What is smishing? How SMS phishing works and how to spot it
Smishing is phishing via text message. Here is how it works, what the most common lures look like, and what to do when you receive a suspicious text.
Smishing is phishing carried out via text message. The name is a blend of SMS and phishing, and it works on the same principle: a scammer impersonates a trusted organisation to trick you into clicking a link or handing over your details.
It is one of the fastest-growing forms of online fraud, and for a straightforward reason - people tend to trust text messages more than emails. We are used to filtering out spam in our inbox, but a text from what looks like Royal Mail or our bank feels more immediate and harder to ignore.
How smishing works
The anatomy of a smishing attack is simple:
- You receive a text claiming to be from a bank, delivery company, government service, or retailer
- The message creates urgency - a missed delivery, a suspicious payment, a fine due, a refund waiting
- It contains a link to a fake website designed to look like the real one
- You enter your login credentials, card details, or personal information
- The scammer has what they need
The whole thing can take two minutes. You may not realise anything happened until money disappears from your account or you find your details being used elsewhere.
Common smishing lures
Fake parcel delivery notifications
The most common smishing type in the UK. A text claims to be from Royal Mail, Evri, DPD, DHL, or Amazon saying a parcel couldn't be delivered, a customs fee is due, or a delivery needs to be rescheduled. The link goes to a convincing fake page asking for your card details to pay a small fee.
Real delivery companies do send SMS notifications, which makes this lure particularly effective. The key difference: genuine delivery texts do not ask for payment card details via a link.
Bank fraud alerts
A text claims to be from your bank, warning of suspicious activity on your account. It urges you to click a link to verify your identity or secure your account. The fake page captures your online banking login, and sometimes your card details and one-time passcodes too.
Your bank will never send you a link and ask you to log in to verify yourself. If you receive this, go directly to your bank's official website or app - do not use the link.
HMRC refund and fine texts
These texts claim to be from HMRC and either offer a tax refund or threaten a fine for unpaid tax. HMRC does not issue refunds or payment demands via text message with a link. These are always scams.
Package customs fees
Particularly common for purchases from non-UK retailers. A text claims customs duty is owed on a parcel and must be paid to release it. This one is convincing because you may actually be expecting a delivery from abroad. Genuine customs fees are handled through official Royal Mail or courier processes - not through a link in a text.
Account verification and "unusual activity"
These texts claim your Netflix, Amazon, PayPal, or other account has been suspended, locked, or flagged. Clicking the link takes you to a fake login page.
How to spot a smishing message
No single tell is definitive, but these are consistent warning signs:
- You weren't expecting it - an unsolicited text about a delivery, payment, or account issue
- Urgency - "Act within 24 hours", "Your account will be closed", "Final notice"
- A link that doesn't match the organisation - hover or long-press the link to preview the destination URL before tapping
- Generic greeting - "Dear Customer" instead of your name
- Shortened URL - bit.ly or similar that hides the real destination
- Requests for payment or personal details via link - legitimate organisations do not ask for this over text
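The warning signs above can be turned into a simple automated check. The following is an added example, not code from this page or from SniffTest: the allow-list of official domains, the phrase patterns, and the sample message are assumptions chosen for illustration. It shows why a link must be compared against the organisation's real domain by suffix, not by looking for the brand name somewhere in the URL.

```python
import re
from urllib.parse import urlsplit

# Assumed sample allow-list: brand name -> domains the organisation really uses.
OFFICIAL_DOMAINS = {"royal mail": {"royalmail.com"}, "hmrc": {"gov.uk"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY = re.compile(r"within \d+ hours|final notice|will be closed|immediately", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|client)\b", re.I)
PAYMENT_ASK = re.compile(r"\b(pay|fee|card details|verify your (identity|account))\b", re.I)
URL = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
# Constructed sample message (not a real text); .example is a reserved TLD.
SAMPLE = ("Royal Mail: your parcel could not be delivered. Pay the redelivery "
          "fee within 24 hours: https://royalmail.com.parcel-fee.example/pay")

def host_of(url):
    """Return the lower-cased hostname, tolerating links with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, domains):
    """True only if host is one of the domains or a subdomain of one.
    A substring test is not enough: the SAMPLE host contains 'royalmail.com'
    but its registered domain is parcel-fee.example."""
    return any(host == d or host.endswith("." + d) for d in domains)

def warning_signs(text):
    """Return the warning signs found in one SMS body, in a fixed order."""
    signs = []
    if URGENCY.search(text):
        signs.append("urgency")
    if GENERIC_GREETING.search(text):
        signs.append("generic greeting")
    hosts = [host_of(u) for u in URL.findall(text)]
    if hosts and PAYMENT_ASK.search(text):
        signs.append("payment or details requested via link")
    lowered = text.lower()
    for host in hosts:
        if belongs_to(host, SHORTENERS):
            signs.append("shortened URL")
        for brand, domains in OFFICIAL_DOMAINS.items():
            if brand in lowered and not belongs_to(host, domains):
                signs.append(f"link does not match {brand}")
    return signs

if __name__ == "__main__":
    print(warning_signs(SAMPLE))
```

An empty result does not mean a message is safe; as the list says, no single tell is definitive, and a shortened URL hides the destination this check would need to see.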
What to do when you receive a suspicious text
Do not click the link. If you think the message might be genuine, go directly to the organisation's official website or app - type the address yourself or use a saved bookmark.
Check the link without visiting it. Copy the URL from the text (press and hold the link, then copy) and paste it into SniffTest. It runs 17 checks and returns a plain-English verdict before you open anything.
Report it. Forward suspicious texts to 7726 (spells SPAM on a keypad). This is a free service that UK mobile networks use to investigate and block smishing numbers. In the US, forward to 7726 or report to the FTC at reportfraud.ftc.gov.
Delete it. Once you've reported it, delete the message so you're not tempted to tap the link later.
If you already clicked and entered your details
Speed matters. The sooner you act, the better your chances of limiting the damage.
If you entered banking credentials:
- Log into your bank's official app or website immediately and change your password
- Call your bank's fraud line to alert them
- Enable additional verification if available
If you entered card details:
- Call your bank immediately and ask them to cancel or freeze the card
- Ask them to monitor for and reverse any fraudulent transactions
If you entered personal details:
- Note what you shared - name, address, date of birth, National Insurance number
- Report it to Action Fraud at actionfraud.police.uk (UK) so it's on record
- Monitor your credit report for any unusual applications made in your name
Frequently asked questions
Q: What is smishing in simple terms?
A: Smishing is a scam delivered by text message. The scammer pretends to be a trusted organisation - your bank, a delivery company, HMRC - and sends a link to a fake website designed to steal your login details or payment information. The name comes from SMS and phishing.
Q: How can I tell if a text is smishing?
A: Look for unsolicited messages creating urgency, links that don't match the organisation's real domain, requests for payment or personal details, and generic greetings like "Dear Customer." When in doubt, do not click - go directly to the organisation's official website instead, and copy the link into SniffTest to check it.
Q: Do real banks send texts with links?
A: Banks do send SMS alerts, but they do not send links asking you to log in or verify your identity. If you receive a text claiming to be from your bank with a link to a login page, it is almost certainly smishing. Call your bank directly using the number on the back of your card.
Q: Is smishing more dangerous than email phishing?
A: It can be. People tend to trust texts more than emails, and mobile screens make it harder to examine a link closely before tapping. Smishing response rates are generally higher than email phishing, which is why scammers increasingly prefer it.
Q: What is the number to report smishing in the UK?
A: Forward the suspicious text to 7726 (free from all UK mobile networks). You can also report the scam to Action Fraud at actionfraud.police.uk.