I work at a company that has a large number of field users. We have been sending out simulated phish for a couple of years, and the overwhelming majority of failures are from mobile devices. Management is asking for reasons why we should care about people falling for phish on a mobile device. For context, we are almost completely BYOD and have MFA enabled on every user account. Most users are unlikely to have any sensitive information on their phones. I have been struggling to come up with a good reason why we should care. Malware and compromised accounts seem to be low risk. The best arguments I have are that sloppy behavior on a mobile phone would translate to the same behavior on a laptop, and that falling for a real phish on a mobile device could lead to spear-phishing and social engineering. Neither of those arguments is very strong.