Text Message Scams: Fake Delivery, NHS and Tax Messages

In 2025, the French Cybermalveillance.gouv.fr platform recorded a 53% increase in reports related to fraudulent text messages compared to 2023 (source: Cybermalveillance.gouv.fr annual report, March 2025). Seniors are particularly targeted. This guide helps you recognise these fake messages and adopt the right responses — without panic.

Receiving a text from a delivery service, the NHS, or a tax authority can seem perfectly normal. That is exactly what scammers exploit. They impersonate trusted organisations to push you into clicking a link and sharing your personal or bank details. This technique is called smishing (a combination of SMS and phishing).

The good news: with a few simple habits, you can spot these fake messages in seconds.

Why fraudulent texts are so effective

A trusted channel misused

Text messaging is perceived as an official and personal channel. According to a study by the French Banking Federation published in September 2024, 72% of French people over 60 trust a text message more than an email for official communications. This trend is similar across Europe.

Scammers know this. They send millions of texts in bulk using automated platforms, hoping that a small percentage of recipients will click.

Urgency as a lever

Almost all fraudulent texts play on urgency:

• “Your parcel is waiting, pay 1.99 delivery fee within 24 hours”
• “Your health card is about to expire”
• “A refund of 248.50 is waiting for you”

This urgency pushes you to act fast, without thinking. That is exactly the desired effect.

The 3 most common text scams in 2025-2026

1. Fake delivery texts (Royal Mail, DPD, Hermes)

What it looks like:

You receive a text like: “Royal Mail: your parcel could not be delivered. Confirm your address and pay 1.95 redelivery fee here: [link].”

The link leads to a site that looks exactly like the official delivery site, but whose address (URL) is different.

Testimonial: Martine, 68, retired, December 2025: “I was actually expecting a parcel from my son. The text came at just the right time. I clicked and entered my card details. I was charged 1.95, then 89 euros three days later.” (source: signal-arnaques.com forum)

How to recognise it:

• Delivery services never send texts asking for payment via a link
• The URL does not match the official website domain
• The amount is small (1 to 3 euros/pounds) to seem harmless
• The tracking number does not correspond to any real shipment

The right response: If you are expecting a parcel, go directly to the official tracking website by typing the address yourself. Never click the link in the text.

2. Fake health service texts (NHS, Ameli)

What it looks like:

“NHS: your new health card is available. Update your details to receive it: [link].” Or: “Health Service: a refund of 312.80 is pending. Confirm your bank details.”

How to recognise it:

• Health services do not send payment links by text
• The URL is not the official domain but an imitation
• Health services never ask for your bank card number by text

The right response: Log in to your health service account directly via the official website or app. Any legitimate message will be visible there.

3. Fake tax texts (HMRC, DGFiP)

What it looks like:

“HMRC: following your declaration, a refund of 184.30 has been calculated. Receive it within 48 hours by confirming your bank details: [link].”

How to recognise it:

• Tax authorities never refund via a text link
• Refunds are paid automatically to your known bank account
• The URL does not match the official tax website
• The message creates artificial urgency (“within 48 hours”)

The right response: Check your personal tax account directly by typing the address yourself. If a refund is due, it will be shown there.

How to recognise a fake text in 4 steps

Step 1: Check the sender

Real official texts come from short names. But be careful: these names can be spoofed. A legitimate sender name does not guarantee the text is genuine.

Step 2: Examine the link without clicking

Look at the URL in the message without clicking it. Official sites use their real domain names. If the URL contains suspicious hyphens, added words, or a different domain, it is a scam.

Step 3: Consider the urgency

An official organisation never puts you under pressure to pay or confirm your data “within 24 hours” by text. Urgency is the most reliable sign of a scam.

Step 4: Verify through the official channel

When in doubt, contact the organisation directly using their official phone number or website.

What to do if you clicked the link

Do not panic. Here are the steps to follow:

If you only clicked without entering anything

The risk is low. Close the page. As a precaution, clear your browser cache and run an antivirus scan if you have one.

If you entered your bank details

1. Call your bank immediately to cancel your card
2. Monitor your bank statements in the following days for suspicious charges
3. File a report with your local police or national fraud centre

If you entered your login credentials

1. Change your password immediately on the official site
2. Change it on all sites where you use the same password
3. Enable two-factor authentication if the service offers it

How to report a fraudulent text

Reporting is important: it allows authorities to block numbers and shut down fake sites.

In the UK: Forward to 7726

Forward the fraudulent text to 7726 (free). The number will be passed to your mobile operator who can block it.

Report online

Use your national fraud reporting platform:

• UK: Action Fraud (actionfraud.police.uk)
• France: Pharos (internet-signalement.gouv.fr) and 33700

5 habits to avoid being tricked again

1. Never click on a link in a text asking for payment or personal information. Always go directly to the official website by typing the address.

2. Be wary of urgency. No official organisation threatens consequences if you do not respond within hours.

3. Talk about it. If a text seems suspicious, show it to a relative or call the organisation. There is no shame in asking for advice.

4. Report systematically. Every report counts to block fraudulent numbers.

5. Keep your phone updated. Smartphone updates fix security vulnerabilities. According to the ANSSI, 60% of attacks exploit known vulnerabilities already fixed by updates (source: ANSSI “Mobile Security” guide, 2024).

Conclusion: vigilance is your best protection

Text scams are increasingly sophisticated, but they all rely on the same mechanisms: imitating a trusted organisation and creating urgency. By knowing these mechanisms, you are already well protected.

If you must remember just one rule: never click on a link in a text asking you to pay or provide personal information. Always go directly to the official website.

And if you have doubts, talk to a relative or call your national fraud helpline. It is never too late to ask for help.

---

Editorial note

Sources consulted: Cybermalveillance.gouv.fr annual report 2024, ARCEP report 2024, DGCCRF report 2024, ANSSI “Mobile Security” guide 2024, French Banking Federation (September 2024 survey), signal-arnaques.com forum, Pharos platform.

Limitations of this guide: The text examples presented are based on real reports but exact wording varies constantly. Scammers constantly adapt their messages. Reporting figures may not reflect the true scale of the problem (many victims do not report).

Verification date: 26 March 2026

Conflicts of interest: none

Questions fréquentes

How do I recognise a fake delivery text message? ▼

What should I do if I clicked on a fraudulent link in a text? ▼

How do I report a fraudulent text message? ▼

Does the NHS send texts asking for bank details? ▼

Can HMRC text me about a tax refund? ▼