WhatsApp Phishing Simulation: Training for Real-World Smishing Attacks
Lucy 5.5 introduces WhatsApp phishing simulation, giving organisations realistic smishing training to protect employees against modern messaging app attacks
Why WhatsApp Phishing Matters
Email is no longer the only channel for phishing. Attackers are now targeting users through messaging apps like WhatsApp, and SMS. These smishing attacks often look authentic, carrying urgent calls to action and links to fake websites.
With employees increasingly using mobile devices for both work and personal communication, WhatsApp phishing has become a real security risk.
Introducing WhatsApp Phishing Simulation in Lucy 5.5
The Lucy 5.5 release includes the ability to create WhatsApp phishing simulations. This lets organisations prepare employees for the reality of modern attacks.
Key capabilities:
Customisable templates: Start with built-in examples or design your own.
Personalisation with Lucy variables: Insert employee names, departments, or roles to increase realism.
Mobile-first training: Deliver phishing tests through the same channels attackers are using.
By simulating real WhatsApp attacks, companies can test employee awareness where it matters most.
How a WhatsApp Phishing Simulation Works
A campaign might look like this:
A user receives a WhatsApp message pretending to be from HR, IT, or even a delivery company.
The message contains a link urging them to “update details” or “verify an account.”
If the employee clicks, Lucy captures the interaction and delivers instant awareness training.
This approach mirrors real-world smishing techniques, giving staff the practice they need to spot and avoid the threat.
Double barrel or lure attacks can also be delivered.
Benefits of WhatsApp Phishing Simulation
Running a WhatsApp phishing simulation with Lucy provides:
Realistic awareness: Employees face scenarios that match real attacks.
Customisation: Tailor campaigns to your organisation’s environment.
Better resilience: Staff build confidence in spotting suspicious messages.
Regulatory alignment: Under frameworks like NIS2, realistic training is now expected, not optional.
Beyond WhatsApp: Other Updates in Lucy 5.5
Alongside WhatsApp phishing simulation, the Lucy 5.5 release also delivers:
Phishing risk scoring (Beta) – AI-driven analysis of reported emails.
Safe upgrade guardrails – preventing system interruptions during live campaigns.
New Microsoft 365 Outlook plugin – smoother and more reliable integration.
UI and security enhancements – a cleaner, safer platform for admins.
Final Thoughts
Attackers are moving beyond email. That’s why the Lucy 5.5 release adds WhatsApp phishing simulation — giving organisations the tools to train employees where the risks are highest.
By combining realistic smishing tests with AI-driven phishing risk scoring, Lucy continues to set the standard for awareness training that prepares people for the threats they actually face. Here you can see our Realistic Phishing article from the 2025 ITSEC event publication on why Realism in Phishing matters.
Contact us if to find out how we can help.
See our version 5.5 release video on YouTube.
