Phishing, Smishing and Quishing: The UK Scam Playbook in 2026

The most common cyber threat facing UK users isn’t a dramatic Hollywood-style hack, it’s a message. It might arrive as an email, text, WhatsApp message, social media advert, QR code, phone call or fake delivery notice. It may look like it came from your bank, Royal Mail, HMRC, a parking company, a retailer, a streaming service, a job recruiter or someone you know.

This is why phishing remains so effective. It doesn’t need to break into your device first, it tries to make you open the door.

In the UK government’s Cyber Security Breaches Survey 2025/2026, phishing remained the most common type of breach or attack by far, affecting 38% of businesses and 25% of charities. That matters for consumers too, the same techniques that work against organisations also work against individuals: urgency, authority, fear, curiosity and convenience.

Phishing is the broad term for scam messages designed to trick you into revealing information, clicking a malicious link, installing malware or sending money. Smishing is phishing by text message. Quishing is phishing through QR codes. Vishing is phishing by voice call. The labels are useful, but the goal is usually the same: get you to act before you think.

Quishing: The Threat Many Still Underestimate

QR codes feel harmless because they’re common in restaurants, car parks, posters, invoices and delivery slips. You point your phone, the website opens, and you carry on, that convenience is exactly why criminals like them. A fake QR code sticker on a parking meter can send you to a convincing payment page. A QR code in an email can move the attack from a work computer to a personal phone, bypassing some company security filters.

Action Fraud warned in 2025 that it had received 784 reports of quishing between April 2024 and April 2025, with almost £3.5 million lost. Car parks, parcel delivery messages and payment pages are especially obvious targets because people expect to act quickly.

Slow Down, Scams Rely on Momentum

The best defence is to slow down. Scams want you to pay a small delivery fee, secure your account, confirm a refund, avoid a penalty, claim a prize, or respond to a fake emergency. If a message makes you feel rushed, that’s the moment to pause.

For email scams, check the sender, but don’t rely on it, sender names can be spoofed or disguised. Look at the link before clicking, but remember that shortened links, tracking links and lookalike domains can be deceptive. The safest method is to avoid the link entirely and open the official app or website yourself.

For text scams, be especially wary of parcel messages, bank alerts, parking fines, HMRC refunds, energy support claims, missed payments and fake family emergency messages. If a text asks you to pay, verify identity or install an app, treat it as suspicious until proven otherwise.

For QR codes, be selective. Don’t scan random QR stickers in public places without checking them. If you’re paying for parking, use the official app listed on the machine or the council website. If a QR code opens a website, check the address carefully before entering payment details, and if a code has been stuck over another code, don’t use it.

For phone calls, remember that caller ID can be spoofed, a call appearing to come from your bank may not be your bank. If a caller says your account is at risk, hang up and call the bank using the number on the back of your card. Don’t move money to a “safe account”, that’s a classic fraud tactic.

Where Security Tools Help

Security tools help, but they don’t replace judgement. A good password manager can stop you entering passwords into fake websites because it won’t autofill on the wrong domain. Two-step verification can block account access even if a password is stolen. A VPN can protect you on public Wi-Fi, but it won’t stop you sending money to a scammer. Antivirus and web protection can block some malicious links, but no tool catches everything.

Email aliases and alternative phone numbers can reduce exposure — if you use a masked email for shopping and that alias starts receiving phishing, you know roughly where the problem came from, and if you use an alternative number for low-trust signups, your real mobile number is less likely to be passed around.

Reporting Matters

In the UK, suspicious emails can be forwarded to [email protected]. Suspicious texts can be forwarded to 7726. Fraud should be reported to Action Fraud, or to Police Scotland if you’re in Scotland. Reporting helps authorities and providers take down malicious sites and numbers.

Verdict

The big lesson is that phishing has moved beyond bad spelling and obvious fake logos. Scams now use leaked data, AI-written messages, familiar brands and realistic timing, a fake delivery text arriving when you’re expecting a parcel is dangerous because the context feels right.

The safest habit isn’t paranoia, it’s independent verification. Don’t use the link in the message. Don’t trust the number on the call. Don’t scan the sticker without checking. Go to the source yourself.

Frequently Asked Questions

What is the difference between phishing, smishing and quishing?

Phishing usually involves fraudulent emails designed to steal information or encourage victims to visit a fake website. Smishing uses text messages or messaging apps to achieve the same goal, while quishing relies on malicious QR codes that direct people to fraudulent websites, payment pages or login screens.

How can I tell whether an email or text message is a scam?

Warning signs include unexpected requests, urgent language, spelling mistakes, unfamiliar sender addresses, shortened links and demands for passwords, payment details or security codes. A message may still look professional, so it is always safer to contact the organisation directly using a trusted website, app or phone number.

Can scanning a QR code infect my phone?

Scanning a QR code does not usually infect a device by itself, but it can open a malicious website, start an unwanted download or direct you to a fake login page. Check the web address shown by your phone before opening it and avoid entering personal or payment information unless you are certain the destination is genuine.

What should I do if I clicked a suspicious link?

Close the page immediately and do not enter any information. If you entered a password, change it straight away and update any other accounts that use the same password. You should also enable two factor authentication, run a security scan and contact your bank if financial details may have been exposed.

Why are scam messages becoming more convincing?

Criminals now have access to leaked personal data, convincing website templates and artificial intelligence tools that can produce polished messages. They may include your name, address, employer or recent purchase details, which makes it increasingly important to verify unexpected requests independently.

Can banks or government organisations ask for security codes by text or email?

Legitimate organisations may send security notifications, but they should not ask you to reveal passwords, full card details, one time passcodes or banking security information in response to an unsolicited message. Never share a verification code with someone who contacts you unexpectedly.

How should I report phishing, smishing or quishing in the UK?

Suspicious emails can usually be forwarded to [email protected], while suspicious text messages can often be forwarded to 7726. Fraud and cybercrime can also be reported through the official UK fraud reporting service. Contact your bank immediately if money has been taken or your account details have been compromised.

What is the best way to protect myself from these scams?

Use unique passwords for every account, enable two factor authentication and keep your phone, computer and apps updated. Avoid opening unexpected links, check web addresses carefully and access important accounts through official apps or bookmarks rather than links received by email, text message or QR code.

Sources

About The Author: Estrella

Consumer Security Guides & Digital Safety

Estrella Dalton is a skilled technology writer, editor, and advocate for digital safety, known for her clear, approachable style and commitment to helping everyday users navigate the online world with confidence.