Text message scams are rife at the moment with a wave of new scammers using the Coronavirus COVID-19 crisis to target new victims.

They use common tactics to scare people into clicking the link, thinking that an account has been locked or you need to take action to stop something bad happening. Being techy minded I know what to look for but It’s still easy to get caught out!

This article will explain a few things that may help to identify these dodgy messages.

5 simple steps to staying safe

  1. Text message scams and how they work
  2. The Link – look closer
  3. The sender
  4. The potential risk of the CTA
  5. What you can do

Most of us have seen texts like this at one time or another. Right?

HSBC text message scams

At first glance, it looks quite genuine. It says ‘HSBC’ (I have an HSBC account), and all I need to do is click the link to unlock my account. It can’t do that much harm can it? Unfortunately it can lead to huge issues, depending on what the scammer is trying to get from you. These things are not personal, they are sent out in bulk. Even if only a small percentage of the message work, it’s worth it for them.

Education in the only tool we really have to stop them, or at least make their tricks more well-known.

1. Text Message Scams (smishing) and how they work

This scam involves a fraudster sending text messages (also known as an SMS) at random to mobile phones. The text messages claim to come from a reputable organisation such as your bank or mobile phone company.

The message will try to trick you into clicking on a link to a bogus website or calling a phone number, usually by claiming you need to “verify” or “update” your details or “reactivate” an account. The criminal will then attempt to get you to disclose personal or financial information, which they will use for their own fraudulent purposes.

Often the messages will attempt to alarm you, claiming that you need to act urgently or face serious consequences.

How to avoid this type of scam:

Be wary of text messages that:

  • are unsolicited and supposedly come from a reputable organisation, such as a bank or credit card company
  • encourage you urgently to visit a website or call a number to verify or update your details
  • request your personal information such as username, password or bank account.


  • do not reply to the text message
  • be cautious about clicking on any links that may be embedded or calling the number in a text message

If you think you might have responded to a text message scam and provided your bank account details, contact your bank immediately. Source: FFA website – click HERE to visit.

2. The link in the message – look closer

In these images, the links appear legit. The bank one has HSBC and the Tax one has the word TAX in it. The part that is important is the TDL or Top Level Domain.

Top Level Domain Definition

The letters at the end of a website address are known as its TLD. Examples of toplevel domains include the oldest and most recognizable .com, . net and . org

To explain this, you need to know a bit about domain names.

Text message scams what is in a domain name

The part that matters is the LAST PART. Known as the ‘domain name’ or ‘main domain’.

Any website owner can create a sub-domain with any name they choose. I’ll show you how in a minute.

In these examples, these are the domains with the subdomains showing:

  • HSBC.customer-info2020.com
  • tax.refund-ref121l.com

The subdomains are HSBC and TAX. If we remove the sub-domains, we are left with the main domain or website that created the sub-domains.

  • customer-info2020.com
  • refund-ref121l.com

Note: URL’s or website addresses are NOT case sensitive. The capital letters used in the ‘HSBC’ example are there to make sure the user notices it quickly and then automatically assumes it to be legit, especially if the user happens to have an account with the bank or organisation being used.

Let’s have a look at the HMRC message in more detail:

HMRC text message scams

Do we still think this is from the real HMRC? Here’s how’s they do it.

Sub-domains – our working case study

We’ve created the new subdomain on our website to show how it works.

Our new subdomain is hsbc.dieselcoffee.ltd and we’re going to point it to another website. Our main domain is dieselcoffee.ltd.

From the website Cpanel, we login and create a new sub domain.

This new subdomain can have its own email accounts, full website installed with separate databases and works separately from anything on the main domain.

Creating a new sub domain using HSBC

Creating a new sub domain using HSBC

hsbc.dieselcoffee.ltd re-directs to MedwaySEO.com

hsbc.dieselcoffee.ltd re-directs to MedwaySEO.com

So, the new subdomain ‘hsbc.dieselcoffee.ltd’ we created now re-directs to MedwaySEO.com.

Working example: https://hsbc.dieselcoffee.ltd/ – If this is working correctly, it should redirect you to Medway SEO, this is one of our brands.

3. The sender – a random mobile?

Take a look at the number that sends the message. A random mobile number that is not in your contacts? Most organisations never notify you of problems in this way. They also publish their policies for contacting customers.

4. The potential risk of the CTA

A CTA is marketing speak for a Call To Action. This is the action we want people to take when visiting a site. On legit websites, this action will lead you to a page of information, send a message or ask you to complete a form.

On the internet a link or URL can literally lead you anywhere. These links can install software, inject viruses, malware or other internet nasties. They can gather device information, gain your personal details The list really is endless.

Summary – so what do we know?

  1. Text message scams – we know how to identify potentially dodgy messages
  2. The Link – look closer and see if it’s a real domain as normally used by the company
  3. The sender – we know how to check to see if this method of contact is typical for that company
  4. The potential risk of the CTA – We know what can happen if we click bad links
  5. What you can do – hold tight, we’re about to show you

5. What you can do to protect yourself

  • Check the link and see if its actually from the company it looks like.
  • Check any previous genuine message you may have had from them and compare them.
  • Login to your genuine account and see if everything is working fine, or call them. They will be able to verify your account status instantly.
  • Check the sender number – do you recognise it? If not, try googling it.

As with most things, the best way to stay safe is to be vigilant and stay up-to-date with your most used accounts.

If you found this article informative in any way, please consider sharing for the benefit of others.