mobile banking woman using smartphone

Banks not doing enough to tackle phishing scams online, report warns

Image credit: Dreamstime

Some banks are not doing enough to prevent their customers from falling prey to spoof communications designed to steal their personal data, Which? research has found.

Following the introduction of the Covid-19 lockdowns in March 2020, cyber crime surged by 72 per cent as criminals took advantage of the shift to home working.

But Which? has said that some banks are failing to use all the tools available to them to combat scammers, leaving weaknesses in their security systems that scammers could exploit.

Legitimate-looking messages are sent to customers that are designed to tempt people into divulging sensitive information, such as bank account details, usernames or passwords. Phishing scams may try to imitate (or ‘spoof’) banks’ genuine email addresses or domains, sometimes by making slight changes – for instance, by changing ‘’ to ‘.com’.

Which? looked at the protections banks were putting in place to prevent their customers from receiving fraudulent emails, SMS messages and phone calls and said they should be implementing a system that protects web addresses they own or use – known as ‘domain-based message authentication, reporting and conformance’ (DMARC) – to prevent spoofing attacks.

But at the time of the investigation, the Bank of Ireland and Agricultural Mortgage Corporation – a wholly owned subsidiary of Lloyds Banking Group – had not yet introduced DMARC.

This could have allowed scammers to forge their email address and send messages that would appear indistinguishable from genuine ones from their bank. Both have since taken action to resolve this.

The investigation also found that Nationwide, TSB and Virgin Money had not set their policies to ‘reject’ all emails that fail DMARC checks. TSB and Virgin Money told Which? that they are working towards this.

Nationwide said it has security features to protect against spoofing and will "look at ways to improve email security, including future enhancements to DMARC security".

The investigation also uncovered that The Co-operative Bank, First Direct, Starling and Tesco Bank had no DMARC system in place for their alternative domains, but did for their primary domains. 

Which? is calling for all banks to implement DMARC and configure it correctly, setting their policies to ‘reject’, meaning email providers should block any emails that fail these checks.

Jenny Ross, Which? Money editor, said: “It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked – so it is crucial that banks take every measure to protect their customers from these devastating scams.

“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”

Katy Worobec, managing director of economic crime at trade association UK Finance, said: “The banking industry is focused on tackling fraud on all fronts and preventing the devastating impact it can have on victims and society.

“It’s vital that every sector plays its part to protect the public and stop criminals being able to take advantage of technology. We continue to work with the telecoms industry and Ofcom to stamp out the threat.

“Criminals are experts at impersonating a wide range of trusted organisations and websites, not just the financial industry.

“It’s important that customers remain vigilant to these scams and follow the advice of the Take Five to Stop Fraud campaign: always stop and think before parting with your money or information and avoid clicking on links in emails or text messages in case it’s a scam.”

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles