This article explains how to schedule a Smishing simulation campaign in SMARTFENSE, detailing each available configuration field and the indicators the campaign collects.
What is a Smishing simulation campaign?
Smishing simulation campaigns consist of SMS messages that aim to deceive the user into revealing confidential information. These SMS messages include links that redirect to a page with a form that attempts to capture that information.
They allow you to measure the real behavior of users against a controlled mobile messaging attack and, if unsafe behavior is detected, trigger a Teachable Moment to raise the user's awareness at the right time.
Create the campaign
- From the main menu, go to Campaigns > Calendar.
- Click the New campaign button.
- Select Smishing.
Campaign configuration
Essentially, Smishing simulation campaigns require the following data to be scheduled:
- Groups
- Scenario
- Start date
- Expiration date
SMARTFENSE automatically detects the time zone of the administrator's device when scheduling. The dates and times you configure will be defined in the time zone of the device from which you are creating the campaign.
Groups
By default, SMARTFENSE allows you to select Groups as recipients of a campaign. The other options can be displayed by clicking the More options button at the bottom of the screen.
The platform requires you to select at least one recipient to schedule a campaign.
Scenario
Defines the theme of the Smishing simulation campaign. It is possible to select more than one scenario.
If you choose more than one scenario, when the campaign is sent each user will receive a specific scenario randomly selected from the chosen set. This means that, although several scenarios are selected, each user will participate in only one. It is not possible to send multiple scenarios to the same user in a single campaign.
Start date
Date on which the campaign begins sending simulation SMS messages and collecting interaction statistics.
Starting from the Start date, you will only be able to modify the Expiration date of the campaign while it is in progress. This action can be performed from the Calendar or Campaigns list. To do so, locate the campaign you want to edit and go to View campaign details > Information and actions.
Expiration date
Date on which the campaign stops collecting statistics.
The maximum duration of a Smishing simulation campaign is 4 days. This allows simulating attacks more aligned with reality and obtaining results similar to those of campaigns carried out by cybercriminals.
More options
The following fields are displayed by clicking the More options button at the bottom of the screen.
Mode
Defines how users are assigned to the campaign. There are two options:
- One-time initial assignment with specific expiration date: all recipient users are assigned when the Start date arrives. Changes made to the groupings after that date are not considered.
- Recurring assignment with relative duration: the campaign periodically checks which users meet the recipient conditions and assigns them automatically. Each user's expiration date is calculated based on the defined Duration in days, starting from the moment they are assigned.
User management in Recurring assignment with relative duration campaigns:
- Users added to a recipient grouping after the start date are assigned automatically, though not immediately: assignment happens on the day after the edit, at the same time of day as the start date.
- Users removed from the grouping after being assigned remain assigned to the campaign.
Phone number
To send the Smishing messages, the phone number configured in the user's profile is used. Make sure the number is saved in the correct format, including the country code.
By default, it is recommended that the country code be added without a + sign or leading double zeros. For example, a valid recipient could be the number 34541498675, where:
- 34 is the country code.
- 54 is the area code.
- 1498675 is the phone number.
If there are delivery issues, you can try the following variants:
- Replace the country code with +34.
- Replace the country code with 0034.
- Add a period after the country code: +34.541498675.
User import
Import processes allow you to load the user's phone number.
- For imports via CSV file or API, the phone is just another field that must be completed in the correct format.
- For import from Microsoft Entra ID, the phone is obtained from the mobilePhone field. If it is null, the first available number in the businessPhones list is used.
- For import from Google, the list of phones in the phones field is used. If one is marked as primary, that one is used; otherwise, the first one in the list is used.
If the end user or the administrator manually set a phone, it is not overwritten with the import data. The user can set a phone from their profile, or an administrator can modify it from the Users table.
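The phone selection rules above, combined with the recommended number format from the Phone number section, can be checked against a directory export before importing. The following Python sketch is an added example, not SMARTFENSE code: the function names, the 8-digit minimum length and the sample records are assumptions of this example, while mobilePhone, businessPhones and phones are the directory fields named above.

```python
import re

def normalize_phone(raw):
    """Digits only, country code first, no '+' or leading '00'; None if unusable."""
    if not raw:
        return None
    s = re.sub(r"[\s.\-()]", "", raw)          # drop common separators
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    # Country codes never start with 0, so a leading 0 means a national-format
    # number with no country code. 15 digits is the E.164 maximum; the minimum
    # of 8 is an assumption of this example.
    if not s.isdigit() or s.startswith("0") or not 8 <= len(s) <= 15:
        return None
    return s

def entra_phone(user):
    """mobilePhone, or the first businessPhones entry when it is null."""
    if user.get("mobilePhone"):
        return user["mobilePhone"]
    return next((p for p in user.get("businessPhones") or [] if p), None)

def google_phone(user):
    """The phone marked primary, otherwise the first one in the list."""
    phones = user.get("phones") or []
    primary = [p for p in phones if p.get("primary")]
    chosen = (primary or phones or [None])[0]
    return chosen.get("value") if chosen else None

def phone_after_import(manual_phone, source, record):
    """A manually set phone is never overwritten by import data."""
    if manual_phone:
        return normalize_phone(manual_phone)
    picker = {"entra": entra_phone, "google": google_phone}[source]
    return normalize_phone(picker(record))

# Constructed sample records (not real users).
ENTRA_USER = {"mobilePhone": None, "businessPhones": ["+34 541 498 675"]}
GOOGLE_USER = {"phones": [{"value": "0034541498600", "type": "work"},
                          {"value": "+34.541498675", "type": "mobile", "primary": True}]}
LOCAL_ONLY = {"mobilePhone": "0541498675", "businessPhones": []}

if __name__ == "__main__":
    for src, rec in (("entra", ENTRA_USER), ("google", GOOGLE_USER), ("entra", LOCAL_ONLY)):
        print(src, phone_after_import(None, src, rec))
```

A result of None marks a user whose number would need correcting in the profile before the campaign is scheduled, for example a number stored without its country code.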
Recipients
In this section different types of groupings can be selected as campaign recipients: Groups, Functional areas, Hierarchical levels, Smart groups, and Individual users.
You can combine the selected groupings in two ways:
- Assign users who belong to at least one grouping of each type.
- Assign users who belong to any of the selected groupings.
Users must belong to at least one grouping of each type
Users who meet each of the following points will be assigned to the campaign:
- Belong to at least one of the selected Groups.
- Also belong to at least one of the selected Functional areas.
- Additionally belong to at least one of the selected Hierarchical levels.
- And finally belong to at least one of the selected Smart groups.
Users must belong to any of the selected groupings
Users who meet any of the following points will be assigned to the campaign:
- Belong to at least one of the selected Groups.
- Or belong to at least one of the selected Functional areas.
- Or belong to at least one of the selected Hierarchical levels.
- Or belong to at least one of the selected Smart groups.
Scheduling
In addition to choosing the start and expiration date, Smishing simulation campaigns allow you to select the send type:
- Normal sending: SMS messages are sent to all recipient users when the campaign's start date and time arrives.
- Random sending: SMS messages are sent at different times of the day to each user. Sending is performed in the first half of the range between the start date and the expiration date, between 09:00 and 18:00 hours.
Assigned users will receive the SMS during the sending days. The campaign remains active and collecting statistics until the day selected as the expiration date.
Random sending cannot be used to make each user receive a random scenario. Randomness refers only to the day and time of sending.
Campaign details
- Name: identifies the campaign within the platform.
- Description: displayed on the calendar when hovering over the campaign.
- Test campaign: if you enable this option, the campaign runs without affecting reports or generating records in the user or campaign audit.
Derived actions
Allows you to add a Teachable Moment to the Smishing simulation campaign. Teachable Moments are used to raise user awareness at the moment they perform an unsafe behavior within the simulation.
To configure it you must define:
- Topic of the Teachable Moment.
- User action that triggers its sending:
  - Click on the Smishing link received by SMS.
  - Enter data on the Smishing page.
- Delivery mode:
  - Instantly when the action occurs in the web browser.
  - Instantly when the action occurs in the web browser and also send it by email at the same time.
  - Select a date after the campaign expiration to send all corresponding Teachable Moments by email.
The Teachable Moment will have a final validation question and feedback after the user's response. Both have components editable from Settings > Simulations > Teachable moments.
Advanced
Sample sending
If you enable this option, the simulation SMS is sent only to a sample of the total recipients. You must enter the sample size as a percentage. The included users are randomly chosen from the total recipients.
Smishing URL
Defines the URL used in Smishing simulation SMS messages.
- Use SMARTFENSE URLs (default option): the link is built with the platform's subdomain and a domain randomly selected from a list of SMARTFENSE domains intended to host simulated Smishing traps.
- Use custom URL: allows you to select a custom Hostname, managed in Settings > Organization > Hostnames, and explicitly choose a domain from the list of available domains.
If you select the Random domain option, the platform will randomly choose a domain for all the campaign's links. This domain will be the same for all recipient users. If you want to use a custom domain, contact technical support from the Help Center.
Password entry
Defines the behavior of the login form on the simulation's landing page.
- Allow the user to enter their password (default option): only whether or not data was entered in the form is recorded. The entered data is not stored, analyzed, or manipulated at any time.
- Prevent the user from entering their password: the password field is disabled. The user can only enter a single character in the username field. When they do, the form is automatically submitted and the Data entered statistic is recorded.
On the landing page, the fields referring to the username and password must have the attributes name="user" and name="password" respectively, so that the platform correctly captures the user's action.
Send me a test
Before scheduling the campaign, you can receive a test on your configured number by clicking the Send me a test button. The test takes the following configured parameters into account:
- Scenario: the test is sent with the configured scenario.
- Password entry: the form allows or prevents password entry as configured.
- Teachable Moment: the defined configuration will be applied.
Other parameters such as Smishing URL have no effect on the Send me a test button. Their effect can only be seen in a scheduled campaign.
Available SMS shots
To use the Smishing functionality you must have SMS shots available. Each SMS sent consumes one shot.
You can check the number of available shots in:
- The informational note that appears when selecting Recipients, which shows how many users the campaign will reach and how many SMS shots remain available.
- Dashboard > General, in the Contracting information box, next to the contract end date and the contracted components.
Indicators collected by the campaign
Once started, the campaign records the following indicators:
- Sent: the SMS was sent to the user.
- Delivered: the SMS was delivered to the user.
- Link click: the user clicked on a link inside the Smishing simulation SMS.
- Data entered: the user entered data into the form on the Smishing simulation landing page.
- Teachable moments sent by email: the user performed an action that triggered the sending of the Teachable Moment by email.
- Teachable moments opened: the user viewed the Teachable Moment in their email or instantly in their browser.
- Teachable moments answered correctly: the user correctly answered the Teachable Moment question used to validate its reading.
- Teachable moments answered incorrectly: the user incorrectly answered the Teachable Moment question used to validate its reading.
SMS statuses
In the campaign Audit, within Campaign details, each SMS can have the following statuses:
- Waiting for delivery confirmation: the SMS was sent to the carrier and successful delivery confirmation is awaited.
- Delivered: the SMS was delivered to the recipient.
- Retrying delivery: the carrier will retry delivery until the campaign expires.
- Expired: the carrier could not deliver the message and the campaign expired.
- Delivery error: the SMS could not be delivered to the recipient.
Delivery error reasons
- Unknown subscriber: the recipient's number is not associated with an active line.
- Insufficient balance: the cost of sending is greater than the available credit in the account.
- Generic delivery failure: the carrier did not provide more information about the error.
- Unavailable subscriber: the recipient's line is not available at this time.
- Received network error: the recipient's network has a problem that prevents delivering the SMS.
- Opted out: the recipient revoked consent to receive SMS from the sending line.
- Carrier rejected: the recipient's carrier blocks the message. It may be due to a lack of campaign registration (in some countries it is mandatory to register SMS campaigns) or to content prohibited or illegal under the country's regulations.
- Capacity limit reached: the carrier blocks reception due to SMS quantity limits in a period or country policies (for example, sending allowed only at specific hours).
Known issues
Below are the most common issues when working with campaigns that send SMS.
Identity spoofing
In some countries it is not possible to send SMS messages that spoof the sender's identity. In specific cases, this type of SMS is only delivered if the sender's number uses a different country code than the recipient's. In those situations, the sender can be replaced with a generic number (for example, 1234).
Additionally, sending a spoofed-identity SMS within the same mobile carrier and within the same country may not work.
Issues with the SMS sender
In SMARTFENSE you can customize the SMS sender with an alphanumeric string of up to 11 characters or a phone number. If the desired sender is not accepted, try variants such as:
- Replace the country code with +34.
- Replace the country code with 0034.
- Add a period after the country code: +34.541498675.
If no variant works, you can use an empty sender. In that case, the carrier will assign a default sender value. If sending works correctly with the default sender, it is recommended to use an alphanumeric string (for example, José Vicente) as the sender instead of a phone number.
Issues with the recipient's number
A message may not be delivered if the recipient's number is not saved in the correct format. Make sure the users' number includes the country code, without a + sign or leading double zeros. If there are delivery issues, try the variants mentioned in the Phone number section.
Issues with links
Some carriers block the links present in SMS messages. In these cases you can try removing the protocol (http or https) from the URL.
💡 Best practices
- Send a Test campaign to analyze statistics and detect possible delivery issues before a mass send.
- Verify the Phone number in the users' profile and ensure the country code has the recommended format.
- Define an Expiration date consistent with the objective and keep the campaign within the 4-day maximum to obtain realistic results.
- Use Random sending to simulate real behaviors and reduce the "user-to-user warning" effect during the campaign.
- Combine the Smishing simulation with a Teachable Moment to raise user awareness at the exact moment they perform an unsafe behavior.
- Use Send me a test to validate the scenario and form behavior before scheduling the campaign.
- Review the Available SMS shots in Dashboard > General and in the informational note when selecting Recipients to avoid failures due to insufficient credit.
- If you detect Delivery error or Carrier rejected, adjust the sender or number format and consider country or carrier restrictions before relaunching the campaign.