Smishing: How to Spot a Fake Bank Text Message
Smishing is SMS phishing — fake bank texts designed to steal your credentials. Learn the 6 signs and what to do if you responded.
Last Updated: February 2026
Key Takeaways:
- Smishing is SMS phishing — a fake bank text designed to steal your credentials or money
- Fraudulent texts can appear in the same conversation thread as genuine bank messages due to sender ID spoofing
- Never click a link in an unexpected banking text — navigate directly to your bank's app or website
- The 6 red flags in this article apply to virtually every smishing attempt
- Report suspicious texts to your bank and to your national text-spam reporting service
What Is Smishing?
"Smishing" combines SMS and phishing. It is a fraudulent text message designed to look like it comes from your bank, a payment provider, a delivery company, or a government agency — with the goal of tricking you into clicking a link, calling a number, or sharing information.
Bank smishing specifically targets your banking credentials or tricks you into initiating a transfer.
What makes smishing particularly effective is that mobile users are often more trusting of text messages than emails — texts feel personal, immediate, and often come from a small number of trusted senders. Criminals exploit this trust by spoofing legitimate sender IDs.
The Sender ID Spoofing Problem
On many mobile networks, the displayed sender name in an SMS is not verified. A criminal can send a message that appears to come from "Barclays," "Chase," or "HMRC" — and it may appear in the same conversation thread as genuine messages from that organisation.
What this means for you: The sender name displayed in a text message is not evidence that the text is genuine. The message content and where its links lead are what matter.
6 Red Flags in a Smishing Message
1. Urgency and Threats
"Your account will be suspended unless you verify within 2 hours." "Suspicious activity detected — click now to prevent account closure."
Genuine bank texts about genuine issues do not typically threaten account closure unless you act immediately. If a text creates extreme urgency, slow down.
2. A Link to a Non-Bank Domain
A genuine bank text, where it does include a link, will use the bank's own registered domain. Be suspicious of:
- Links to shortened URLs (bit.ly, tinyurl.com, etc.)
- Links with the bank's name embedded but not as the primary domain: chase-alert.com rather than chase.com
- Long, garbled URLs with multiple hyphens or numbers
Best practice: Do not click any link in a banking text. Instead, open your banking app directly or type your bank's URL manually.
3. A Request to Call a Number in the Text
"Please call 0800 XXX XXXX immediately regarding suspicious activity." The number in the text may be a criminal's line, not your bank's. Always call the number on the back of your card or on your bank's official website.
4. A Request for Personal Information
No legitimate bank text will ask you to reply with your full card number, password, or PIN. Ever.
5. It References a Transaction You Don't Recognise
"A payment of £750 has been processed. If this wasn't you, click here." This is effective because it triggers concern — but clicking the link takes you to a phishing page. The safer action: open your banking app and check your transactions directly.
6. It Asks You to Approve a "New Payee" or "Transfer"
"You have a pending outgoing payment. Approve or reject here: [link]" If you receive an authentication request you did not initiate, it means someone is attempting to access or use your account. Do not click "approve." Call your bank immediately.
Smishing Example Messages
These are illustrative examples based on reported patterns:
[NATWEST]: Unusual activity detected on your account. Action required now: natwestsecure.alerts.com
Why it's fake: "natwestsecure.alerts.com" is not NatWest's domain (natwest.com). The urgency is a pressure tactic.
LLOYDS BANK: A new device has been linked to your account. If this wasn't you, verify: lloydsportal.link/verify
Why it's fake: Shortened domain, urgency around a security event designed to panic.
HMRC: You are due a tax refund of £284.49. Claim your refund: bit.ly/refund-claim
Why it's fake: HMRC does not send refund links by text. Shortened URL.
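The domain check from red flag 2, run over the three example messages above, as an added example that is not part of the original article. The allowlist, shortener list and brand words are illustrative assumptions, and the last two sample messages are constructed test cases.

```python
import re

# Assumptions for this example: the allowlist, shortener list and brand words
# are illustrative; a real filter would load the bank's published domains.
OFFICIAL_DOMAINS = {"natwest.com", "chase.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
BRAND_WORDS = {"natwest", "chase", "lloyds", "hmrc"}

# Matches bare or scheme-prefixed hosts such as "bit.ly/x" or "https://chase.com".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def is_official(host):
    """True only for an allowlisted domain or a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_host(host):
    """Label a host using the link checks listed under red flag 2."""
    host = host.lower()
    if is_official(host):
        return "official"
    if host in SHORTENERS:
        return "shortener"
    if any(word in host for word in BRAND_WORDS):
        return "brand-in-non-bank-domain"
    return "non-bank-domain"


def link_flags(message):
    """Return (host, verdict) for every link-like token in an SMS body."""
    return [(h, classify_host(h)) for h in HOST_RE.findall(message)]


# Three example messages quoted from the article, plus two constructed cases.
SAMPLES = [
    "[NATWEST]: Unusual activity detected on your account. Action required now: natwestsecure.alerts.com",
    "LLOYDS BANK: A new device has been linked to your account. If this wasn't you, verify: lloydsportal.link/verify",
    "HMRC: You are due a tax refund of £284.49. Claim your refund: bit.ly/refund-claim",
    "Constructed: view your statement at https://www.chase.com/statements",
    "Constructed: confirm now at chase.com.verify-login.example",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(link_flags(sms))
```

The match is anchored on the end of the hostname, so a bank name placed at the start of the host (chase.com.verify-login.example) or glued onto another label (notchase.com) is not treated as the bank's domain. An "official" verdict only means the host matches the allowlist; navigating directly to the bank's app or site remains the safer action.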
What to Do With a Suspicious Text
- Do not click any link
- Do not call any number in the text
- Do not reply — some smishing texts harvest data even from replies
- If you are genuinely concerned about your account, open your banking app directly or call the number on your card
- Report it:
  - UK: Forward to 7726 (spells "SPAM") — a free reporting service across major carriers
  - US: Forward to 7726 or report to FTC at reportfraud.ftc.gov
  - Forward to your bank: Most banks have a number or email for reporting phishing/smishing
- Delete the message after reporting
If You Clicked a Smishing Link
Act quickly:
- If you entered any banking credentials, call your bank immediately and change your password from a clean device
- If you only clicked (did not enter information), still change your banking password as a precaution and run a malware scan on your device
- Enable or change your 2FA method if you believe credentials were captured
- Monitor your account closely for the next 60 days
- Report to your national fraud reporting service
See also: Payment Fraud Incident Response: A Step-by-Step Guide
How Smishing Relates to Vishing and SIM Swap
Smishing, vishing, and SIM swap are often used together in the same attack:
- Smishing harvests your banking credentials (via fake login page)
- Vishing harvests your OTP (a follow-up call asks you to "confirm" the code just sent to your phone)
- SIM swap may be used to take over your number so the criminal receives your real OTPs
Understanding how these techniques connect helps you recognise a multi-stage attack.
See also: Vishing: The Phone Call Scam That Empties Bank Accounts, and SIM Swap Fraud Explained: What It Is and How to Stop It
Frequently Asked Questions
Q: A text appeared in the same conversation thread as my real bank messages. Doesn't that mean it's genuine?
A: No. Criminals use sender ID spoofing to insert fraudulent messages into existing genuine threads. The thread location is not evidence of legitimacy.
Q: I accidentally clicked a smishing link but didn't enter any details. Am I safe?
A: You may be — but not certainly. Simply clicking a malicious link can, in some cases, trigger a drive-by download that attempts to install malware on your device. Change your banking password as a precaution and run a security scan on your phone.
Q: Why do banks send texts at all if they can be faked?
A: Genuine bank texts serve legitimate purposes (transaction alerts, OTPs, fraud flags). The challenge is that the SMS infrastructure does not provide reliable sender authentication. Banks are working on more secure alternatives, but SMS remains prevalent. The consumer defence is never to click links in banking texts — always navigate directly.
Q: Can smishing steal my money without me clicking anything?
A: No — smishing requires your interaction (clicking, calling, or replying) to succeed. The link is the attack vector; it does nothing without your click.