Smishing is phishing delivered through SMS text messages or messaging apps. The attacker typically tries to get you to click a link, install an app, or share a code.
Why it matters for account recovery
Smishing matters because mobile interfaces make it harder to inspect domains and because phone numbers are often tied to account recovery. A smish that costs you control of your email account or SIM can cascade into resets of many other accounts.
Common failure modes and misconceptions
- Short links and mobile UI limits: Attackers rely on truncation and small screens to hide the real destination.
- Fake delivery and bank alerts: These are designed to trigger urgency and get you to act before you verify.
- One-time code extraction: Support impersonation over text often aims to capture verification codes.
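As an added example (not part of the original page), a small Python triage function that flags the three lure patterns listed above in a message body. The shortener list, keyword patterns, sample messages and `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed, illustrative lists and patterns; tune them for your own environment.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|final notice|within \d+ (hours?|minutes?))\b", re.I)
CODE_REQUEST = re.compile(r"\b(reply|send|share|text)\b.{0,40}\b(code|otp|pin)\b", re.I)

def triage_sms(text, expected_hosts=frozenset()):
    """Return the sorted lure indicators found in one SMS body."""
    flags = set()
    for raw in URL.findall(text):
        try:
            host = (urlsplit(raw).hostname or "").lower().rstrip(".")
        except ValueError:          # malformed authority, e.g. unbalanced brackets
            flags.add("malformed_url")
            continue
        if host in SHORTENERS:
            flags.add("short_link")          # real destination is hidden
        elif re.fullmatch(r"[\d.]+", host):
            flags.add("ip_literal_host")
        elif host.startswith("xn--") or ".xn--" in host:
            flags.add("punycode_host")       # may render as a look-alike name
        elif not any(host == h or host.endswith("." + h) for h in expected_hosts):
            flags.add("unexpected_host")
    if URGENCY.search(text):
        flags.add("urgency")
    if CODE_REQUEST.search(text):
        flags.add("code_request")
    return sorted(flags)

# Constructed sample messages (not real traffic).
SAMPLES = [
    "Your parcel is held. Pay the redelivery fee within 12 hours: https://bit.ly/x1EXAMPLE",
    "Bank support here. Please reply with the code we just sent you.",
    "Your order has shipped. Track it at https://shop.example/track/123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage_sms(msg, expected_hosts={"shop.example"}), "<-", msg)
```

An empty result only means none of these heuristics fired; it is not a verdict that the message is safe.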
Safe best practices
- Do not click links in unexpected texts. Navigate to the vendor site or app directly.
- Treat your phone number as a sensitive identifier and reduce where it is used for recovery.
- If you see repeated verification texts you did not request, treat it as an account takeover signal and secure the related account.
Smishing succeeds when the message controls your navigation and your timeline. Breaking both, by navigating directly and verifying via known channels, collapses most lures.
