How do I protect myself from smishing (SMS phishing) attacks?
Never click a link in an unexpected text about a bank account, delivery, or government benefit — go directly to the organisation's app or website instead to check any claimed issue.
Last reviewed: 10 June 2026
Explanation
Smishing (SMS phishing) sends fraudulent text messages that impersonate banks, delivery carriers, tax authorities, and government benefit programs. SMS is more trusted than email by many recipients because it feels more personal and immediate, and because phone numbers carry an appearance of accountability that email addresses do not. Scammers exploit this trust differential to achieve higher click rates.
The most common smishing formats are: bank fraud alerts asking you to call a number or click a link to verify a suspicious transaction; parcel delivery notifications requiring a small fee or address confirmation; HMRC or IRS notifications about a tax refund or overdue payment; and benefit or government account notifications about an update required to continue receiving payments. In each case, the link goes to a convincing fake login page that captures your credentials or card details.
The safe response to any unexpected text about a financial account or service is to go to that service's official app or website directly — never via the link in the text — and check whether there is any genuine notification waiting for you. Real banks send authenticated in-app alerts; real delivery carriers have a tracking page on their official website; real tax authorities communicate primarily by post for significant matters.
If you receive a smishing text, report it without clicking the link: forward it to 7726 (SPAM) in the US and UK. This feeds data to carrier systems that flag and block high-volume smishing campaigns. The FTC and NCSC in the UK also accept smishing reports.
Common red flags
- Unexpected text from your bank saying a transaction was blocked — with a link
- Delivery notification with a customs or re-delivery fee link from a number you do not recognise
- HMRC, IRS, or government benefit notification requiring immediate action via a link
- Text from a short code number with an offer that seems too good to be true
- Link in the text does not match the official domain of the claimed organisation
- Text creates urgency: 'act within 24 hours or your account will be closed'
What to do now
- Never click links in unexpected texts about bank accounts, deliveries, or government benefits
- Open your bank app or the carrier's official website directly to check any claimed issue
- Forward smishing texts to 7726 (SPAM) without clicking the link
- Block the sending number on your phone after forwarding
- Report smishing texts to the FTC at ReportFraud.ftc.gov
- If you already clicked and entered details, contact your bank immediately and change your passwords
Frequently asked questions
How do I know if a text is from my real bank?
Your bank sends texts from a short code or number you can verify by calling your bank directly and asking what sender ID they use. More importantly, no genuine bank text requires you to click a link to 'verify' account details — banks handle anomalies through their app or a call to the number on your card.
Can I get a virus just from receiving a smishing text?
Receiving a text is safe. The risk occurs if you click the link, which may lead to a phishing page or trigger a malicious download. On most modern phones, simply receiving a text poses no risk. Block and delete the message.