Introduction

Smishing and chat

Same patterns, different channel. Phishing via SMS, WhatsApp, and iMessage is shorter and more personal than email, and leans heavily on emotion. The routine stays the same: reflect, and verify the sender and the destination. The emphasis here is on verifying through a different channel.

What you will learn in this module
  • How phishing via SMS and chat works and why a sender name proves nothing
  • What to do about the 'Hi mum' scam: verify through a different channel
  • Practise with real SMS and chat messages, including a genuine one
Why different

Why SMS and chat need extra care

A short message on your phone feels more personal and more urgent than an email. And that is exactly where the traps are.

  • The sender name proves nothing. “NatWest”, “DHL”, or “Royal Mail” as the sender of an SMS can be faked (sender ID spoofing). The name is not evidence.
  • Links are harder to check. On a mobile you cannot easily hover over a link. Tap and hold the link to see the real address, or better, type the address yourself.
  • It is fast and emotional. A message from a “family member” or “colleague” counts on your willingness to help and your sense of urgency.
Real banks and government bodies do not send action links via SMS

Your bank, the government, or HMRC will never ask you to sign in or “verify” your details via an SMS link. If you get a message like that, it is almost certainly phishing.

The golden rule

The ‘Hi mum’ scam: verify through a different channel

A common form: a message from an unknown number claiming to be your child, partner, or a close friend. “I have lost my phone, this is my new number.” Then comes an urgent request for money.

The golden rule is simple: do nothing, and certainly do not make a payment, until you have actually spoken to or seen the person through a known channel. Call the old, known number. Meet up. Ask a verification question only the real person can answer.

Pressure not to call is itself the signal

“I cannot call right now” is not a coincidence. The scammer wants to avoid you hearing their voice. Do not let that rush you.

Example 1 of 3 · chat

“Hi mum”

Tap on the name at the top to see the number, then give your verdict. Feel free to switch between iMessage, Android, and WhatsApp.

Hi mum, it is me. I lost my phone and this is my temporary number. Can you save this number?
I cannot call right now. Can you urgently transfer £200 to a friend's account so I can pay a late bill? I will pay you back tonight. ❤️
The account number is sort code 20-00-00, account 12345678, in the name of L. Peters. Thanks mum!

Is this message phishing or trustworthy?

Example 2 of 3 · bank SMS

An SMS “from the bank”

Inspect the sender and the link before you judge.

NatWest: we noticed unusual activity on your account. Verify within 24 hours to avoid a block:

Is this message phishing or trustworthy?

Example 3 of 3 · watch out

Not every bank message is fake

Sometimes you do get a real message, for example a verification code that you requested yourself. Pay attention to the differences.

Your NatWest verification code is 458213. Never share this code with anyone, not even a NatWest employee.

Is this message phishing or trustworthy?

Practice · question 1 of 2
Just practice, this does not count toward your certificate
You get a WhatsApp from an unknown number: "Hi dad, new number, can you urgently transfer £300?" What do you do?
Correct: always verify through a different, known channel before you do anything. Call the old number or meet up. Replying to the message itself confirms nothing, because you are still talking to the scammer.
Practice · question 2 of 2
Which statement about a real SMS from your bank is true?
Correct: real banks never send an action link via SMS to sign in or 'verify', and they never ask for your code. The sender name can also be spoofed. When in doubt, go to the app or the official site yourself.
Summary

What you take away from module 3

  • Same patterns as email, but shorter, more personal, and more emotional.
  • A sender name (like 'NatWest' or 'mum') proves nothing: it can be spoofed or come from an unknown number.
  • Banks and government bodies never send an action link via SMS to sign in or verify.
  • For the 'Hi mum' scam: do nothing until you have actually spoken to the person through a known channel.
  • On mobile: tap and hold a link to see the real address, or type the address yourself.
Module complete

Module 3 complete 🎉

You can now recognise phishing via SMS and chat, and you know how to avoid the ‘Hi mum’ scam. In module 4 we look at phishing at work and what to do if something does go wrong.

3 of 5 modules

On your way to your “Recognising phishing” certificate

Complete all 5 modules and pass the final exam (at least 70%) to receive a personal certificate of attendance in your name.

Modules 1-3 complete · Module 4 · Final exam ≥ 70%