Real Bank Text vs Smishing (SMS Phishing)
How to tell a genuine text from your bank from an SMS phishing (smishing) scam.
Last reviewed: 1 June 2026
Smishing attacks — phishing via SMS — succeed because they can appear in the same conversation thread as genuine messages from your bank. Scammers spoof sender IDs so their messages look like they come from 'YOURBANK'. But there is one difference that remains consistent: a real bank text never contains a link asking you to enter your full credentials or card details. Genuine fraud alerts and security messages either ask you to call the number on your card or log in via the official app — never via a link in the message itself.
Side-by-side comparison
| | Real bank text | Smishing |
|---|---|---|
| Link destination | Directs to the official app or official domain only | Links to a lookalike domain designed to harvest credentials |
| Credential request | Never asks for full passwords, PINs, or card details via a link | Linked page asks for login details, card numbers, and codes |
| One-time codes | Sends codes for actions you initiated; doesn't ask you to read codes back | Tells you to 'confirm' by entering a code the bank just sent |
| Action required | If fraud suspected, asks you to call back on the official number | Urgent link or call request that bypasses normal channels |
| Thread position | Consistent with a pattern of genuine bank messages | May appear in the same thread due to sender-ID spoofing |
Common red flags
- Link in a fraud alert asking you to enter card details or passwords
- Lookalike domain that closely resembles your bank's official URL
- Being asked to enter a code that was sent to you as part of 'verification'
- Urgency: 'your account will be suspended in 24 hours'
- Message sent at an unusual hour with no prior account activity to explain it
- Short link (URL shortener) used instead of a full bank domain
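
The red flags above can be turned into a simple triage check for a message filter or reporting inbox. This is an added example, not part of the original guide; the official domain `yourbank.example`, the shortener list, the keyword patterns and the flag names are all assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumptions (not from the page): the official domain and shortener list.
OFFICIAL_DOMAINS = {"yourbank.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
SECRETS = re.compile(r"\b(password|pin|card (details|number)|login details)\b", re.I)
CODE_ENTRY = re.compile(r"\b(enter|confirm)\b.{0,40}\bcode\b", re.I)
URGENCY = re.compile(r"\b(suspended|urgent|immediately|(with)?in \d+ ?hours)\b", re.I)
DIGIT_SWAPS = str.maketrans("0135", "oles")  # y0urbank -> yourbank

# Constructed sample messages, not real traffic.
SAMPLE_SMISH = ("YOURBANK: Unusual payment detected. Your account will be suspended "
                "in 24 hours. Confirm your card details at https://y0urbank.example/verify")
SAMPLE_GENUINE = ("YOURBANK: We noticed an unusual payment. Please call the number "
                  "on the back of your card or check the YourBank app.")


def is_official(host):
    """Exact official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def is_lookalike(host):
    """True for a non-official host that contains or nearly matches the bank name."""
    if is_official(host):
        return False
    labels = host.translate(DIGIT_SWAPS).replace("-", ".").split(".")
    brands = [d.split(".")[0] for d in OFFICIAL_DOMAINS]
    return any(b in l or SequenceMatcher(None, b, l).ratio() >= 0.85
               for b in brands for l in labels)


def red_flags(sms):
    """Return which red flags from the list above a message triggers."""
    hosts = [m.group(1).lower() for m in URL.finditer(sms)]
    flags = set()
    for host in hosts:
        if host in SHORTENERS:
            flags.add("short_link")
        elif is_lookalike(host):
            flags.add("lookalike_domain")
    if SECRETS.search(sms) and any(not is_official(h) for h in hosts):
        flags.add("link_with_credential_request")
    if CODE_ENTRY.search(sms):
        flags.add("asks_for_code")
    if URGENCY.search(sms):
        flags.add("urgency")
    return flags
```

An empty result does not prove a message is genuine; the check only surfaces the listed warning signs, and the sender ID is deliberately ignored because it can be spoofed.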
Verification steps
- Do not click the link; instead, open your bank's official app or type the URL directly
- Call the number on the back of your card if you're concerned about account security
- Check your account activity directly in the official app to see if the alert reflects reality
- Report suspicious texts to your national fraud SMS reporting number
What not to do
- Don't click links in unexpected bank texts asking you to verify credentials
- Don't enter card details, PINs, or one-time codes on a page you reached via a text link
- Don't assume a message is real because it appeared in the same thread as genuine bank messages
- Don't call a number provided in the text — find the official number independently
A safe response
Ignore the link and open your bank's official app directly to check your account. If there is a genuine problem, the app will show it. Report the text to your bank's fraud team and to your national SMS fraud reporting service.
Frequently asked questions
How can a fake text appear in the same thread as my real bank messages?
Scammers spoof SMS sender IDs so their messages display under the same label as your genuine bank texts. Phone carriers are working to prevent this, but spoofing remains possible. Never judge authenticity by thread position alone.
What if I already entered my details?
Call your bank immediately using the number on your card. Ask them to freeze the account if necessary and walk you through any security steps needed. Act quickly — the faster you call, the better the chance of limiting any loss.
Should I always ignore links in bank texts?
It's safest to ignore them and open the official app instead. Genuine bank texts work even if you don't click the link — any real account issue will be visible in the app.