Every UK SMS scam — from fake bank fraud alerts to delivery-fee phishing to gov.uk impersonation — follows the same four-stage pattern. Learn the universal mechanics and the 3 rules that defeat every variant.
Last reviewed: 13 May 2026 · ScamSupport research
UK Finance’s 2025 Annual Fraud Report attributed £460m+ in Authorised Push Payment (APP) losses to scams largely driven by SMS phishing. Report Fraud’s quarterly reporting puts smishing among the top three growing fraud categories by volume. The UK is disproportionately targeted globally for four reasons: high smartphone penetration; a regulated banking system whose fraud-alert SMS patterns are easy to clone; a widespread expectation that legitimate organisations communicate by SMS (delivery notifications, GP appointments, gov.uk alerts); and a sender-ID system that doesn’t verify the sender.
The breadth is enormous — banks (Barclays, NatWest, HSBC, Lloyds, Santander, Halifax, Nationwide, Monzo, Revolut, Starling, TSB), couriers (Royal Mail, Evri, DPD, Yodel, Parcelforce, FedEx, UPS), government (HMRC, DVLA, DWP, NHS, council tax, TV Licence, passport office), big-tech (Microsoft, Apple, PayPal, Amazon, Netflix, Spotify), and emerging channels (NHS App, gov.uk verify, FCA “warning” texts). But the underlying mechanic is identical across all of them.
UK SMS sender IDs are not authenticated. A criminal can send an SMS with the displayed sender set to “Barclays”, “HMRC”, “Royal Mail” or any other text. The recipient’s phone shows that text in the SAME thread as any genuine messages already received from that sender ID — because the phone groups messages by displayed sender, not by underlying source. This means a thread containing a real OTP from Barclays can also contain a scam text from “Barclays”.
The message creates a reason to act. The dominant UK pretexts in 2026: (a) “Suspicious transaction of £X to Y” bank fraud alerts — the highest-loss category. (b) “Your parcel could not be delivered — pay £1.99 customs fee” courier scams. (c) “HMRC tax refund / DVLA licence update / NHS appointment fee” gov.uk impersonation. (d) “Your [Apple / Microsoft / Netflix] account is suspended”. The pretext is plausible because the recipient legitimately receives texts in all of these categories.
Time pressure suppresses verification. “Action required within 24 hours.” “Your account will be suspended.” “Pay within 12 hours or shipment returned.” Two action types: (a) a phone number to call — almost always for bank-fraud-alert variants, leading to the “safe account” script. (b) a link to click — almost always for courier / gov.uk / account-suspension variants, leading to a credential / card-harvest page on a typosquatted domain.
For call-back variants: the “fraud team” confirms the (fake) suspicious transaction, then tells the victim to transfer money to a “safe account in your name” while the “investigation” runs. The safe account is the criminal’s; the money is gone the moment it lands. For click-link variants: the lookalike domain captures username + password + 2FA code, allowing real-time login to the victim’s online banking; or captures full card details for resale and immediate use. Either way, the smishing mechanic ends in money or credentials extracted within minutes of the victim engaging.
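The four-stage pattern above can be checked mechanically. The following triage sketch is an added example, not ScamSupport's own tooling: it flags urgency wording, callback numbers and links whose host is not a domain of the claimed organisation, while giving the displayed sender ID no weight as evidence. The allowlist, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: illustrative allowlist mapping a claimed sender ID to domains the
# real organisation publishes. Populate it from verified sources in real use.
KNOWN_DOMAINS = {"barclays": {"barclays.co.uk"},
                 "royal mail": {"royalmail.com"},
                 "hmrc": {"gov.uk"}}
URGENCY = re.compile(r"action required|within \d+ hours|will be suspended", re.I)
LINK = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
PHONE = re.compile(r"(?<!\d)(?:\+44[\s-]?|0)\d(?:[\s-]?\d){8,9}(?!\d)")

def host_of(link):
    """Return the lowercased hostname of a link, with or without a scheme."""
    if "://" not in link:
        link = "http://" + link
    return (urlparse(link).hostname or "").lower()

def on_known_domain(host, sender):
    """True only if host is a listed domain or a true subdomain of one."""
    allowed = KNOWN_DOMAINS.get(sender.strip().lower(), set())
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(sender, body):
    """List scam-pattern indicators. The displayed sender only selects which
    allowlist applies; being unauthenticated, it never counts as trust."""
    findings = ["urgency"] if URGENCY.search(body) else []
    for m in LINK.finditer(body):
        host = host_of(m.group())
        tag = "link" if on_known_domain(host, sender) else "link-off-domain"
        findings.append(f"{tag}:{host}")
    if PHONE.search(body):
        findings.append("callback-number")
    return findings

# Constructed sample messages (not real scam texts); the first two would share
# one thread on the handset because both display the sender "Barclays".
SAMPLES = [
    ("Barclays", "Your one-time passcode is 482913. Never share this code."),
    ("Barclays", "Suspicious transaction of £450.00 to J SMITH. Action required "
                 "within 24 hours: call our fraud team on 020 7946 0123."),
    ("Royal Mail", "Your parcel could not be delivered. Pay the £1.99 customs fee at "
                   "https://royalmail-redelivery.example/pay within 12 hours."),
    ("HMRC", "Tax refund of £268.40 pending. Claim at hmrc-gov.uk.refunds.example/claim"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{sender:10} -> {triage(sender, body) or 'no indicators'}")
```

The suffix check requires a leading dot, so a host that merely contains or imitates a listed domain (such as `hmrc-gov.uk` or `gov.uk.refunds.example`) is still reported as off-domain.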
The rules are simple and universal. Every UK smishing scam fails if you apply all three:
Rule 1 — Never call a number from an SMS. Ever.
If a text gives you a number to call, that number is the trap. Real banks, real couriers, real government departments, real tech companies always tell you to call them on a number you already know — the back of your bank card, the published number on the real website, your saved number from when you registered. If the SMS itself provides the number, the scam is the call. Hang up. Call the real organisation back on a number you trust.
Rule 2 — Never click a link from an unsolicited SMS. Ever.
If a text asks you to click a link — to verify your account, pay a fee, reschedule a delivery, confirm your identity, claim a refund — don’t. Type the organisation’s real domain into your browser yourself. Real organisations communicate through their app, posted letter, or known-domain website. If a real notification exists, you’ll see it when you log in directly. If you don’t see it, the SMS is fake.
Rule 3 — Never read a security code on the phone. Ever.
If you’re on a phone call and they ask you to read out an OTP, 2FA code, or security code that just arrived on your phone, you’re mid-scam. The whole purpose of the code is to prove YOU are authorising something. Reading it to a caller authorises THEIR transaction — on YOUR account. No legitimate organisation will ever ask for this. Hang up immediately.
If you have a text in front of you right now from a specific brand, jump to the corresponding guide:
Barclays · NatWest · HSBC · Lloyds · Santander · Nationwide · Halifax · Monzo · Revolut · Starling · TSB · Generic banking scam checker
Royal Mail · Evri · DPD · Yodel · Parcelforce · FedEx · UPS
HMRC · DVLA · DWP · PIP · Child Benefit · Student Loans · Council tax · TV Licence · NHS · Passport Office · Gov.uk fake email check
7726 spells “SPAM” on a phone keypad. Every UK mobile network supports it (EE, O2, Three, Vodafone, Sky Mobile, Tesco Mobile, Lebara, GiffGaff, BT Mobile). Forward the scam SMS to 7726; you may receive a follow-up asking for the sender number (forward that too if asked). The text is forwarded to the National Cyber Security Centre (NCSC) and the mobile networks, who use the reports to block sender numbers and take down associated phishing infrastructure. NCSC reports taking down over 100,000 scam URLs each month using SERS + 7726 data combined.