Identify fake fraud-alert, payee-added and OTP-request texts impersonating NatWest
Last reviewed: 11 May 2026 · ScamSupport research
The NatWest impersonation playbook in 2026
NatWest, Royal Bank of Scotland and Ulster Bank all share the same anti-fraud SMS infrastructure, and all three are heavily targeted by criminals running the “safe account” APP fraud pattern. UK Finance reports that bank-impersonation losses exceeded £460m in 2024 and continued to rise in 2025. NatWest customers receive a disproportionate share of these because of the bank’s large retail customer base and the SMS sender ID (“NWB”, “NatWest”) being trivially spoofable.
Three NatWest scam-text variants seen in 2026
From: NWB or NatWest (spoofed sender ID; appears in the same SMS thread as real NatWest alerts)
Body: “NatWest: A new payee “JOHN HARRIS” has been added to your account from a new device. If this wasn’t you, call 020 XXXX XXXX immediately to block.”
Red flags:
Real NatWest payee-added alerts don’t request a call to a stated number. They’ll direct you to the app or to the number on the back of your card.
When you call the number provided, you reach a “fraud agent”. They’ll “confirm” the payee is fraudulent and walk you through moving your money to a “safe holding account”. The holding account is the criminal’s.
The named payee is plausible but generic. “JOHN HARRIS”, “SMITH J”, “PAYEE 8421” — designed to provoke a panic response without being so specific you can verify it.
From: NatWest (spoofed)
Body: “NatWest: Your security code is 482917. Do not share this code. If you didn’t request a code, call 020 XXXX XXXX to investigate.”
Red flags:
The criminal is initiating an online banking login or a payment at the same moment you receive the “security code”. The code is real — it’s the OTP NatWest sends to authenticate the transaction. When you read it to the “fraud team”, you authorise the criminal’s transfer.
The text reads like a genuine OTP delivery. Because it IS a genuine OTP — the criminal triggered it by attempting to log in to your account or set up a new payee. Your bank delivered the code in good faith.
Never read an OTP to anyone on a phone call. Not to your bank, not to the police, not to a recovery firm. Banks have other ways to verify your identity. Anyone asking for an OTP over the phone is the criminal.
From: NatWest (spoofed)
Body: “NatWest: Your debit card has been temporarily suspended due to unusual activity. Re-activate at: natwest-reactivate-uk[dot]com”
Red flags:
Card suspensions are managed in the NatWest app, never on third-party domains. The page looks identical to NatWest’s real login, harvests your username, password, memorable word, and asks for the security number from a card reader. The card-reader number is what the criminal needs to authorise a real transfer.
The domain. Real NatWest lives at natwest.com and www.natwestonline.com only. Anything-NatWest-anything is a clone.
Two-factor doesn’t save you here. The page asks for the OTP NatWest texts you in real-time. The criminal enters the OTP into the real NatWest within seconds, completing the takeover.
How to verify a NatWest text is real
Four rules:
Never call any number in the text. Hang up the moment you read a phone number in the SMS. Real NatWest fraud alerts direct you to call the number on the back of your card or use the in-app secure chat. Always.
Open the NatWest app to check. Every genuine NatWest alert is also visible in the app’s message centre. If the SMS isn’t in the app, it isn’t from NatWest.
Never read an OTP to anyone on a phone call. Not even if they sound official. The OTP’s purpose is to prove YOU are authorising a transaction. Sharing it with a caller authorises THEIR transaction.
If you’re unsure, hang up and call NatWest’s real number from the back of your card. The real fraud team will confirm or deny the alert in seconds.
If you’ve already transferred money or shared an OTP
Call NatWest’s real fraud line on 0800 161 5153 (or the number on the back of your card) immediately. Use the phrase: “This was an authorised push payment scam. Please log it under the PSR reimbursement scheme.”
The PSR Mandatory Reimbursement Scheme requires NatWest to reimburse APP fraud victims up to £85,000 for transfers after 7 October 2024 unless the bank can prove gross negligence on the customer’s part. Make the claim in writing within 13 months of the loss.
Report to Report Fraud at reportfraud.police.uk. You’ll need a crime reference number for any subsequent recovery action and Financial Ombudsman complaint.
Read our UK Scam Recovery Guide for the full first-60-minutes playbook, including the PSR “gross negligence” defence strategy when banks initially refuse to reimburse.