How do I spot a fake bank text message?
Fake bank texts create false urgency about account problems and ask you to click a link or call a number — your real bank never needs you to verify details by text.
Last reviewed: 10 June 2026
Explanation
Fraudsters send texts that mimic your bank's name, sometimes appearing in the same thread as genuine messages because they spoof the sender ID. The goal is to panic you into clicking a link that leads to a fake login page where your credentials are harvested, or to call a number staffed by the fraudster.
The most reliable tell is the action they want you to take. A genuine bank alert says 'your card ending 1234 was used at Tesco — reply Y to confirm or N to dispute.' A fake alert says 'your account is suspended — verify now at bit.ly/bank-confirm' or 'call us immediately.' That combination of threat plus external link is the signature.
Check the URL in any link before tapping. Real bank domains are short and exact — yourbank.co.uk or yourbank.com. Fake ones add hyphens, swap letters, or use a subdomain like yourbank.secure-login.net where the real domain is secure-login.net, not yourbank.co.uk.
If you receive a suspicious bank text, open your bank's official app or call the number on the back of your card independently. Never call back a number given in the text and never type your full password into a page you reached from a text link.
Common red flags
- Link domain does not exactly match your bank's official website
- Message asks you to 'verify', 'confirm' or 'update' account details by clicking
- Urgent tone: 'your account will be closed', 'unauthorised access detected'
- Sender is a generic mobile number rather than a named short-code
- Text contains spelling errors or awkward phrasing
- The message asks for your full PIN or password
What to do now
- Do not tap any link in the text
- Open your bank's official app and check your account directly
- Call the number on the back of your debit or credit card
- Forward the text to 7726 (SPAM) in the UK, or report to the FTC in the US
- Delete the text after reporting it
- If you did click the link, change your online banking password immediately and tell your bank
Frequently asked questions
Can scammers make their text appear in my real bank's thread?
Yes. They spoof the alphanumeric sender ID your bank uses. Appearing in the same thread is not proof of legitimacy — always verify through the bank's official app or card-back number.
What if I already tapped the link?
Close the page immediately. Change your online banking password, then ring your bank's fraud team using the number on your card.
Does two-factor authentication protect me?
Partly. Smishing attacks often try to steal the OTP in real time through a fake site. Never enter an OTP on a page you reached from a text link.