SMS Scams: How to Spot and Avoid Smishing Attacks

Your phone vibrates. A text message arrives from what looks like Royal Mail, your bank, or HMRC. It tells you something urgent has happened and you need to click a link immediately. This is smishing — and it is now one of the most common forms of cybercrime targeting everyday people in the UK and worldwide.

Unlike email phishing, smishing lands directly in the same place you receive messages from your friends and family. That familiarity makes it far more dangerous. Research consistently shows that people respond to text messages faster and with less critical scrutiny than they apply to emails. Scammers know this and they have built entire criminal industries around exploiting it.

What is smishing and why is it so effective

Smishing is a portmanteau of SMS and phishing. It refers to any fraudulent text message designed to deceive you into taking an action that benefits the attacker — clicking a malicious link, calling a scam number, replying with personal information, or making a payment.

What makes smishing uniquely dangerous compared to other forms of phishing is the psychological context in which it operates. When you receive a text message, your guard is typically lower than when you receive an email. You are usually on your phone, often doing something else simultaneously. The message is short, the link is right there, and there is a strong social convention that text messages are personal and require a prompt response.

Smishing campaigns have become dramatically more sophisticated in recent years. Modern smishing attacks use your real name (harvested from previous data breaches), reference real services you actually use, and arrive from numbers that appear legitimate. Some campaigns use number spoofing technology to make the message appear to come from a number you already have saved in your contacts.

The most common smishing scenarios in 2026

Parcel delivery scams are currently the most prevalent smishing attack type in the UK. You receive a text claiming to be from Royal Mail, DPD, DHL, or Amazon stating that a delivery has failed and you owe a small fee to reschedule it. The fee is typically £1.99 to £3.99 — deliberately small to reduce your hesitation. The link leads to a convincing fake website that collects your payment card details, often including your full card number, expiry date, CVV, and billing address. Some variants also request your online banking login details to “verify your identity”.

Bank fraud alerts are the second most common type. These texts claim to be from your bank — Barclays, NatWest, Lloyds, HSBC, or another major institution — and warn you that suspicious activity has been detected on your account, that a large payment is pending, or that your account has been temporarily restricted. The urgency is designed to panic you into clicking the link immediately. The fake banking website that follows is often pixel-perfect and nearly indistinguishable from the real one.

HMRC and government texts claim you are owed a tax rebate, that you have an outstanding fine, or that your National Insurance number has been used fraudulently. HMRC never contacts taxpayers about refunds by text message. Any text claiming to be from HMRC asking you to click a link is a scam without exception.

Mobile network texts claim your bill is overdue, your account is about to be suspended, or that you have won a loyalty prize. These often ask you to “verify your account” by entering your login details on a fake operator website.

NHS and health service texts increased dramatically during and after the pandemic. These claim to be about appointments, prescriptions, or — alarmingly — claim there is a problem with your vaccination record that requires immediate verification.

How to identify a smishing text message

The single most reliable indicator of a smishing attack is a text message that contains both a sense of urgency and a link, and asks you to enter personal or financial information. Legitimate organisations — banks, delivery companies, government agencies, and mobile operators — do not ask you to verify sensitive information or make unexpected payments by clicking a link in a text message.

Look carefully at the link itself. On a smartphone, press and hold the link to see where it actually goes before you tap it. Scam links often use domains that look plausible at first glance but contain subtle differences: royalmail-redelivery.com instead of royalmail.com, or uk-gov-rebate.co.uk instead of gov.uk. The legitimate domain for HMRC is always gov.uk. The legitimate domain for Royal Mail is always royalmail.com.

Check the sender number. While sophisticated smishing attacks can spoof legitimate-looking numbers, many use mobile numbers or short codes you do not recognise. However, a familiar-looking sender number is not proof of legitimacy — spoofing is common.

Real examples of smishing texts and the warning signs

Here are real smishing text formats reported to Action Fraud in the UK, with the warning signs explained:

“Your Royal Mail parcel with tracking number GB123456 could not be delivered. A redelivery fee of £1.99 is required. Please pay at: royalmail-delivery.info/GB123456” — Warning signs: Royal Mail does not send texts asking for payment to redeliver. The domain is royalmail-delivery.info, not royalmail.com. The tracking number format looks real but is fabricated.

“BARCLAYS: We have detected unusual activity on your account. Your account has been restricted for your security. Please verify immediately: barclays-secure.com/verify” — Warning signs: Barclays would never send a text with a link to a domain other than barclays.co.uk. The use of all caps for the bank name is common in smishing. The word “immediately” is a pressure tactic.

“HMRC: You are entitled to a tax refund of £312.54. Click here to claim your refund before it expires: hmrc-rebate.org/claim” — Warning signs: HMRC never contacts people about refunds via text message. Any domain other than gov.uk claiming to be HMRC is fraudulent. Tax refunds do not expire within hours.

What to do immediately when you receive a suspicious text

• Do not click any link in the message under any circumstances
• Do not call any phone number included in the text
• Do not reply to the message — even replying “STOP” confirms your number is active
• If the text claims to be from your bank, call your bank directly using the number on the back of your card or on their official website
• If it claims to be about a delivery, go directly to the carrier’s official website by typing the address yourself
• Screenshot the text before deleting it so you have a record for reporting
• Delete the message from your phone

If you have already clicked a link but did not enter any information, you are likely safe, but change your passwords for any accounts you were logged into on that device as a precaution and run a security scan on your phone.

If you entered payment card details on a fake website, contact your bank immediately — call the number on the back of your card. Tell them you believe you have been a victim of a smishing fraud and ask them to block your card and issue a new one. Under UK banking rules (the Contingent Reimbursement Model), you have a strong case for reimbursement if you report promptly.

How to report smishing in the UK and internationally

In the United Kingdom, forward suspicious text messages to 7726 (which spells SPAM on your keypad). This is a free service run by Ofcom and your mobile network provider. Your report goes directly to your carrier’s fraud team who investigate and block malicious numbers. You can also report smishing attacks to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040.

In the United States, forward suspicious texts to 7726 (the same number) or report to the FTC at reportfraud.ftc.gov. In Canada, report to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca.

Reporting matters because it contributes to the takedown of fraudulent websites and phone numbers. When enough people report the same smishing campaign, mobile networks can block the sending numbers and internet registrars can suspend fraudulent domains. Your report protects others who might receive the same text tomorrow.

Protecting yourself long term

The most powerful long-term protection against smishing is developing the habit of never clicking links in unexpected text messages, regardless of how urgent or official they appear. This single habit eliminates the overwhelming majority of smishing risk.

Consider enabling your mobile network’s spam filtering features — most major UK carriers including EE, Vodafone, O2, and Three offer built-in SMS filtering. On iPhone, go to Settings, Messages, and enable Filter Unknown Senders. On Android, open the Messages app, tap the three-dot menu, and enable spam protection.

Register your number with the Telephone Preference Service (TPS) at tpsonline.org.uk to reduce unsolicited marketing texts. While this does not stop criminal smishing, it reduces overall text volume from unknown senders, making suspicious messages easier to identify.