According to Proofpoint’s 2023 report, 71% of organisations experienced a successful phishing attack in the past year.
Most of these started when an employee responded to a message that appeared routine. The format didn’t matter – some arrived via email, others through SMS or a phone call.
In these cases, traditional technical controls like EDR, email filters, and MFA are not the first layer of defence. The breach starts with a user decision. That decision is often made under pressure, without the time or context to verify what appears to be a standard internal or service request.
Phishing simulations are designed to test and improve this layer of human decision-making. But in most organisations, simulation programs only model email-based scenarios. That’s a significant limitation.
Attackers now deliver phishing payloads through multiple formats: SMS, voice calls, QR codes, collaboration platforms, and in some cases, physical materials. These formats are often preferred because they are less protected, more trusted, and more likely to be acted on quickly.
Take the digital arrest scam as an example. This attack has nothing to do with email. Instead, it involves a phone call from someone claiming to be from law enforcement.
Attacks like these bypass filters entirely. They target user behaviour directly and succeed by applying psychological pressure. Yet very few phishing simulations attempt to reproduce this type of scenario.
For a CISO, security manager, or compliance lead, this creates two risks. First, there is no visibility into how users might respond to non-email phishing attempts. Second, existing simulation data gives a false sense of readiness because it reflects only a narrow slice of the actual threat surface.
This blog breaks down how phishing really operates across different channels, where current simulation programs fall short, and what a complete multi-channel strategy should look like if it’s meant to reflect real-world risk.
Understanding Multi-Channel Phishing in Practice
Modern phishing attacks are not limited to one format. Attackers increasingly blend delivery methods, relying on timing, context, and perceived legitimacy rather than traditional payloads. Below are several channels that are being actively exploited.
1. Smishing (SMS Phishing)
Smishing attacks have seen a significant increase, with a 1,265% rise in malicious phishing emails observed since the end of 2022. Attackers use SMS messages to deliver malicious links or impersonate internal systems like HR or IT platforms. These messages may use URL shorteners and mimic internal communication styles, posing a heightened risk in BYOD environments where personal devices are used for work-related activities.
2. Vishing (Voice Phishing)
Vishing refers to phishing via voice calls. Attackers impersonate internal personnel, such as IT support or HR staff, and apply social pressure to manipulate users. Some vishing campaigns use pre-recorded messages, while others involve live calls. The most effective vishing attacks are contextual, often referencing recent events or system changes that make the request seem credible.
3. Callback Phishing
In a callback phishing scenario, a user receives a seemingly benign email that urges them to contact a phone number to resolve a billing issue or subscription renewal. The email may pass through all filters because it contains no links or attachments. The actual attack occurs during the call, where the user is persuaded to grant access, install software, or disclose sensitive information.
4. Quishing (QR Code Phishing)
Quishing leverages QR codes embedded in physical materials such as posters, flyers, or digital PDFs. When scanned, these codes often lead to spoofed login pages or credential capture sites. Because QR codes are not directly clickable, they often bypass conventional scanning tools. The risk is especially high when users scan codes using personal devices that are outside the control of corporate MDM systems.
Each of these channels is increasingly used in coordinated campaigns that unfold over multiple steps, making detection more difficult and increasing the likelihood of user error.
Why Email-Only Simulations Are Insufficient
Despite the diversification of phishing tactics, many organisations continue to simulate only email-based phishing attacks. This narrow focus presents several issues:
- False Assurance: Users may perform well in email simulations but remain vulnerable to other phishing methods.
- Channel Mismatch: Significant operational communication occurs outside of email, necessitating simulations that reflect actual user workflows.
- Underreported Exposure: Without assessing responses to SMS, voice, or QR-based phishing, organisations lack a complete understanding of their risk landscape.
Attackers exploit these gaps, and simulations that ignore them diminish the effectiveness of awareness programs.
Key Components of a Technically Complete Simulation Program
A modern phishing simulation program should replicate the conditions under which real attacks occur. This means reflecting the format, delivery method, and behavioural context of the threat. The following elements are essential.
Multi-Channel Delivery
Simulations should be able to test user responses across SMS, voice, QR code, and web-based platforms, in addition to traditional email. For instance, an SMS-based simulation might mirror the language and structure of the organisation’s MFA or HR alert systems. Vishing simulations can include both pre-recorded calls and real-time impersonation scripts.
Role-Specific Payloads
Simulation scenarios should reflect the actual workflows and responsibilities of each department. A procurement employee is more likely to receive supplier-related fraud attempts, while finance teams might face payment request impersonation. Designing simulations that mirror these roles improves relevance and detection accuracy.
Device Awareness
Effective simulation programs consider the types of devices users interact with. QR code simulations should account for scanning via mobile phones, particularly in BYOD setups. Simulations should also distinguish between actions taken on managed endpoints and those taken on personal devices.
Real-Time Feedback
Simulations should provide immediate, specific feedback when users fail or report suspicious activity. Rather than offering generic advice, the feedback should explain what indicators were present, why the message was risky, and how to identify similar attempts across different formats.
Measurable Risk Indicators
Beyond simple pass/fail metrics, organisations should track indicators such as time-to-click, time-to-report, and escalation behaviour. Repeated failures or slow reporting should trigger more tailored interventions. Some platforms also integrate risk scores that factor into broader compliance and audit frameworks.
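As an added example (not code from the original post), the Python below computes the indicators named above from a constructed set of simulation events spanning email, SMS, QR and voice lures: per-channel act and report rates, median time-to-act and time-to-report, and a per-user risk score that flags repeated or slow-reported failures for tailored intervention. The scoring weights and intervention thresholds are assumptions, not a standard.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed simulation results (not real data): (user, channel, sent, acted, reported).
# "acted" = when the user took the bait (clicked, scanned the QR code, complied on the
# call); "reported" = when they told security. None means it never happened.
EVENTS = [
    ("alice", "email", "2024-03-04T09:00", None,               "2024-03-04T09:04"),
    ("alice", "sms",   "2024-03-05T14:10", "2024-03-05T14:11", None),
    ("bob",   "email", "2024-03-04T09:00", "2024-03-04T09:20", "2024-03-04T10:30"),
    ("bob",   "qr",    "2024-03-06T08:00", "2024-03-06T08:02", None),
    ("bob",   "voice", "2024-03-07T11:00", "2024-03-07T11:03", None),
    ("carol", "sms",   "2024-03-05T14:10", None,               "2024-03-05T16:00"),
]

def minutes_between(start, end):
    # Elapsed minutes from delivery to the event, or None if it never happened.
    if end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def channel_metrics(events):
    # Act rate, report rate and median time-to-act / time-to-report per channel.
    rows = defaultdict(list)
    for _, channel, sent, acted, reported in events:
        rows[channel].append((minutes_between(sent, acted), minutes_between(sent, reported)))
    metrics = {}
    for channel, pairs in rows.items():
        acts = [a for a, _ in pairs if a is not None]
        reps = [r for _, r in pairs if r is not None]
        metrics[channel] = {"act_rate": len(acts) / len(pairs), "report_rate": len(reps) / len(pairs),
                            "median_time_to_act_min": median(acts) if acts else None,
                            "median_time_to_report_min": median(reps) if reps else None}
    return metrics

def user_risk(events, slow_report_min=60):
    # +2 per lure acted on, +1 per lure not reported or reported slower than slow_report_min.
    # Flag for tailored intervention at score >= 4 or failures on 2+ channels (assumed thresholds).
    scores = {user: 0 for user, *_ in events}
    failed_channels = defaultdict(set)
    for user, channel, sent, acted, reported in events:
        t_report = minutes_between(sent, reported)
        if acted is not None:
            scores[user] += 2
            failed_channels[user].add(channel)
        if t_report is None or t_report > slow_report_min:
            scores[user] += 1
    return {u: {"score": s, "intervene": s >= 4 or len(failed_channels[u]) >= 2}
            for u, s in scores.items()}
```

Feeding a real platform's export into `EVENTS` in the same shape lets the same two functions produce channel-level and user-level indicators that can be forwarded to a SIEM or GRC system.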
Compliance and Regulatory Relevance
Security awareness training is not just a best practice; in many regulated industries, it is a legal requirement. More importantly, regulators increasingly expect training to reflect actual risk exposure.
- Under GDPR Article 32, organisations are required to implement security measures appropriate to the risk. That includes training users on the specific threat vectors relevant to their environment.
- HIPAA §164.308(a)(5) mandates periodic security updates and training tailored to users’ roles and system access.
- PCI DSS v4.0 expects awareness programs to account for both digital and social engineering risks, including phishing delivered outside traditional email channels.
A simulation program that fails to reflect these realities can not only increase security risk but also weaken the organisation’s compliance position during audits or breach investigations.
Questions to Guide Evaluation of Simulation Tools or Internal Programs
To ensure your simulation program aligns with real-world threats and enterprise requirements, consider the following questions:
- Can the platform simulate phishing via SMS, voice, and QR codes in addition to email?
- Does it support hybrid scenarios that combine multiple formats (e.g., SMS followed by a phone call)?
- Can simulations be customised to reflect internal communication formats and workflows?
- Are role-specific simulations available for different departments and levels of seniority?
- Is there support for multilingual delivery and mobile device targeting?
- Can the simulation metrics integrate with your existing SIEM, GRC, or audit systems?
Meeting these requirements is necessary for simulation to function as a valid security control rather than a periodic awareness exercise.
Awareness Training Must Reflect Communication Behaviour
Users interact with multiple devices and communication platforms daily. Threat actors exploit this complexity, tailoring their campaigns accordingly. Simulation strategies must evolve to mirror this environment, evaluating decision-making under realistic conditions and accounting for timing, format, context, and device.
Programs limited to email-based simulations cannot provide accurate visibility into risk or demonstrate compliance with current security obligations. A comprehensive simulation strategy, underpinned by meaningful metrics, serves as both a behavioural safeguard and a regulatory asset.