Scam Text Messages (Smishing): Spot, Stop and Report

Scam texts - known as smishing (SMS phishing) - are now one of the most common ways criminals reach us, because a text is cheap to send, easy to fake, and lands right in your pocket. From fake parcel fees to "Hi Mum" messages, they all share the same goal: get you to tap a link or reply. This guide shows you how to spot, stop and report them.

What smishing is

Smishing is phishing delivered by text message. Criminals send a message that appears to come from a trusted source - a bank, a courier, a government body, even a family member - and rely on you reacting before you think. The "from" name or number can be faked, so a scam text can even slot into the same conversation thread as genuine messages from a real company.

The text almost always wants one of two things: for you to tap a link (to a fake login or payment page) or to reply/call (to start a conversation that extracts money or details).

The common scam text types

• Parcel/delivery. A "missed delivery" or "unpaid fee" with a link - see our parcel delivery scam guide.
• Bank alert. "We've blocked a payment - confirm it wasn't you" linking to a fake bank login, often a prelude to a safe-account call.
• HMRC / tax. A "tax refund" or "outstanding tax" text - see the HMRC phone scam.
• "Hi Mum/Dad". A message from an unknown number claiming to be your child with a new phone, asking for money - often from a +44 7 mobile.
• Prize / refund. "You've won" or "you're owed a refund - claim here".
• Two-factor code requests. A text (or follow-up call) trying to get you to read out a one-time code.

A realistic example:

"FROM HSBC: A new payee 'J SMITH' was added to your account. If this wasn't you, verify immediately: [link]." The link opens a perfect copy of the bank's login page. Enter your details and the scammer has everything they need - and may call moments later, posing as the "fraud team", to finish the job.

Red flags in a scam text

• A link asking you to log in, pay, or "verify" details.
• Urgency - "within 24 hours", "immediately", "final notice".
• A slightly-off web address or a link shortener.
• Spelling or grammar that's not quite right (though many are now polished).
• An unexpected context - a parcel you didn't order, a bank you don't use.
• A request for codes, passwords or card details.

What to do with a scam text

1. Don't tap the link and don't reply.
2. Forward it to 7726. Texting the message to 7726 (which spells "SPAM") is free and reports it to your mobile network, which can investigate and block the source. You may then get a reply asking for the sender's number.
3. Verify independently if it might be genuine - log into your bank or the retailer's app, or call the organisation on a trusted number (159 for banks).
4. For "Hi Mum" texts, call your relative on their usual number before doing anything.
5. Delete the text once reported.
6. Report to Action Fraud if you've lost money or shared details, and contact your bank immediately.

How real organisations text you

Genuine texts won't ask you to enter your password or full banking details through a link, won't threaten you, and won't demand one-time codes. Many banks now include your name or other personalisation, but don't rely on that alone - the safe move is always to check by logging in yourself rather than following a message.

The bottom line

Smishing works because a text feels personal and urgent. Build one reflex: never tap a link in an unexpected text. Forward scam texts to 7726, verify anything that might be real through your own app or a trusted number, and delete the rest. That single habit - check it yourself, don't follow the message - neutralises almost every scam text you'll ever receive.