1️⃣ Understanding Smishing

This article explains how Riot’s Smishing module works.

❶ Purpose of the Smishing module

The Smishing module covers the SMS phishing channel: it allows you to test your employees against simulated SMS attacks, in addition to email phishing. The infrastructure used is pre-approved by our SMS provider (SMSMode) and telecom operators, preventing blocking or rejection during campaigns.

Testing employees only through email leaves part of the attack surface uncovered: SMS scams (fake MFA codes, fake deliveries, banking fraud, payroll updates) are part of attackers’ everyday tactics. Smishing fills this blind spot.

💡 Good to know: When an attack is sent to an employee, Riot prioritizes their professional phone number first, then their personal number if the option has been enabled and shared by the employee.

❷ Why include smishing in your cybersecurity program?

  • Coverage of a second attack channel: fraudulent SMS messages are a daily reality. A phishing program limited to email leaves the entire SMS surface untested.

  • Operator pre-approved infrastructure: each campaign is announced in advance to our SMS provider and the relevant telecom operators. No telecom complaints, no blacklisted numbers, no unexpected rejections.

  • Country-based targeting validation: only phone numbers in international E.164 format and from supported countries are considered valid targets. Unsupported or incorrectly formatted numbers are automatically filtered out when building the audience.

👍 Good to know: Smishing generally shows a lower compromise rate than email phishing. This is expected: users tend to be more suspicious of SMS messages, the link is fully visible (no “hover” option to inspect the URL), and the channel offers fewer creative possibilities than email. This is not a product limitation — it is simply useful to know before launching a smishing campaign.

❸ How does a smishing attack work?

  1. Audience filtering: only employees with phone numbers in E.164 format and from supported countries are included. Others are automatically filtered out.

  2. 48-hour telecom pre-notification: Riot manually pre-notifies SMSMode (and downstream operators) so the campaign is not flagged as fraudulent. Campaigns must therefore be scheduled at least 48 hours in advance.

  3. SMS delivery: the SMS is sent through SMSMode with the configured Sender ID (default short number or custom sender name — see section ❺).

  4. Click and phishing page: the employee clicks the link in the SMS and lands on the same phishing page used for email campaigns. Standard events are recorded (page opened, credentials submitted, employee compromised).

  5. Cancellation (“voided”): if the operator rejects the SMS or the message cannot be delivered after the retry window (phone turned off, operator unavailable, etc.), the attack is cancelled and excluded from statistics.

❹ Supported countries and phone number format

Smishing is currently available in the following countries:

  • 🇦🇹 Austria — example: +43 XXX XXX XXXX

  • 🇧🇪 Belgium — example: +32 XXX XX XX XX
    ⚠️ Special case — Belgium: the local operator imposes an additional 3-day waiting period before sending. Campaigns targeting Belgium therefore remain pending for 3 extra days in addition to the standard 48-hour delay.

  • 🇩🇰 Denmark — example: +45 XX XX XX XX

  • 🇫🇮 Finland — example: +358 XX XXX XXXX

  • 🇫🇷 France — example: +33 X XX XX XX XX

  • 🇩🇪 Germany — example: +49 XXX XXXX XXXX

  • 🇮🇸 Iceland — example: +354 XXX XXXX

  • 🇮🇹 Italy — example: +39 XXX XXX XXXX
    ⚠️ Special case — Italy: older 9-digit Italian mobile numbers (without extension, predating the E.164 standard) are not supported. Example: +39 337 123456 will be rejected.

  • 🇱🇺 Luxembourg — example: +352 XXX XXX XXX

  • 🇳🇱 Netherlands — example: +31 X XXXXXXXX

  • 🇳🇴 Norway — example: +47 XXX XX XXX

  • 🇵🇱 Poland — example: +48 XXX XXX XXX

  • 🇵🇹 Portugal — example: +351 XXX XXX XXX

  • 🇷🇴 Romania — example: +40 XXX XXX XXX

  • 🇪🇸 Spain — example: +34 XXX XXX XXX

  • 🇸🇪 Sweden — example: +46 XX XXX XX XX

  • 🇨🇭 Switzerland — example: +41 XX XXX XX XX

French overseas territories are also supported (treated as an extension of France): Réunion, Guadeloupe, Martinique, French Guiana, New Caledonia, and French Polynesia.

Only the international E.164 format (+XX...) is accepted. The following separators are valid (France examples, same logic for other countries):

  • +33687097493

  • +33-7-12-34-56-78

  • +33.6.12.34.56.78

  • +33(0)612345678

  • (+33)612345678

💡 An employee does not appear in the smishing audience even though they have a mobile number? Check the following 3 points:

  • Their number is not in a valid E.164 format → once corrected, the employee will reappear in the audience.

  • The employee’s email domain is not verified in the workspace.

  • Their country is not in the list of supported countries.
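The following script is an added example, not Riot's code: it shows how the audience rules described in this section can be checked locally before a campaign is scheduled. It normalizes the accepted separator styles into E.164, keeps only the supported calling codes (French overseas territories mapped to France), rejects legacy 9-digit Italian numbers, and reports why each employee was dropped, mirroring the three troubleshooting points above. The `domain_verified` flag, the employee records and the `build_audience` / `minimum_lead_time` helpers are assumptions made for the example; the calling codes themselves are public facts.

```python
"""Pre-flight audience validation for a smishing campaign (added example, not Riot's code)."""
import re
from datetime import timedelta

# Supported calling codes -> country label, from the list in this section.
# French overseas territories are treated as an extension of France.
SUPPORTED = {
    "43": "Austria", "32": "Belgium", "45": "Denmark", "358": "Finland",
    "33": "France", "49": "Germany", "354": "Iceland", "39": "Italy",
    "352": "Luxembourg", "31": "Netherlands", "47": "Norway", "48": "Poland",
    "351": "Portugal", "40": "Romania", "34": "Spain", "46": "Sweden",
    "41": "Switzerland",
    # Réunion, Guadeloupe, Martinique, French Guiana, New Caledonia, French Polynesia
    "262": "France", "590": "France", "596": "France", "594": "France",
    "687": "France", "689": "France",
}

# E.164: a leading '+', a non-zero first digit, at most 15 digits in total.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")


def normalize(raw: str) -> str:
    """Collapse the accepted separator styles into a bare +<digits> string."""
    s = raw.strip()
    s = re.sub(r"^\(\s*\+(\d+)\s*\)", r"+\1", s)  # (+33)612345678 -> +33612345678
    s = re.sub(r"\(\s*0\s*\)", "", s)             # +33(0)612345678 -> +33612345678
    s = re.sub(r"[\s.\-]", "", s)                 # spaces, dots and dashes
    return s


def classify(raw: str):
    """Return (e164, country, None) for a valid target, or (None, None, reason)."""
    num = normalize(raw)
    if not E164_RE.match(num):
        return None, None, "not in E.164 format"
    digits = num[1:]
    code = None
    for width in (3, 2):  # longest calling-code prefix first
        if digits[:width] in SUPPORTED:
            code = digits[:width]
            break
    if code is None:
        return None, None, "country not supported"
    national = digits[len(code):]
    # Italy: legacy 9-digit mobiles such as +39 337 123456 are rejected;
    # the supported format is +39 XXX XXX XXXX (10 national digits).
    if code == "39" and len(national) < 10:
        return None, None, "legacy 9-digit Italian number"
    return num, SUPPORTED[code], None


def build_audience(employees):
    """Apply the three checks from the troubleshooting list; return (included, excluded)."""
    included, excluded = [], {}
    for emp in employees:
        # Assumption: the workspace's domain-verification status is passed in as a flag.
        if not emp["domain_verified"]:
            excluded[emp["name"]] = "email domain not verified in the workspace"
            continue
        # Professional number first, personal number only if the employee shared it.
        candidates = [emp.get("work_phone")]
        if emp.get("personal_phone_shared"):
            candidates.append(emp.get("personal_phone"))
        reason = "no phone number"
        for raw in filter(None, candidates):
            e164, country, reason = classify(raw)
            if e164:
                included.append({"name": emp["name"], "phone": e164, "country": country})
                break
        else:
            excluded[emp["name"]] = reason
    return included, excluded


def minimum_lead_time(audience) -> timedelta:
    """48 h telecom pre-notification, plus the 3 extra days when Belgium is targeted."""
    lead = timedelta(hours=48)
    if any(target["country"] == "Belgium" for target in audience):
        lead += timedelta(days=3)
    return lead


# Constructed sample records (fictitious people and numbers).
EMPLOYEES = [
    {"name": "alice", "domain_verified": True, "work_phone": "+33-7-12-34-56-78"},
    {"name": "bob", "domain_verified": True, "work_phone": "(+32)470123456"},
    {"name": "carla", "domain_verified": True, "work_phone": "+39 337 123456"},
    {"name": "dave", "domain_verified": True, "work_phone": "0612345678"},
    {"name": "erin", "domain_verified": False, "work_phone": "+49 151 2345 6789"},
    {"name": "finn", "domain_verified": True, "work_phone": "+1 555 0100",
     "personal_phone": "+33(0)612345678", "personal_phone_shared": True},
    {"name": "gus", "domain_verified": True, "work_phone": "+1 555 0100",
     "personal_phone": "+33 6 12 34 56 78", "personal_phone_shared": False},
]

if __name__ == "__main__":
    included, excluded = build_audience(EMPLOYEES)
    for target in included:
        print("target :", target["name"], target["phone"], target["country"])
    for name, why in excluded.items():
        print("dropped:", name, "->", why)
    print("schedule at least", minimum_lead_time(included), "ahead")
```

Running it with the sample records keeps alice, bob and finn (finn through the shared personal number), drops carla, dave, erin and gus with the matching reason, and reports a five-day minimum lead time because bob is a Belgian target.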

❺ Sender ID: who appears as the sender?

You have two options for the Sender ID (the identity displayed as the SMS sender):

1. Short number (default, mainly 🇫🇷)

By default, the Sender ID is a short number. You cannot choose or reserve a specific one: the provider randomly selects one at sending time (e.g. 36084, 38184, 38601, 38079…). Short numbers are mainly available in France; outside France, alphanumeric sender IDs are generally the default option.

2. Alphanumeric sender ID (custom sender name)

You can choose a custom sender name for the SMS — useful for impersonating a service (e.g. TicketM). Rules to follow:

  • 3 to 11 characters

  • Letters and numbers only

  • No special characters

  • Cannot contain only numbers

  • No generic terms (e.g. Alert, Appointment)

  • No unauthorized brand names or restricted terms
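As an added example (not Riot's or SMSMode's code), the check below applies the sender-name rules listed above locally so that a rejected name is caught before the campaign is submitted. The provider remains the authority on generic and restricted terms; the `GENERIC_TERMS` and `RESTRICTED_TERMS` sets here are constructed placeholders built from the examples on this page.

```python
"""Local pre-check of an alphanumeric sender ID (added example, not the provider's code)."""
import re

# Constructed placeholder lists: the real generic-term and restricted-brand
# lists are maintained by the SMS provider and are not published on this page.
GENERIC_TERMS = {"alert", "appointment"}
RESTRICTED_TERMS = {"examplebank"}  # placeholder for an unauthorized brand name


def check_sender_id(sender: str) -> list:
    """Return the list of rule violations; an empty list means the name passes every rule."""
    problems = []
    if not 3 <= len(sender) <= 11:
        problems.append("length must be 3 to 11 characters")
    if not re.fullmatch(r"[A-Za-z0-9]*", sender):
        problems.append("letters and digits only (no spaces, accents or special characters)")
    if sender.isdigit():
        problems.append("cannot consist only of digits")
    if sender.lower() in GENERIC_TERMS:
        problems.append("generic term not allowed")
    if sender.lower() in RESTRICTED_TERMS:
        problems.append("restricted term or unauthorized brand name")
    return problems


def first_acceptable(candidates):
    """Pick the first candidate name that violates no rule, or None."""
    for name in candidates:
        if not check_sender_id(name):
            return name
    return None


if __name__ == "__main__":
    for name in ["TicketM", "Alert", "36084", "My-Bank!", "AB", "ExampleBank"]:
        print(repr(name), "->", check_sender_id(name) or "ok")
```

`TicketM` passes; `Alert` is rejected as a generic term, `36084` because it is digits only, `My-Bank!` for its special characters, and `AB` for its length.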

❻ Important delays and limitations

  • 48-hour delay before launch: each campaign requires a manual notification to SMSMode 48 hours in advance for telecom pre-validation. Campaigns scheduled less than 48 hours ahead will be blocked.

  • Delivery may take up to 48 hours after sending: most SMS messages arrive in under 20 seconds, but if the phone is turned off or the operator experiences latency, the network retries delivery for up to 48 hours before cancelling the attack. The attack remains in “pending” status in the Hub until delivered or cancelled.

  • Lower scores than email phishing (expected): see explanation in section ❷. This is not a product issue — it is simply the nature of the SMS channel.


Key takeaways

  • The Smishing module tests your teams through the SMS channel, an essential complement to email phishing.

  • The infrastructure is pre-approved by telecom operators: no risk of blacklisting or unexpected rejections on the customer side.

  • Plan at least 48 hours between campaign creation and actual sending (+3 additional days for Belgium).

  • Only numbers in E.164 format and from supported countries are eligible — filtering is automatic.

  • A lower score than email phishing is normal and should be framed appropriately from the start of the program.