The Scam-Text Protection Index · 17 countriesReviewed July 2026

Why does a scam text reach you at all? In five countries, it doesn't.

When a scammer sends you a text that says it is from your bank, the word at the top of the screen is not checked by anyone. It is a field the sender fills in. Some countries have decided that is unacceptable and made businesses register the name they send under — so an impersonator's message is stopped, or arrives stamped as suspect. We compared 17 countries on that one question. Britain, which invented the fix, is not among the ones using it.

3
Block the impersonator
2
Flag it as suspect
7
No scheme identified
The Scam-Text Protection Index, July 2026: of 17 countries, Ireland, Spain and India block a text whose branded sender name is not registered; Singapore relabels it "Likely-SCAM" and Australia marks it "Unverified"; the United Kingdom and Denmark have only voluntary registries, the UK's after Ofcom decided a mandatory one would be too burdensome for business; the United States, Canada and Belgium do not display branded sender names at all; and in France, Germany, Italy, the Netherlands, Sweden, Norway and Finland no mandatory scheme was identified.
Five countries now require businesses to register the name they text under. Three of them refuse to deliver the message if it is not registered. Reviewed July 2026; sourced per country below.
How we rank it. One factual axis: when a text arrives carrying a real company's name as the sender, what does the country's regime do about it? Blocked = it never arrives. Flagged = it arrives, relabelled as suspect. Voluntary = a registry exists but nothing requires it. Not applicable = branded sender names aren't shown to consumers there at all. None identified = we found no mandatory scheme. Tap any country for the regime and the source.

17 countries, reviewed July 2026. Tap a country for the regime, what actually happens to an impersonated text, and the source.

The fix Britain built, and did not use

The idea is not new, and it is not foreign. The SenderID Protection Registry began in Britain in 2019, as a proof-of-concept backed by the National Cyber Security Centre, UK Finance and Mobile UK. The premise is simple: if a business has to register the name it sends texts under, then a criminal cannot put that name on a message. The impersonation collapses at the network, before it reaches anyone.

Ireland adopted the model and made it law: since October 2025, an unregistered branded text is not delivered at all. Singapore made registration mandatory in January 2023 and rewrites unregistered senders to read "Likely-SCAM" — and its regulator reported a 64% fall in SMS scams after the registry went in. Spain began blocking unregistered senders in June 2026. Australia joined in July 2026, with the mildest version: a label reading "Unverified."

In Britain, it is still voluntary. Ofcom examined a mandatory, centralised registry in its Combatting mobile messaging scams consultation and decided against it, on the grounds that it would be too burdensome for businesses and aggregators, given the significant upfront and ongoing costs of registration and maintenance. Instead it proposes duties on the operators — sender-ID verification, "Know Your Traffic" monitoring, blocking of known scam links. Those may well work. But the specific mechanism that Ireland used to stop the messages outright, and that Britain designed, is not among them. Ofcom's final decision is due in summer 2026.

A note on that sourcing, because it matters: Ofcom's consultation document sits behind a bot-protection wall we could not get through, so we have not read its exact wording ourselves. The rationale above is reported from published legal analysis of the consultation, and we state it as substance rather than as a direct quotation from Ofcom. If Ofcom's own wording differs, we will correct this page and say so.

What this does not say

Three honest limits, because an index that overclaims is worth less than one that doesn't.

A missing scheme is not a proven absence. Regulators publish the rules they make; they do not publish pages announcing the rules they haven't made. So for the eight countries in the "none identified" tier, we are reporting the result of a search, not a fact about the world. If a scheme exists that we missed, we want to be told, and we will correct the row and say we did.

"Not applicable" is not a failing grade. The United States and Canada do not appear in the blocking tiers because business texts there arrive from a number, not a brand name — there is no sender name to register or to fake. That is a different network architecture, not negligence. It also means American readers should not relax: impersonation there simply moves into the body of the message and the link.

Registration is not a cure, and the countries that did it are not claiming otherwise. Every regime here governs the branded sender name. A scammer texting from an ordinary mobile number is untouched by all of it — and so is every scam that arrives by WhatsApp, iMessage or a dating app. This mechanism kills one specific, very common trick: wearing a real institution's name. It does not kill the con.

And the best regime in the index has a hole in it. Ireland is our top tier, but the trade publication Commsrisk reported in May 2026 that organisations registering a sender name often cannot tell which of Ireland's 95 aggregator routes actually carries their traffic — so they register across all of them, which leaves their own name usable right across the ecosystem. Fraudsters have also moved to ordinary numbers and short codes, which no sender-ID registry governs. The honest reading is that a registry displaces this particular trick rather than eliminating SMS fraud, and the effectiveness of the UK-invented model has been publicly disputed. We are reporting what each country has built, not promising that any of it makes a country safe.

How this index is built

The index rests on a single factual question, applied identically to all 17 countries: when a text message arrives carrying a real organisation's name in the sender field, does the national regime block it, relabel it, or let it through unchanged? We do not score sub-factors or compute a composite rating — the reality is close to categorical, and a tier is more honest than invented precision.

Each country sits in one of five tiers. Blocked, Flagged, Voluntary and Not applicable are positive findings: each is sourced to the regulator, the named scheme, or the published network requirement, and each row links out so the claim can be checked at source. None identified is deliberately worded as a search result, not an assertion — see the limits above.

