Smishing UK 2026

SMS phishing patterns currently active in the UK, the 10 dominant variants (bank / HMRC / Royal Mail / DVLA / DWP / NHS / Amazon / TV Licensing / Council Tax / Hi Mum), forwarding to 7726 + specialist short codes, and what to do if you've clicked. Over 90 million smishing texts were sent to UK mobiles in 2024 — this page covers the pattern + protective routes.

Last reviewed: 15 May 2026 · ScamSupport research

The 10 dominant UK smishing variants in 2026

1. Delivery (Royal Mail / Evri / DPD / Yodel / Parcelforce)

"We tried to deliver but you weren't in. Reschedule or pay £1.99 fee here: [link]". By volume, the #1 smishing category in the UK. Lure: paying tiny fee captures card details + 3D Secure codes.

2. HMRC

"You have a £284.55 tax refund waiting. Confirm details to receive: [link]" or "Unpaid tax penalty. Failure to act will result in legal action: [link]". HMRC NEVER texts about refunds; refunds always arrive via Self Assessment portal.

3. Bank impersonation

"NatWest: New payee 'JOHN SMITH' added to your account. If this wasn't you, cancel here: [link]". See per-bank guides linked below.

4. DVLA

"DVLA: Your driving licence requires renewal. Confirm details to avoid £1,000 fine: [link]". DVLA only contacts by post for licence renewals.

5. DWP / Universal Credit

"DWP: Your Universal Credit payment is on hold. Verify identity to release: [link]". DWP contacts via the Universal Credit journal, NOT SMS.

6. NHS

Historically COVID vaccine cert variants; now rare but still circulating. "Your NHS digital health record needs updating: [link]". NHS doesn't text patients for record updates.

7. Amazon / Apple

"Amazon: A £1,299 iPhone was purchased on your account. Not you? Cancel: [link]" or "Apple ID locked. Verify here: [link]". Real Amazon / Apple alerts come via their app, not SMS with external links.

8. TV Licensing

"TV Licensing: Your direct debit failed. Pay £14.50 to avoid loss of access: [link]". Real TV Licensing contacts by letter for payment issues.

9. Council Tax

"Council: You're entitled to a £200 rebate. Confirm details to receive: [link]" or "Overdue Council Tax. Court action pending: [link]". Local councils don't text about Council Tax.

10. "Hi Mum" / "Hi Dad"

"Hi Mum I've lost my phone, this is my temporary number. Can you message me on WhatsApp on [new number]?" Then on WhatsApp: urgent request for money. See dedicated guide.

What makes smishing work — and how to defeat it

Three things give smishing its power:

  1. Spoofed sender labels. Criminals can set the sender to "HMRC" or "HSBC" or "Royal Mail" — the label is not a guarantee of identity. The UK SMS Sender ID Protection Registry protects ~50 major brands from NEW senders but offshore criminals still spoof regularly.
  2. Urgency. "Click within 24 hours or your account will be locked" / "Pay £1.99 fee or parcel returns to depot" — all designed to bypass careful thought.
  3. Branded URLs that look real. Typosquats (roy4l-mail.co.uk, hmrc-uk.co), subdomain tricks (royalmail.delivery-reschedule.com), URL shorteners (bit.ly/abc) hiding the real destination.

The single rule that defeats most smishing

If a message is asking you to click a link or call a number to take action, don't use the link or number in the message. Go directly to the organisation's known website or call the number on the back of your card / on gov.uk / on the official app. The text-supplied contact is the trap; the trusted contact you already have is the safe route.

How to forward to 7726 (step-by-step)

  1. Long-press the suspicious SMS in your messaging app
  2. Select "Forward" (or copy and paste into a new message)
  3. Recipient: 7726
  4. Send
  5. You may receive an automated reply asking for the suspicious sender's number — reply with that number

Total time: under 30 seconds. Free on every UK mobile network. The carrier's threat-intel team uses the data to block sender numbers and report patterns to NCSC.

Specialist short codes

  • 60599 — HSBC specifically (HSBC's own short code)
  • 60069 — DVLA-impersonator texts
  • report@phishing.gov.uk — email forwarding for phishing emails (NCSC)

If you've clicked a smishing link — what to do

  1. Don't panic. Most clicks alone don't compromise you — the trap is entering credentials or payment details on the next page.
  2. If you entered credentials: change them immediately on the real site. Bank: call fraud line via the number on the back of the card. Other: change the password directly via the legitimate app/website.
  3. If you entered payment details: call your bank fraud line. Cancel the card. Watch for unauthorised transactions over the next 7 days.
  4. If you downloaded anything: run an antivirus scan. Malwarebytes free, Bitdefender free, Microsoft Defender (built into Windows).
  5. Forward the SMS to 7726 for the national threat intel.
  6. File an Report Fraud report at reportfraud.police.uk for a reference number.
  7. If money was taken: start a PSR claim. Banks signed up to the Mandatory Reimbursement Scheme refund qualifying claims within 5 working days.
  8. If ID details were entered: add CIFAS Protective Registration to prevent identity-fraud applications. £25 / 2 years.
  9. Watch for follow-up scams. Known smishing victims are heavily targeted by recovery scams. See recovery scam warning.

