Smishing: SMS Phishing Attacks
What Is Smishing?
Smishing (a combination of "SMS" and "phishing") is a cyberattack delivered via text message. Criminals send fraudulent SMS messages that impersonate trusted organisations, such as banks, delivery companies, government agencies, and online platforms, in an attempt to trick you into taking a harmful action. This might involve clicking a link to a fake website, calling a fraudulent phone number, downloading malware, or replying with personal information.
Smishing is particularly effective because text messages have a much higher open rate than emails. Most people read a text message within minutes of receiving it, and the limited screen space on a mobile device makes it harder to scrutinise links and sender details.
Common Smishing Scenarios
Criminals tailor their smishing attacks to exploit situations that people encounter in everyday life:
Fake Delivery Notifications
"We attempted to deliver your parcel today. Please reschedule your delivery here: [link]." These messages spike during busy shopping periods such as Black Friday and the Christmas season. The link leads to a convincing replica of a courier's website, where you are asked to enter personal details and pay a small "redelivery fee", which captures your card information.
Bank Alert Messages
"Unusual activity detected on your account. Verify your identity immediately: [link]." These messages exploit fear and urgency. The linked website replicates your bank's login page, capturing your username, password, and sometimes even your one-time verification code. Legitimate banks will never ask you to verify your identity through a link in a text message.
HMRC Tax Refund Messages
"HMRC: You are owed a tax refund of GBP 437.80. Claim now: [link]." HMRC will never notify you of a tax refund via text message. These scams exploit the appeal of unexpected money and direct you to a fraudulent website designed to steal your personal and financial details.
Subscription and Account Messages
"Your subscription is about to expire. Update your payment details to avoid service interruption: [link]." These messages impersonate streaming services, app stores, or other subscription platforms and aim to capture your card details.
How to Identify Smishing Messages
Developing a critical eye for text messages can prevent you from falling victim to smishing attacks:
- Examine the sender: Legitimate organisations typically send messages from a recognisable name or short code. Messages from random mobile numbers claiming to be your bank are almost certainly fraudulent.
- Inspect links carefully: Before tapping any link, press and hold it to preview the full URL. Look for misspellings, unusual domain extensions, or addresses that do not match the organisation being impersonated. If in doubt, navigate directly to the organisation's website by typing the address into your browser.
- Question the urgency: Smishing messages almost always create artificial time pressure. "Act within 24 hours", "Your account will be suspended", and "Immediate action required" are common phrases designed to prevent you from thinking critically.
- Watch for generic greetings: Messages that begin with "Dear Customer" rather than using your name may indicate a mass-distributed scam.
- Check for errors: Whilst scam messages have become more polished, some still contain grammatical errors, unusual formatting, or inconsistencies in branding.
Reporting Smishing Messages
In the UK, you can report suspicious text messages by forwarding them to 7726. This is the number used by all UK mobile networks to collect reports of spam and scam messages. The process is simple:
- Forward the suspicious message to 7726.
- Your network provider will respond asking for the phone number the message was sent from.
- Reply with the sender's number.
This reporting mechanism feeds into a national database used by telecommunications providers and law enforcement agencies to identify and block scam campaigns. You can also report smishing to Action Fraud. The NCSC accepts email-based phishing forwarded to report@phishing.gov.uk, and both organisations provide online reporting tools for other suspicious messages.
What to Do If You Have Responded to a Smishing Message
If you have already clicked a link, entered personal details, or provided financial information in response to a smishing message, take these steps immediately:
- Contact your bank: If you entered card details or banking credentials, call your bank's fraud team immediately. They can block your card and secure your account.
- Change your passwords: Update the password on any account that may have been compromised. If you used the same password elsewhere, change those too.
- Scan your device: If you downloaded anything from the link, run a security scan on your device. Consider a factory reset if malware is suspected.
- Monitor your accounts: Watch for unusual activity on your financial accounts and email in the days and weeks following the incident.
- Report it: File a report with Action Fraud so the scam is officially recorded and can be investigated.
Smishing attacks continue to evolve in sophistication. Maintaining a default position of scepticism toward unsolicited text messages, verifying claims through official channels, and reporting suspicious messages all contribute to reducing the effectiveness of these attacks for everyone.