Where a regulator publishes a figure, we cite it and attribute it (Singapore's 64%). Where no figure exists, we describe the position in words rather than invent a statistic. The data was last reviewed July 2026, and several rows are in motion — Ofcom decides this summer. It is compiled by Tutela Digitalis, an independent fraud-education resource with no telecoms or bank funding.

For journalists

This index is free to cite, and the graphic above is free to republish, with credit (CC BY 4.0). The one-line finding: the UK invented the registry that stops impersonated texts, and is the only country in this index that built the mechanism and then declined to require it — Ofcom decided a mandate would be too burdensome for business, while Ireland, using the same model, now blocks the messages outright.

One sourcing caveat we would rather you knew than discovered: Ofcom's consultation PDF is behind a bot-protection wall, so we have not read its exact wording first-hand. We report Ofcom's rationale as substance, from published legal analysis, and never as a verbatim quote. Everything in the Blocked, Flagged and Not-applicable tiers is sourced to the regulator or the published network requirement.

Suggested citation: The Tutela Digitalis Scam-Text Protection Index, July 2026 — tuteladigitalis.com/scam-text-protection-index

Need the underlying country-by-country data, a correction, or a quote? Email press@tuteladigitalis.com. We publish corrections.

How to tell a real text from a fake one

Wherever you live, the defence is the same — and it does not depend on the sender name, because in most of the world that name is worth nothing.

1Ignore the sender name. In most countries the name at the top of a text is unverified and can be set to anything. Unless you are in a country that blocks unregistered senders, that name is not evidence of anything.
2Read what it is asking you to do. Strip away the branding. Is it asking you to pay, verify, log in, or move money? No legitimate bank, tax authority or courier makes those asks by surprise text.
3Never use the link. Do not tap it, even to look. The link is the entire delivery mechanism. Acting inside the scammer's channel is what the scam needs.
4Go to the source yourself. Open the company's official app, or type its address by hand. A genuine notice will be waiting in your account. A scam will not.
5Report it. Forward the text to your country's reporting number (7726 in the UK, Ireland, Australia and several others) and delete it. Reporting is what feeds the blocking lists.

Go deeper

Check a specific text, or see what each company says it will never do:

Impersonation Index — what 27 companies say they never doIs this UK text real?Is this Irish text real?Is this Australian text real?Is this US text real?Scam-Refund Index — who gets their money back

Common questions

Which countries block scam texts that impersonate a company?

Of the 17 countries in this index, 5 require businesses to register the brand name that appears as the sender of a text. Three of them — Ireland, Spain and India — block the message outright if the name is not registered, so an impersonated text never reaches the phone. Two more — Singapore and Australia — let it through but relabel it: Singapore rewrites the sender to "Likely-SCAM", Australia marks it "Unverified" and files it in a separate thread. Everywhere else in the index, a scammer can put a bank's name on a text and it arrives looking exactly like the real thing.

Why does the UK still get scam texts that impersonate banks?

Because in the UK, registering a sender name is voluntary. The mechanism was actually invented in Britain — a 2019 pilot backed by the National Cyber Security Centre, UK Finance and Mobile UK — and Ireland and Singapore went on to adopt the model and make it law. In its Combatting mobile messaging scams consultation, Ofcom considered a mandatory, centralised registry and decided against it, on the grounds that it would be too burdensome for businesses and aggregators given the significant upfront and ongoing costs of registration and maintenance. It proposes duties on the operators instead. Ofcom's final decision is due in summer 2026.

Does a sender-ID register actually reduce scams?

The strongest published evidence comes from Singapore, whose regulator (IMDA) reported a 64% fall in SMS scams after its Sender ID Registry was set up. That is the regulator's own figure and it covers the period around the registry's introduction, so it should be read as a strong indication rather than a controlled experiment. It is, however, the clearest number any regulator has put on the mechanism — which is what makes Ofcom's cost objection worth scrutinising.

Why isn't the United States on the list of countries that block them?

Because the mechanism does not apply there. In the US and Canada, business texts do not display a brand name at all — they arrive from a number (10DLC, toll-free or a short code). There is no sender name to register, and therefore none to impersonate. That closes one door and leaves another wide open: American impersonation happens in the body of the message and in the link, not in the sender field. So a US reader should not treat "no register" as "no protection needed" — the tells are simply somewhere else.

If my country has no register, how do I tell a real text from a fake?

Assume the sender name proves nothing, because in most countries it proves nothing. Judge the message by what it asks you to do: no legitimate bank, tax office or courier will text you a link to pay, "verify," or move money to a safe account. The safe move is always to ignore the message and go to the source yourself — open the official app, or type the address by hand. Our Impersonation Index lists what 27 major organisations have each published about how they really contact you.

How is this index compiled?

On a single factual axis: when a text arrives carrying a real company's name as the sender, does the country's regime block it, relabel it, or do nothing? Countries are placed in one of five tiers, each sourced to the regulator or the named scheme. Where we found no mandatory scheme, we say we found none — which is a statement about our search, not proof that no scheme exists, and we invite corrections. Last reviewed July 2026.

Got a text you're not sure about? Send us the details.

A real expert reviews every case and replies within 24 hours — whether it's genuine, what to do next, and what to report. Free, confidential, no pressure.

Submit a free case review →Try the Scam Checker