Smishing — SMS phishing — has become one of the most prevalent forms of cyber fraud in the UK. Criminals send text messages impersonating trusted brands, tricking recipients into clicking malicious links, sharing personal data, or making payments. For the brands being impersonated, the damage extends beyond the immediate fraud — it erodes the trust that makes SMS marketing effective.
How Smishing Works
A typical smishing attack follows a predictable pattern:
- The victim receives a text that appears to come from a trusted brand — their bank, Royal Mail, HMRC, or a retailer
- The message creates urgency: "Your account has been locked", "You have a parcel waiting", "You're owed a tax refund"
- A link directs the victim to a convincing fake website that harvests login credentials, card details, or personal information
The attacks are increasingly sophisticated. Scammers use sender ID spoofing to make messages appear in the same conversation thread as legitimate messages from the brand they're impersonating.
The Scale in the UK
- 45 million UK adults received a suspected scam text in a six-month period (Ofcom)
- £479 million was lost to authorised push payment fraud in 2023, much of it initiated via SMS (UK Finance)
- 82% of UK adults have received at least one smishing message (Action Fraud)
How Smishing Damages Legitimate Businesses
Even if your business isn't directly targeted, smishing affects you:
- Reduced trust: Consumers become wary of all SMS messages, including legitimate ones
- Lower engagement: Recipients hesitate to click links in texts, even from brands they know
- Brand impersonation: If scammers spoof your sender ID, victims associate the fraud with your brand
- Regulatory pressure: Increased fraud leads to stricter regulations that add compliance burden for legitimate senders
Protecting Your Brand
Technical Measures
- Register your sender ID: Work with your SMS provider to register your brand's sender ID with UK mobile networks. This prevents scammers from spoofing it
- Use consistent sender IDs: Don't change your sender ID frequently — consistency helps recipients recognise legitimate messages
- Avoid URL shorteners: Shortened links look suspicious. Use your own branded domain for any links in messages
- Implement DMARC for SMS: Work with providers who support sender verification protocols
Content Best Practices
- Never ask for passwords, PINs, or full card numbers via SMS
- Don't create artificial urgency ("Act NOW or your account will be closed")
- Include your company name and a way for recipients to verify the message
- Direct recipients to your official website or app rather than embedding long URLs
What Faretext Does to Combat Smishing
Faretext takes a proactive approach to SMS fraud prevention:
- We verify the identity of every business customer before activating their account
- We monitor outbound traffic for patterns associated with fraud
- We register sender IDs with UK mobile networks
- We maintain strict governance policies and fraud prevention measures
Using a reputable provider with direct carrier connections is one of the most effective ways to protect your brand's SMS reputation. Connect with Faretext to discuss your messaging security.
Sources: Ofcom — Telecoms Research · UK Finance — Annual Fraud Report · Action Fraud
