Scam Texts UK: How to Spot, Check and Report a Fake Text

By Andy Pickett · Chief Technology Director and AI Champion

Published 10 June 2026 · About the author

Scam texts — also called smishing (SMS phishing) — are now one of the most common ways fraudsters reach UK consumers. They imitate banks, delivery firms, HMRC and even your own family to make you tap a link or hand over details. This guide shows you how to spot a fake in seconds, how to check who really sent it, and how to report it so the sender gets blocked.

The scam texts doing the rounds in the UK in 2026

Most scam texts are variations on a handful of templates. If a message matches one of these patterns, be on your guard:

• Delivery scams — “Your parcel could not be delivered, pay a £1.99 redelivery fee.” Royal Mail, Evri and DPD never ask for payment by text link.
• Bank fraud alerts — “A new payee has been added to your account. If this wasn’t you, visit [link].” Banks never ask you to confirm details through a text link.
• “Hi Mum / Hi Dad” messages — a “child” texting from a “new number” asking for urgent money. Always ring the old number to check.
• HMRC rebates or arrears — tax refunds and prosecution threats. HMRC sends some genuine reminders (see our 60300 short-code page) but never asks for bank details by text.
• Account-locked alerts — fake Apple, Google, Amazon or Netflix warnings designed to harvest your password.
• Missed-voicemail links — “You have a new voicemail” with a link that installs malware on Android phones.

How to check who really texted you

Before you act on any unexpected text, identify the sender:

• Full-length number (07…, 01…, 02…, 03…): run it through our free UK Phone Number Checker. You’ll see the number type, the Ofcom range holder, a risk level and reports from other people who got the same message.
• Short 3–8 digit number: look it up in our UK SMS short-code directory. Codes like 7726 and 65075 are genuine services; an unlisted code deserves caution.
• A name instead of a number: sender IDs like “EVRI” or your bank’s name can be spoofed. Judge the message by what it asks, not the name it shows.

You can also check our live list of the most-reported scam numbers in the UK — high-volume smishing campaigns usually appear there within days.

Seven red flags that a text is a scam

• It creates urgency — “within 24 hours”, “immediately”, “or your account will be closed”.
• It asks you to tap a link to pay, log in, or “verify” anything.
• The link domain is odd — royalmail-redelivery.com is not royalmail.com.
• It asks for a one-time passcode, PIN or password. No genuine organisation does this.
• The number is a normal mobile claiming to be a big organisation — banks text from registered sender IDs or short codes, not random 07 numbers.
• The tone is slightly off — odd grammar, generic greetings (“Dear customer”), or a “new number” story.
• You weren’t expecting it. Unprompted contact is the single biggest tell.

Real examples help calibrate your radar. Recent UK campaigns have used wording like “Royal Mail: your package has a £2.99 unpaid shipping fee”, “HSBC: a payment of £240.00 to MR J WALKER was attempted from a NEW DEVICE”, and “Mum I’ve broken my phone, this is my temporary number”. All three look plausible on a busy day. All three fail the same test: a link or a payment request you weren’t expecting.

What to do if you already tapped the link

Don’t panic — acting quickly limits the damage:

• If you entered card or bank details, call your bank now using the number on the back of your card. They can freeze cards and watch for fraud.
• If you entered a password you use elsewhere, change it everywhere and turn on two-factor authentication.
• If you downloaded anything (Android), uninstall it, run Play Protect, and consider a factory reset if your phone behaves oddly.
• Watch your accounts for a few weeks. Fraudsters often wait before using stolen details.

Why scam texts keep getting through

It’s reasonable to ask why, in 2026, your phone still receives obvious fraud. The answer is industrial scale. Criminal groups send millions of messages at a time through three main routes:

• SIM farms — racks of devices loaded with cheap pay-as-you-go SIMs, each sending thousands of texts before the number is burned and replaced. This is why the same scam arrives from a different 07 number every time.
• Spoofed sender IDs — bulk-messaging routes that let a sender display a name like “EVRI” or a bank’s brand instead of a number. Your phone may even thread the fake into a genuine conversation history, which is what makes these so dangerous.
• Compromised accounts abroad — international routes where UK rules are harder to enforce, often used for the high-volume delivery and prize scams.

UK networks now run firewalls that block hundreds of millions of scam texts a year, and every message you forward to 7726 trains those filters. Ofcom has also been tightening the rules on who can register branded sender IDs. But filters chase patterns, and fraudsters change wording weekly — which is why the human checks in this guide still matter.

Scam texts and scam calls: two arms of the same operation

The groups behind smishing rarely stop at texts. A common pattern is a text “from your bank” followed an hour later by a call from “the fraud team” — the text plants the worry, the call harvests the details. If a number has both called and texted you, look it up once and read the community reports: our checker covers London 020 numbers, mobiles and everything in between, and reports frequently describe exactly this one-two pattern. Treat an unsolicited call that references an earlier text as a near-certain scam.

How to report a scam text in the UK

Reporting takes seconds and genuinely gets numbers blocked:

• Forward the text to 7726 — free on EE, O2, Vodafone, Three and every UK virtual network. It spells “SPAM” on a keypad. Your network investigates and can block the sender for everyone. More detail on our 7726 short-code page.
• Lost money? Report it to Action Fraud on 0300 123 2040 (England, Wales and NI) or Police Scotland on 101.
• Bank impersonation? Tell your bank as well — they track active campaigns against their customers.
• Persistent marketing texts? Report the sender to the ICO and register with the free Telephone Preference Service.

Never reply to a scam text — not even “STOP”. A reply confirms your number is live and usually leads to more messages, not fewer. If a text came from a number you don’t recognise but you’re not sure it’s a scam, see our guide to handling texts from unknown numbers.

One more pattern worth knowing: campaigns are short. A typical smishing wave runs hard for a few days from a batch of numbers, then vanishes as reports pile up and the numbers get blocked. That has two practical consequences. First, a number with even two or three recent scam reports is almost certainly part of an active campaign — you don’t need fifty reports for confidence. Second, “this number has no reports” doesn’t prove innocence; you may simply be among the first recipients. When reports are absent, fall back on the red flags above and let the message’s demands make the decision.

Can your business be targeted too?

Yes — smishing increasingly targets staff phones with fake IT alerts, courier notices and CEO-impersonation messages. If your team uses company mobiles, build “check before you tap” into your security training, and make sure numbers can be looked up quickly. Connection Technologies supplies business mobile fleets with spam-filtering and mobile-device management included, so suspicious texts get flagged before they cost you money.

Get a quote: Business Mobiles or Hosted VoIP

Frequently Asked Questions