Short-Code Spoofing
A fraud where attackers mimic messages from legitimate five- or six-digit short codes used by businesses and governments, embedding malicious links or requests.
Also known as: short-code fraud, 5-digit SMS scam, short-code smishing
Last reviewed: 10 June 2026
Short codes — typically five or six digits such as 12345 — are leased by businesses and government agencies for bulk messaging: delivery alerts, two-factor codes, emergency alerts, and marketing. Because consumers have learned to trust messages from recognisable short codes, fraudsters create look-alike campaigns that appear to originate from those numbers. In practice, true short-code spoofing on domestic networks is technically difficult, so attackers more often register similar-looking short codes in foreign markets and route them internationally, or use sender-ID spoofing to display the same alphanumeric name.
The messages typically warn of package delivery problems, unpaid fines, or account suspension, and carry links to credential-harvesting or malware-serving sites. The messages can be indistinguishable from legitimate ones in terms of formatting and brand imagery.
Consumers should not click links in unexpected short-code messages. Go directly to the brand's website by typing the address manually. If you receive an unexpected two-factor code you did not request, treat it as a sign that someone is attempting to access your account and change your password immediately.