The fake bank text marketplace scam
After posting on Facebook Marketplace, sellers receive fake bank security texts designed to steal their login credentials. The timing makes the smishing feel legitimate — it is not.
Free download. iOS & Android. UK-first.
The fake bank text marketplace scam targets sellers: after posting a listing, you receive a smishing text claiming your bank has detected suspicious activity. The link leads to a phishing page harvesting your banking credentials. Your bank will never ask you to log in via a text link. Forward suspicious texts to 7726. Call your bank on the number on the back of your card — never use a number from the text. (Source: NCSC)
What is the fake bank text marketplace scam?
The fake bank text marketplace scam combines two fraud types: marketplace seller targeting and bank-impersonation smishing. A seller posts a listing on Facebook Marketplace and shares or displays their phone number. Shortly after, they receive a text that appears to come from their bank — sometimes even appearing in the same message thread as genuine bank OTP codes, because SMS sender IDs can be spoofed.
The text claims the account has been flagged for suspicious activity and that the seller must click a link to verify their details or unblock their card. The link leads to a fake login page. The timing — coinciding with the fresh Marketplace listing — creates a false but credible sense that the two events are related, making victims less likely to pause and question the text.
How does the fake bank text marketplace scam work?
- 01
You post a listing on Facebook Marketplace
Your phone number may be visible in the listing, or it may be harvested via a prior inquiry message designed to capture your number.
- 02
Smishing text arrives — appears to be from your bank
The sender ID matches your bank's name. The message claims suspicious activity, an account block, or a failed payment requiring verification. It appears in your genuine bank thread.
- 03
You click the link
The page is a convincing replica of your bank's login page. The URL is not your bank's official domain, but under time pressure this is easy to miss.
- 04
Credentials and one-time codes are captured
You enter your username, password, or a one-time code sent to your phone. The fraudster captures these in real time and uses them to log in to your actual banking app or initiate a payment.
- 05
Optional follow-up call from "fraud team"
A caller introduces themselves as your bank's fraud prevention team, using your name (harvested from the listing) to add credibility, and asks you to confirm further details or authorise a "test transfer".
What should you do if you have been targeted by a fake bank text?
- Do not click the link — go directly to your bank’s website by typing the address, or use their official app.
- Forward the smishing text to 7726 — this is the UK’s dedicated SMS phishing reporting shortcode, operated in conjunction with the NCSC and UK mobile networks.
- If you have already entered details, call your bank’s fraud team immediately on the number on the back of your card — not any number in the text.
- Report to Action Fraud on 0300 123 2040 to get a crime reference number.
- Avoid sharing your phone number in Marketplace listings — use in-app messaging where possible.
How does SilentID help protect you from marketplace-triggered smishing?
SilentID Trust Passport verifies your identity through a one-time biometric check stored on your device — you never share your name, address, or contact details during the transaction flow. Reducing the data exposed through a Marketplace exchange reduces the information fraudsters can use to target you with personalised smishing.
Related guides
7 warning signs of the fake bank text marketplace scam
Smishing texts are designed to look exactly like your real bank messages. These signals reveal the fakes.
A bank security text arrives shortly after you list on Marketplace
The timing is not coincidental — in sophisticated operations, scammers scrape contact details from listings and immediately trigger smishing campaigns. If a "bank alert" arrives the same day you posted a listing, treat it as suspect.
The text appears in the same thread as genuine bank messages
Smishers use SMS sender spoofing to insert their message into your genuine bank's conversation thread (e.g. alongside real Barclays or Lloyds OTP texts). This is technically trivial and does not imply the message is from your bank.
The message claims suspicious activity or an urgent security block
"We have detected suspicious activity on your account. Your card has been suspended. Click to verify." Urgency and fear are the primary levers. Your bank will never ask you to click a link in a text to unblock a card.
The link is not your bank's official domain
Genuine UK bank SMS messages from the bank directly do not contain links asking you to log in. Any text containing a link to a login page — regardless of which thread it appears in — is a phishing attempt.
The page asks for full card number, PIN or one-time code
Your bank already has your card number. It will never ask you to re-enter it via a text link. One-time codes are for verifying payments you initiated — never for "security checks".
You receive a follow-up call from "bank fraud team"
After the text, a caller may introduce themselves as your bank's fraud prevention team and ask you to "confirm" your details to resolve the block. Banks will never ask for your full PIN or password over the phone.
The text uses your name or partial account number
Including a name or the last four digits of a card creates false credibility. This data is sometimes obtained from data breaches or scraped from social media linked to the Marketplace profile.
Frequently asked questions
Protect your identity — and your bank account
Download SilentID. Trust Passport verifies without sharing personal data. PIN Pickup means your payment never moves based on a text message.
100% passwordless. UK-based. GDPR-native.
·
Reviewed by the SilentID editorial team. We update each guide quarterly with new UK fraud data.