Frequently asked questions

What is smishing?

Smishing is SMS phishing — scam text messages impersonating a trusted organisation (your bank, HMRC, Royal Mail, DVLA, Amazon, NHS) to trick you into clicking a malicious link or calling a fake number. UK Finance estimates over 90 million smishing texts were sent to UK mobiles in 2024. The pattern: short message, branded sender ID (often spoofed), urgency, a link or callback number. Once you click, you land on a credential-harvesting clone of the impersonated service.

What's 7726 and how does it work?

7726 is the UK universal SMS spam-reporting short code (spells 'SPAM' on phone keypads). Forward any suspicious SMS to 7726 — free on every UK mobile network (EE, O2, Three, Vodafone, Tesco, Sky, GiffGaff, etc.). The carrier's fraud team receives the message, identifies the scam infrastructure, blocks the sender, and reports patterns to the National Cyber Security Centre (NCSC). NCSC has used these reports to take down 100,000+ malicious URLs per year. Also: HSBC operates 60599 (HSBC-specific); DVLA operates 60069 for DVLA-impersonator texts.

How do scammers fake the sender name?

SMS sender IDs are spoofable — criminals can set the sender label to 'HSBC', 'HMRC', 'EVRI', 'Royal Mail', etc. The sender label does NOT prove the message is genuine; it tells you nothing about authenticity. The UK introduced an SMS Sender ID Protection Registry in 2024 that protects ~50 major brands from new senders impersonating them, but enforcement is partial and offshore senders still spoof regularly. Treat every SMS as potentially spoofed; verify any contact via a number you already trust (back of bank card, gov.uk for HMRC, etc.).

I clicked a smishing link — what now?

Act in this order. (1) If you entered banking credentials: call your bank fraud line immediately (most are 24/7; use the number on the back of your card, NOT the number in the text). (2) Change any passwords entered on the fake site. (3) Run an antivirus scan on the device if you downloaded anything. (4) Forward the original SMS to 7726 (free). (5) Forward phishing email variants to report@phishing.gov.uk. (6) File an Report Fraud report at reportfraud.police.uk. (7) If money was taken, start a PSR Mandatory Reimbursement claim. (8) Add CIFAS Protective Registration if ID details may have been compromised. (9) Watch for follow-up recovery-scam contact targeting your now-known-victim status.

What are the most common UK smishing variants?

Ten patterns dominate: (1) Royal Mail / Evri / DPD / Yodel — 'we tried to deliver, click here to reschedule'. (2) HMRC — 'tax rebate due' or 'unpaid tax penalty'. (3) Banks (Barclays/NatWest/HSBC/etc.) — 'new payee added' or 'suspicious activity'. (4) DVLA — 'driving licence requires update'. (5) DWP — 'Universal Credit payment pending verification'. (6) NHS — 'COVID-19 vaccine certification' (now rare but still circulating). (7) Amazon / Apple — 'order confirmation' or 'account locked'. (8) TV Licensing — 'licence payment failed'. (9) Council Tax — 'rebate available' or 'overdue payment'. (10) Family emergency (Hi Mum / Hi Dad) — 'I've lost my phone, message me on WhatsApp on [new number]'.

Can I report smishing to anyone besides 7726?

Yes — multiple channels accept reports and each fuels different anti-fraud work. (1) 7726 — universal UK carrier reporting. (2) 60599 — HSBC-specific. (3) 60069 — DVLA-specific. (4) NCSC — report@phishing.gov.uk for any phishing email/SMS. (5) Report Fraud at reportfraud.police.uk if you lost money or want a crime reference number. (6) Citizens Advice consumer line 0808 223 1133 for guidance. (7) Stop Scams UK consumer hotline 0300 320 1313 for in-progress scams. (8) FCA at fca.org.uk/contact if the smishing impersonates a financial firm. Forwarding to 7726 takes 5 seconds and is the highest-impact action — the data feeds national takedown work that protects everyone.

Related scam guides

Related scam guides