What is smishing?


You are mid-morning, halfway through a cup of tea, when your phone buzzes. It is Royal Mail, apparently, letting you know there is a package waiting and that you owe £2.99 to rebook the delivery. The link looks plausible enough. The message sounds exactly like something Royal Mail would send. So you tap it.

This is smishing in action, and it catches far more people than you might expect, particularly as malicious text messages become more sophisticated.

If you have received a suspicious text message that you believe may have compromised your personal or business information, contact Zensec immediately.

What is smishing?

Smishing is the term for phishing attacks carried out via text messages. The term combines “SMS” with “phishing,” the well-known social-engineering tactic that tricks people into handing over sensitive data through deceptive messages.

While phishing is mostly associated with email, smishing applies the same principles to the SMS messages that land on your phone every day.

It is not limited to traditional SMS (Short Message Service) either. Smishing attacks arrive via iMessage, WhatsApp, and other messaging channels with the same frequency.

Wherever you receive messages, threat actors will try to reach you on your mobile devices.

Why text messages work so well

One reason smishing has grown so rapidly is that people instinctively trust text messages more than emails. Most of us have been trained, over years of exposure, to be suspicious of unsolicited emails. We know about spam folders, we have seen dodgy subject lines, and we understand that an email from a Nigerian prince is probably not legitimate.

Text message scams feel different. They feel personal. They come from our network providers, legitimate service providers, and the couriers delivering our parcels. Criminals know this, and they exploit it deliberately.

Criminals use this trust to trick victims into sharing their login credentials, account details, and personal details. It’s also important to remember that many attacks are part of wider smishing campaigns, where thousands of identical messages are sent in bulk.

According to data from Barclays’ 2025 scam report, SMS-originated scams surged by 40% compared to the previous year. Fraud now accounts for an estimated 41% of all crime in England and Wales, according to the National Crime Agency, and smishing sits at the heart of much of it, alongside related threats like voice phishing and identity fraud.

The most common types of smishing attacks in the UK

There are many types of SMS phishing attack in the UK, but each has a similar goal: to access your personal or financial details. Here are the most common types of smishing:

Parcel delivery scams

These scams are currently among the most widely reported in the UK. You receive a text claiming to be from Royal Mail, Evri, or DPD, stating that a delivery has been missed or that a small customs fee is due.

The link often leads to a convincing fake site or fake login page, designed to capture your bank account details or payment information.

HMRC impersonation

Another persistent offender is HMRC impersonation. Since 2023, HMRC has received over 296,000 reports of impersonation attempts, with a significant portion arriving via text.

These messages typically claim you are owed a tax refund, or that you owe unpaid tax and face penalties. The urgency in the messaging is a deliberate smishing tactic: it is designed to make you act before you think.

Bank impersonation texts

Financial services smishing scams are particularly dangerous because they can appear in the same conversation thread as genuine messages from your bank. Criminals spoof sender names in these attacks, meaning a fraudulent text can appear directly beneath a legitimate one.

These messages typically warn you of unusual activity on your account and urge you to log in immediately via the provided link, which leads to a convincing replica of your bank’s website.

How smishing attacks work

Most smishing attempts follow a predictable pattern, even if the disguise varies:

  • A message arrives from what appears to be a trusted organisation.
  • It contains either a link or a phone number.
  • The goal is to get you to take one of three actions: click the link, make a phone call, or reply with personal information.

If you click the link, one of two things typically happens. You may be taken to a fake website designed to harvest your credentials, card details, or personal information. Alternatively, and more seriously, visiting the link may trigger the download of malicious software onto your device.

This malware can masquerade as a legitimate app, quietly running in the background while it collects login details, intercepts messages, or monitors your activity.

For businesses, the consequences can extend well beyond one compromised phone. Malware installed through a smishing attack has been used to gain a foothold in corporate networks, escalating from a single compromised handset into something far more damaging. In the most serious cases, attackers use this access to deploy ransomware that locks organisations out of their own systems and data, often with devastating consequences.

Spear smishing: When attacks get personal

While most smishing is sent in bulk to thousands of numbers at once, a more targeted variant known as spear smishing is becoming increasingly common. Criminals research their targets using publicly available information, often drawn from social media profiles, LinkedIn, or data exposed in previous breaches. The result is a message that feels genuinely personal.

A spear smishing message might reference your employer, a recent purchase, or even the name of a colleague.

This level of personalisation is designed to lower your guard considerably, and it works. Advanced social engineering techniques drive these attacks and are increasingly used in coordinated smishing campaigns.

How to spot a smishing message

Smishing messages have become increasingly polished, but there are still patterns worth watching for.

  • Any message that creates a sense of urgency, whether that is a threat of a fine, a missed delivery fee, or a looming account suspension, deserves additional scrutiny before you act.
  • Legitimate organisations, whether your bank, HMRC, or a courier company, will never ask you to provide sensitive information, confirm card details, or log in via a link sent in a text message.
  • Shortened URLs, mismatched domain names, or links to unfamiliar web addresses in an otherwise official-looking message are a reliable warning sign.
  • Spelling errors and grammatical inconsistencies still appear in many smishing messages, particularly those originating from international criminal operations using translation tools.

If something feels slightly off about a message, even if you cannot pinpoint exactly why, that instinct is worth listening to.
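For security teams triaging reported texts, the warning signs listed above can be expressed as simple checks. The sketch below is an added example, not code from Zensec: the brand-to-domain allowlist, the keyword lists, and the sample messages are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration: brand name -> domains it really uses.
BRAND_DOMAINS = {"royal mail": {"royalmail.com"}, "evri": {"evri.com"},
                 "dpd": {"dpd.co.uk"}, "hmrc": {"gov.uk"}}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small sample, not exhaustive
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY = re.compile(
    r"\b(immediately|urgent|final notice|suspended|penalt(?:y|ies)|fine)\b", re.I)
SENSITIVE = re.compile(
    r"\b(card details|bank details|log ?in|password|pin|verify your)\b", re.I)

def on_domain(host, domain):
    # Exact match or a true subdomain; "royalmail.com.evil.example" must fail.
    return host == domain or host.endswith("." + domain)

def indicators(message):
    """Return the sorted warning signs found in one SMS body."""
    found = set()
    brands = [b for b in BRAND_DOMAINS
              if re.search(rf"\b{re.escape(b)}\b", message, re.I)]
    urls = URL.findall(message)
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host in SHORTENERS:
            found.add("shortened_url")
        for brand in brands:
            if not any(on_domain(host, d) for d in BRAND_DOMAINS[brand]):
                found.add("domain_mismatch")
    if URGENCY.search(message):
        found.add("urgency")
    if urls and SENSITIVE.search(message):
        found.add("sensitive_request_via_link")
    return sorted(found)

# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "Royal Mail: parcel waiting. Pay £2.99 to rebook: https://royalmail-redelivery.example/pay",
    "HMRC: you face penalties for unpaid tax. Log in immediately: https://bit.ly/EXAMPLE",
    "Royal Mail: track your item at https://royalmail.com.parcel-fee.example/t",
    "Royal Mail: your parcel arrives today. Track: https://www.royalmail.com/track",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(indicators(sms) or ["no indicators"], "<-", sms)
```

These checks are triage signals rather than verdicts: a message with no indicators can still be fraudulent, and the domain comparison deliberately rejects hosts that merely contain a brand's domain as a prefix.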

What to do if you receive a suspicious text

Do not click any links, call back any numbers listed in the message, or reply to it. If the message claims to be from an organisation you have a genuine relationship with, contact them directly using the phone number or website you already have saved, not any details provided in the text.

A quick search for the sender’s number online will often confirm whether others have received the same scam message.

You can report suspicious texts in the UK by forwarding them to 7726, a free service available on all major networks. This feeds directly into the National Cyber Security Centre’s (NCSC) takedown processes. Between April 2020 and April 2025, reports made via 7726 led to the removal of over 27,000 scam websites.

What to do if you have already clicked

If you have already tapped a link or entered information into a website you now suspect was fraudulent, act quickly. Change the passwords on any accounts you may have accessed or whose credentials you entered, starting with your bank and email accounts. Contact your bank directly if you provided any financial details, and let them know what happened. They can often freeze transactions or flag your account for additional monitoring.

Report the incident to Action Fraud at www.actionfraud.police.uk, which is the UK’s national reporting centre for fraud and cybercrime. If the incident involved a business device or a corporate account, your IT or security team needs to know immediately so they can assess whether further access to your organisation’s systems has occurred.

The broader picture for businesses

For individuals, smishing is disruptive and potentially costly. For businesses, the stakes are higher. A single employee who clicks a malicious link, particularly on a device connected to a corporate network or cloud services, can give attackers a way in that far exceeds what the initial text message implied.

The volume of smishing attacks in the UK is not falling. The NCSC’s Suspicious Email Reporting Service has received over 41 million reports since 2020, and the rate of reporting increased by 44% year-on-year in 2023 alone. Raising staff awareness of what smishing looks like and building a culture where people feel comfortable reporting suspicious messages without embarrassment remain among the most cost-effective things an organisation can do.

Being caught out by a well-crafted smishing attack does not reflect poorly on someone’s intelligence. These messages are designed by professionals who understand human psychology. What matters is knowing what to do next and taking steps to prevent smishing attacks in the future.