethics

  • Written Authorization & Recipient Controls: client-approved lists only; defined windows; do-not-contact groups enforced
  • Telecom Compliance & Opt-Out: opt-out keyword supported and suppression lists maintained
  • No Harmful Payloads: no malware, no exploits, no real credential collection
  • Data Minimization & Retention: minimal telemetry; aggregated by default; defined retention; RBAC and audit trails

Engagement Model

  • Smishing Baseline Assessment (2–4 weeks): 1–2 waves + hotspot report + mobile reporting recommendations
  • Quarterly Mobile Resilience Program: quarterly simulations + trendline reporting + role-based mobile training
  • Multi-Channel Program: integrated with email/QR/vishing as a unified human attack surface program with executive scorecards