There are many variations of passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour believable.

4140 Parker Ave, St. Louis, MO 63116


      Your employees are nearly 7x more likely to click a fake text than a fake email

      Real smishing simulation data from Nimblr shows SMS-based attacks get clicked at nearly 7 times the rate of phishing emails. Here's what the numbers reveal and what to do about it.

      Shortcuts:

      Most security awareness programs treat the inbox as the main battleground. The data says otherwise.

      Nimblr's smishing simulations show a click rate of 29.4% across our SMS tests. Phishing simulation emails, run across millions of sends in the same period, came in at 4.5%. That gap, nearly 7 times, should prompt a serious conversation about where mobile sits in your security training program.

      This is Nimblr data, drawn from real smishing simulations sent to real employees across the Nordics as part of their security awareness programs. 

      This article breaks down what the numbers reveal, why text-based attacks perform so differently from email, and what realistic smishing training looks like in practice.


      Smishing

      What is smishing?

      Smishing (SMS phishing) is a social engineering attack delivered by text message. An attacker sends a message impersonating a trusted sender: a bank, delivery service, government authority, or employer. The goal is to trick the recipient into clicking a link, sharing credentials, or taking an action that creates a security risk.

      Unlike email, SMS arrives in a more personal, high-trust channel. There's no hover-to-preview a URL. There's no spam folder filtering out obvious fakes. And most people check their phones dozens of times a day, often while distracted.

      That combination is why smishing works so well.


      Data

      The click rate gap is real

      Across Nimblr's own simulation platform, running SMS tests against employee populations in the Nordics, the comparison is stark:

      Channel Click Rate
      Smishing (SMS) 29.4%
      Phishing (email) 4.5%

      The smishing data spans multiple countries, languages, and simulation types, with consistent results above the 25% range in Sweden, Denmark, and Norway.

      For comparison: most security benchmarks flag a phishing click rate above 10% as a serious concern. Smishing runs at nearly three times that level.


      What are employees actually clicking on?

      The highest-performing simulations reveal a clear pattern: people click when the message feels relevant, timely, and locally authentic.

      Top performers across all markets:

      These simulations ran in English across multiple countries and reflect broadly effective attack patterns regardless of local context.

      • Free e-books offer: a reward-based message offering access to free digital content. 46.7%
      • Mobile bill refund notification: a message claiming the recipient is owed a refund on their mobile bill. 39.8%
      • Fake Amazon support message: a security or account alert appearing to come from Amazon. 39.1%
      • Bank transaction alert: a message claiming unusual activity on the recipient's bank account. 32.0%

      Market-specific highlights:

      When simulations use local brands and local authorities, click rates climb significantly. A few standouts:

      • Fake MediaMarkt sale alert (Swedish): a promotional SMS mimicking a flash deal from a well-known Nordic electronics retailer. 69.4%
      • Fake pharmacy notification (Danish): a message impersonating a major Danish pharmacy chain. 58.3%
      • Fake insurance claim (Danish): an urgent message appearing to come from a local insurance provider. 56.7%
      • Fake SMHI emergency weather warning (Swedish): a spoofed official alert from Sweden's meteorological authority. 51.7%

      The gap between the two groups is telling. Reward-based and security-alert messages work broadly. But add a brand employees actually recognize, or an authority they trust, and the click rate jumps by 20 to 30 percentage points.

      What makes the high performers work isn't just the brand. It's the combination of a recognized name, a plausible scenario, and a clear reason to act quickly.


      Language

      Local context drives clicks

      One of the clearest signals in the data is how much local context matters. A fake SMHI weather warning is highly convincing in Sweden because SMHI is a known, trusted authority. Employees have received real alerts from them before. A fake MediaMarkt promotion works because it mirrors messages employees actually receive from that retailer.

      Simulations that use generic, internationally-neutral scenarios consistently underperform their locally-specific equivalents. A fake "parcel delivery failure" message outperforms a generic delivery alert when it uses a delivery brand employees actually recognize.

      This has direct implications for training programs that rely on a single English-language simulation library. The messages your employees actually receive, from local delivery services, regional tax authorities, and national retail brands, don't look like that. Attackers know this. Their campaigns are localized. Training should be too.


      Why smishing is harder to catch than email

      The behavioral context of SMS is fundamentally different from email:

      No URL preview. On a phone, there's no way to hover over a link before clicking. The URL is hidden behind a short link or embedded in the message itself.

      Personal device, distracted context. Employees check personal phones constantly, during commutes, between meetings, at lunch. The cognitive bandwidth available to evaluate a message is lower than when sitting at a desk reviewing email.

      High baseline trust. SMS is still perceived as a more legitimate channel than email. Spam SMS is common, but scam SMS from a brand you recognize feels different. Organizations like banks, delivery companies, and government agencies all use SMS legitimately, which attackers exploit.

      No IT filter. Corporate email goes through security gateways. Personal SMS does not. An organization's email security stack offers little protection against a smishing attack landing on an employee's phone.


      Smishing Training

      What good smishing training looks like

      The goal of smishing simulation isn't to trick employees into feeling foolish. It's to create the muscle memory to pause before acting on a text message, especially one that creates urgency, offers a reward, or requests credentials.

      Effective smishing training has a few consistent elements:

      Realistic, localized scenarios. Generic "package delivery" messages underperform real ones. Simulations should reflect the brands and authorities employees actually interact with in their daily lives.

      Immediate feedback. When someone clicks, the learning moment is right then. Nimblr's Instant Learning delivers a short, in-context lesson the moment a user interacts with a simulated smishing message.

      Multi-language support. For organizations operating across the Nordics or Europe, simulations in a single language miss the local authenticity that makes attacks convincing.

      Ongoing cadence. One annual simulation doesn't change behavior. Risk scores change as employees move between roles, locations, and teams. Smishing simulation needs to be part of a continuous program, not a once-a-year checkbox.


      Smishing Simulation

      How Nimblr approaches smishing simulation

      Nimblr's smishing module is an add-on to the core security awareness platform. SMS messages are sent to employees to test their vigilance against mobile-based social engineering, using the same behavioral targeting logic that powers phishing simulations.

      Each simulation is selected based on individual user history. Someone who repeatedly clicks reward-based lures will see more of those, not the same generic scenario repeated. When a user interacts with a simulation, Instant Learning triggers automatically, showing them exactly what they missed and why.

      The simulation library is continuously updated from live threat intelligence, covering the types of attacks actually deployed against Nordic organizations, not hypothetical scenarios from a generic template library.

      The result is that smishing training reduces human risk on a channel that most programs currently leave completely unaddressed.


      The question worth asking

      If your organization runs phishing simulations, you already know that humans make decisions under pressure and that training changes that. SMS is a channel where the same human instincts are in play, under worse conditions, with no technical safety net below it.

      A 29% click rate means roughly one in three employees will act on a convincing fake text. That's a breach risk that doesn't touch your email gateway at all.

      The organizations ahead of this are the ones treating mobile behavior as a training priority, not an afterthought.


      Want to see the full picture on smishing in the Nordics? Download the SMS Under Siege report: five years of smishing and mobile fraud data across Sweden, Denmark, Norway, and Finland.

      Download the report →

      Ready to add smishing simulation to your awareness program? Book a demo →

      Author
      Nimblr Security Awareness
      Nimblr Security Awareness
      The Nimblr team is made up of people who are passionate about cyber security, developing training for real people, and tracking behavioral change.
      Get a personalized demo session at your convenience. Book a demo and let one of our experts walk you through Nimblr solution, the platform, and how quickly you can get started.