What's actually going on
You get a text that looks like it came from your bank. It sits right below a genuine message your bank sent you last week. Same conversation, same thread, same sender name at the top of the screen. The message says something alarming: a payment you did not make, a locked account, a security alert. There is a link to sort it out.
The link goes to a fake website built to look exactly like your bank's login page. You type in your username and password. Sometimes it asks for a one time passcode too. Within minutes, criminals have everything they need to clear out your account. This is called smishing (SMS phishing), and it is one of the fastest growing fraud types in the UK. Ofcom found that half of all UK mobile users received a suspicious text or iMessage between November 2024 and February 2025.
How they pull it off
The trick works because of the way mobile phones group text messages. Your phone uses the sender name, not the actual number, to decide which conversation a message belongs to. Criminals exploit this.
1. The spoofed sender name
When businesses send texts, they use an alphanumeric sender ID rather than a phone number. Your bank might send from "Barclays" or "NatWest" or "HSBC". Criminals can set the exact same sender name on their messages using cheap online SMS services. Your phone sees the matching name and drops the scam text into the same conversation thread as your genuine bank messages.
Why your phone can't tell the difference
The SMS system was designed in the 1980s and has no built in way to verify who actually sent a message. Ofcom has been working with mobile networks on new rules to block spoofed sender IDs, but full protection is still being rolled out across all providers.
2. The fake link
The text always contains a link. It might look close to the real thing, using a URL like "barclays-secure.co" or "hsbc-verify.com". Some use URL shorteners to hide the destination entirely. The link goes to a website that is a near perfect copy of your bank's login page. It can be very hard to spot the difference on a phone screen.
How they build convincing fake sites
- • They copy the HTML, logos, and colours from the real bank website
- • Many include HTTPS padlock icons to look legitimate
- • Some register domain names just hours before sending the texts
- • The sites often only last a few days before being taken down
3. They grab your login
Once you enter your details on the fake page, the criminals capture them in real time. Some of these operations are run by people sitting at a computer watching your details come through as you type them. They log into your real bank account within seconds using what you gave them.
One time passcodes do not make you safe
Many of these fake sites also ask for the one time passcode your bank sends you. If you enter it, the criminals use it immediately before it expires. Some operations have automated this process so the stolen passcode is entered within seconds of you typing it in.
4. The account is emptied
With your login credentials and passcode, they have full access. They change your contact details first so you stop receiving alerts. Then they transfer money out, often to multiple accounts in quick succession to make it harder for the bank to recover. The whole thing can happen in under ten minutes from the moment you click the link.
What these texts look like
The wording changes, but the pattern is always the same. Something alarming, followed by a link. Here are the most common versions reported to Action Fraud and the National Cyber Security Centre.
"Suspicious payment"
The most common one doing the rounds. A payment you did not make is being processed and you need to click a link to cancel it or your money will go. The amount is usually specific enough to feel real but not so large that you know it is made up.
"A payment of £214.99 is being processed from your account. If this was NOT you, visit [link] to cancel immediately."
"Account locked"
Your account has been temporarily restricted due to unusual activity. You need to verify your identity to unlock it. This one works well because many people panic at the thought of not being able to access their money.
"Your account has been temporarily locked due to unusual activity. Please verify your identity at [link] to restore access."
"New payee added"
A new payee has been added to your account and a payment is ready to go. If this was not you, click here. This plays on a specific fear because adding a new payee is something your bank actually does text you about in some cases, which makes the scam feel more plausible.
"A new payee 'J Smith' has been added to your account. If this wasn't you, secure your account now: [link]"
"Device login"
Someone has logged into your account from a new device. This is a tactic that plays on legitimate security alerts. Many banks do send device login notifications, so people are primed to take this kind of message seriously.
"A new device has logged into your account. If this wasn't you, please review your account security at [link]."
Why so many people fall for it
The reason these texts catch so many people is that everything about them feels right. The sender name matches your bank. The message sits below a genuine alert from last month. Your phone does not flag it or put it in a separate thread. There is no visual clue that anything is wrong.
On top of that, people read texts quickly. You are on the bus, at the supermarket, or halfway through cooking dinner. A message pops up saying your money is at risk. You tap the link without thinking twice. That instant reaction is what the fraudsters are counting on.
What makes it convincing
- • The text appears in the same thread as real bank messages
- • The sender name matches your bank exactly
- • The message uses the same kind of language banks use
- • People read texts fast and react on impulse
- • You cannot reply to business texts, so there is no way to verify
What should make you stop
- • Any text from your bank that contains a link
- • Urgency or threats about losing access to your account
- • Being asked to enter your details anywhere outside the official app
- • Spelling mistakes or slightly odd wording
- • A URL that does not match your bank's real website
How real bank texts differ from scam ones
UK banks have published guidance on what they will and will not include in text messages. This table is based on information from UK Finance, Barclays, Lloyds, HSBC, and NatWest.
Real bank texts
- Will never include a clickable link
- May tell you to call the number on the back of your card
- Might ask you to reply YES or NO to confirm a transaction
- Will reference your app for more details
- Send one time passcodes you requested yourself
Scam texts
- Contain a link you need to click
- Ask you to enter login details or personal information
- Create panic with words like "immediately" or "your account will be closed"
- Give you a phone number to call that is not your bank's real one
- Use a URL that is slightly different from the official website
If you get a suspicious text
Do not click the link
Even if it looks right. Even if it appeared in the same thread as your real bank messages. Do not click it. That is the single most important thing you can do.
Forward the text to 7726
7726 spells "SPAM" on a phone keypad. Forwarding the message to this number reports it to your mobile network, which helps block the sender and protect others. All UK networks support this service and it is free to use.
Open your banking app directly
If the message made you worried about your account, open your banking app yourself. Do not use any link in the text. If there really is a problem with your account, it will show up in the app or on the official website.
Call your bank on a number you trust
If you want to speak to someone, ring the number on the back of your card or dial 159 to be connected to your bank's fraud team directly.
159 is the UK's Stop Scams number, backed by most major high street banks. It routes straight through to your bank's genuine fraud department.
Delete the text
Once you have forwarded it to 7726, delete the message. This removes the temptation to click the link later and stops anyone else who picks up your phone from falling for it.
Already clicked the link?
Do not panic, but you need to move fast. The quicker you act, the better your chances of keeping your money safe.
-
1
If you entered your login details, call your bank now
Use the number on the back of your card or dial 159. Tell them you entered your details on a site you think was fake. They can lock your online banking and block transactions while they investigate.
-
2
Change your passwords straight away
Change the password on your online banking. If you use the same password anywhere else, change those too. Criminals know most people reuse passwords and they will try your details on other sites.
-
3
Check for unusual transactions
Look at your recent statements for any payments you do not recognise. Criminals sometimes make small test transactions before taking larger amounts. Report anything suspicious to your bank.
-
4
Report to Action Fraud
Call 0300 123 2040 or report online at actionfraud.police.uk. You will get a crime reference number. Even if you have not lost money, reporting helps the authorities track and shut down the criminals behind these texts.
The short version
Red flags
- • Any text from your bank that contains a link
- • Urgency or threats about your account being closed
- • A URL that is not your bank's real web address
- • Being asked to enter login details or passcodes
- • A phone number in the text that is not the one on your card
What to do
- • Do not click the link
- • Forward the text to 7726
- • Open your banking app directly to check
- • Dial 159 to reach your bank's fraud team
- • Report to Action Fraud (0300 123 2040)