Spot fake appointment confirmations, NHS-app login alerts and fake prescription-delivery charges — with the single verification rule that defeats every NHS-impersonation scam.
Last reviewed: 13 May 2026 · ScamSupport research
The one rule that defeats every NHS scam text
The NHS provides clinical care free at the point of use. The NHS does not charge patients for appointments, treatments, vaccinations, prescriptions (in England, fixed-price under the NHS prescription charge regime — never paid by text), prescription delivery, or appointment rebooking. Anyone asking you to pay an NHS-related fee by SMS is running a scam. Full stop.
There are narrow exceptions: NHS prescription charges in England are paid via the EPS service through your pharmacy (NEVER by SMS), and dental treatment has banded charges paid in person at the practice. Neither is requested by text.
NHS scam texts have surged since 2020, when the NHS legitimately began sending high-volume SMS for vaccination appointments. The genuine alerts conditioned the public to expect NHS texts, and scammers exploited the same channel. Report Fraud and the NHS Counter Fraud Authority both warn that NHS impersonation is one of the highest-volume SMS scam categories in the UK.
Three NHS scam-text variants currently in circulation
Variant 1 — Fake appointment booking fee
From: “NHS” or “NHS-UK” (spoofed sender ID; can appear in the same thread as real NHS alerts)
Body: “NHS: You have an appointment booked for 14/05 at 09:30 with Dr Patel. To confirm, complete the £1.99 booking-system update at nhs-confirm[dot]co.uk”
Red flags:
NHS appointments are not subject to booking fees. GP appointments, hospital appointments, vaccinations — none of these have a confirmation fee. The £1.99 / £2.99 amount is deliberately small to bypass risk thresholds; the actual harm is the card details being harvested for later use.
The link domain is not nhs.uk. Real NHS digital services live at www.nhs.uk or *.service.nhs.uk (e.g. booking.gp-online.service.nhs.uk). Domains like nhs-confirm.co.uk, nhs-app-secure[dot]com, nhs-update[dot]net are typosquats.
Real NHS appointment SMS is informational, not transactional. A genuine appointment reminder might say “You have a GP appointment at 09:30 on Tuesday. Reply CANCEL to cancel.” It will never ask you to click a link to pay or verify.
Cancellation by SMS is via free-text reply, never a link. Reply CANCEL or a similar single word is the genuine NHS pattern. Anyone wanting card details to process a cancellation is running the scam.
Body: “NHS App: Your account has been temporarily suspended for security reasons. Re-verify your identity at nhs-app-verify[dot]com within 24 hours to avoid permanent closure.”
Red flags:
The real NHS App lives at www.nhs.uk/nhs-app and is accessed via the App Store / Google Play app or via the NHS login web flow. Any other domain is fake.
NHS App does not threaten 24-hour permanent closure. The real NHS digital team uses standard digital-identity recovery flows. Threatening immediate closure is the urgency hook.
NHS login uses NHS-issued credentials. Once you reach a fake login page, the criminal logs in to your real NHS account in real-time, gaining access to your test results, GP records, prescription history, and your linked GP surgery’s patient list.
What follows the credential harvest: sophisticated identity-theft attacks because the NHS App data set includes your full name, DOB, address, GP, prescription medications, and recent test results. This is enough to impersonate you to many services.
Variant 3 — Fake prescription / Pharmacy First delivery charge
From: “NHS Prescription” or “NHS-Pharm” (spoofed)
Body: “NHS: Your prescription is ready for delivery. Pay the £3.50 dispensing fee at nhs-prescription-pay[dot]com to authorise delivery.” A variant references the “Pharmacy First” service introduced in 2024.
Red flags:
NHS prescription charges in England are £9.90 per item (2025) and paid AT the pharmacy, not by SMS link. The Electronic Prescription Service (EPS) sends prescriptions to your nominated pharmacy electronically; payment happens in person or via prescription pre-payment certificate — never by text.
Pharmacy First is free to the patient. The 2024 Pharmacy First service for common conditions (sore throat, sinusitis, etc.) is a free NHS service in England, Scotland, Wales and Northern Ireland. There is no “dispensing fee” for Pharmacy First.
Real NHS prescription notifications come from your GP surgery or pharmacy by phone or via the NHS App. Generic “NHS prescription ready” SMS asking for payment is not a legitimate communication path.
The page collects full card details for a small fee. Same pattern as the gov.uk and DVLA scam variants — the small fee is cover; the data harvest is the value extracted.
How to verify an NHS communication is genuine
The NHS never charges patients for clinical services via SMS. If the text asks for money, it’s a scam. There are no exceptions.
Real NHS digital domains:www.nhs.uk, *.service.nhs.uk, app.nhs.uk. Anything else is fake.
To check an appointment: open the NHS App (downloaded from the official App Store / Play Store), log in, and look at the “Appointments” tab. Real appointments will be visible there. If they’re not, the SMS is suspect.
To check with your GP surgery: call the practice on the number on your registration letter or on their gov.uk-listed contact page (search www.nhs.uk/services). Never use a number provided in the suspicious SMS.
Report the SMS to 7726 (free, all UK networks). 7726 spells “SPAM” on a keypad. Forwarding scam texts to 7726 helps mobile carriers and the NCSC track and block the source numbers.
If you’ve already clicked a fake NHS link
Card details entered: call your bank fraud line immediately on the number on the back of your card. Cancel and replace the card. Reference any subsequent unauthorised transactions under the PSR Mandatory Reimbursement Scheme.
NHS App credentials entered: change your NHS login password at https://access.login.nhs.uk/account, sign out all active sessions, and enable additional authentication if available. Notify your GP surgery so they can monitor account access. Review your “Health Record” tab for any unauthorised changes to nominated pharmacy, etc.
Personal details entered (DOB, NHS number, address): NHS number is treated by some service providers as a soft identifier; combined with other PII, it enables impersonation. Consider CIFAS Protective Registration — protects your credit file against follow-on identity fraud.
Report the scam to report@phishing.gov.uk (NCSC Suspicious Email Reporting Service) for any URLs received via email, and to 7726 for SMS.