Some banks can and should be doing more to protect their customers from criminals trying to steal sensitive information, Which? research has found.
With the last year seeing an increase in scams, many consumers will expect that the companies they deal with in their everyday lives are doing everything they can to protect them.
However, a new Which? investigation has found that some banks are failing to use all the tools available to them to combat scammers, leaving weaknesses in their security systems that scammers could exploit.
The consumer champion looked into what protections banks were putting in place to protect their customers from receiving fraudulent emails, SMS messages and phone calls.
These so-called phishing attacks are worryingly common. Scammers send legitimate-looking messages that are designed to tempt people into divulging sensitive information, such as bank account details, usernames or passwords.
Phishing scams may try to imitate (or ‘spoof’) banks’ genuine email addresses or domains, sometimes by making slight changes – for instance, by changing ‘.co.uk’ to ‘.com’.
Banks should be implementing a system that protects the email domains they own or use – known as ‘domain-based message authentication, reporting and conformance’ (DMARC) – to prevent spoofing attacks. Banks can use DMARC to tell email providers how to handle the unauthorised use of their domains.
The process of introducing DMARC is frequently done gradually: by initially setting records to ‘none’ (a monitoring phase where no action is taken if DMARC checks fail) before working towards ‘quarantine’ (which moves emails to junk/spam if they fail the checks) and ultimately, a policy of ‘reject’ (which blocks all emails that fail the checks).
When Which? asked security experts at technology company 6point6 in April to check whether banks offered this protection, some banks were falling short.
At the time of the investigation, the Bank of Ireland and Agricultural Mortgage Corporation – a wholly owned subsidiary of Lloyds Banking Group – had not yet introduced DMARC. This could have allowed scammers to forge their email address and send messages that would appear indistinguishable from genuine ones from their bank. Both have since taken action to resolve this.
The investigation also found that Nationwide, TSB and Virgin Money – nationwide.co.uk, tsb.co.uk and virginmoney.com, respectively – had not set their policies to ‘reject’ all emails that fail DMARC checks. TSB and Virgin Money told the consumer champion that they are working towards this.
Nationwide said it has security features to protect against spoofing and will ‘look at ways to improve email security, including future enhancements to DMARC security.’
The investigation also uncovered that The Co-operative Bank, First Direct, Starling and Tesco Bank had no DMARC system in place for their alternative domains, but did for their primary domains.
Although The Co-operative Bank has protected its ‘co-operativebank.co.uk’ email address, there are no DMARC records for ‘co-operative.co.uk’ and ‘coop.co.uk’ – two domains that are owned by The Co-operative Group, a separate company not associated with the bank – making them vulnerable to scammers who could pose as The Co-operative Bank using alternative email addresses.
Since the investigation, Starling and Tesco Bank have now applied DMARC to alternative domains, starlingbank.co.uk and tescobank.co.uk, respectively. First Direct and The Co-operative Bank told Which? they are reviewing the inclusion of their alternative domains – firstdirect.co.uk and co-operativebank.com – within their existing DMARC policies.
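The policy ladder described above (no record, then ‘none’, ‘quarantine’ and finally ‘reject’) and the alternative-domain gap found at several banks can both be checked mechanically. The following is an added example, not code from Which? or 6point6: it parses DMARC TXT records in the RFC 7489 tag format and flags any domain that is not yet at a fully enforced ‘reject’ policy. The records and the example.bank domain names are constructed for illustration and are not any bank’s real DNS data; a real check would fetch the TXT record at _dmarc.<domain> instead of reading it from the dictionary.

```python
"""Classify DMARC records by how much protection they actually give.

Status values mirror the press release's ladder:
  missing    -> no DMARC record at the domain (spoofable)
  invalid    -> record present but ignored by receivers (no v=DMARC1 or no p=)
  monitoring -> p=none, reports only, nothing blocked
  quarantine -> failing mail goes to junk/spam
  reject     -> failing mail is blocked
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]            # p= tag, None if no usable record
    subdomain_policy: Optional[str]  # sp= tag, defaults to p= per RFC 7489
    pct: int                         # share of failing mail the policy applies to
    has_reporting: bool              # rua= aggregate-report address present
    status: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")   # first '=' only: mailto: URIs contain none, but be safe
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Map one domain's DMARC TXT record (or None) to an assessment."""
    if record is None:
        return DmarcAssessment(domain, None, None, 0, False, "missing")
    tags = parse_dmarc(record)
    # RFC 7489: v must be exactly DMARC1 and p is required, otherwise the record is ignored.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return DmarcAssessment(domain, None, None, 0, False, "invalid")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(domain, None, None, 0, False, "invalid")
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    status = "monitoring" if policy == "none" else policy
    return DmarcAssessment(domain, policy, subdomain_policy, pct, "rua" in tags, status)


def domains_needing_action(records: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every domain short of a fully enforced reject policy.

    'Fully enforced' means p=reject applied to 100% of mail and to subdomains too;
    a reject policy with pct<100 or sp=none still leaves spoofable mail through.
    """
    findings: List[Tuple[str, str]] = []
    for domain, record in records.items():
        a = assess_dmarc(domain, record)
        if a.status == "reject" and a.pct == 100 and a.subdomain_policy == "reject":
            continue
        reason = a.status
        if a.status == "reject":
            reason = f"reject but pct={a.pct}, sp={a.subdomain_policy}"
        findings.append((domain, reason))
    return findings


# Constructed sample data: hypothetical domains, not any bank's real records.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "primary.example.bank": "v=DMARC1; p=reject; rua=mailto:dmarc@primary.example.bank",
    "monitoring.example.bank": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example.bank",
    "partial.example.bank": "v=DMARC1; p=quarantine; pct=50",
    "alt.example.bank": None,                        # alternative domain with no record at all
    "typo.example.bank": "v=DMARC1; sp=reject",      # no p= tag, so receivers ignore it
    "subdomains.example.bank": "v=DMARC1; p=reject; sp=none",
}

if __name__ == "__main__":
    for domain, reason in domains_needing_action(SAMPLE_RECORDS):
        print(f"{domain}: {reason}")
```

Only primary.example.bank passes; the other five illustrate, in order, a monitoring-only record, a half-applied quarantine, a forgotten alternative domain, a syntactically broken record, and a reject policy that does not extend to subdomains.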
While banks are further ahead than other industries when it comes to implementing DMARC, Which? believes that it is often too hard for customers to tell the difference between a phishing email and genuine communication from banks due to inconsistent practices across the industry.
This is particularly concerning amid a worrying culture of banks blaming victims for falling for scammers’ tricks, despite their heightened sophistication. This means people often face a lottery to get their money reimbursed under the industry’s voluntary bank transfer scams code.
Which? is calling for all banks to implement DMARC and configure it correctly, setting their policies to ‘reject’, meaning email providers should block any emails that fail these checks.
Banks should also be clamping down on number spoofing, which involves scammers manipulating caller IDs to mimic the phone numbers of legitimate organisations. To tackle this, Ofcom worked with the banking industry body UK Finance to identify a list of ‘do not originate’ (DNO) numbers – numbers that are never used for outbound calls.
Most banks had signed up to the scheme at the time of the investigation, apart from The Co-operative Bank and Nationwide – although both have since told Which? they plan to join.
Banks can also protect their SMS headers – the name or number a text message appears to come from – against spoofing by registering with the SMS SenderID Protection Registry run by the Mobile Ecosystem Forum.
The consumer champion believes that if banks did not include weblinks or phone numbers in their official SMS communications – elements that scammers can readily spoof – consumers could feel more secure and be able to spot scams more easily.
Which? is working on a best practice guide for businesses to help raise standards of SMS communications and bring greater consistency to how they protect consumers.
Jenny Ross, Which? Money Editor, said:
“It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked – so it is crucial that banks take every measure to protect their customers from these devastating scams.
“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”
Notes to editor
- Bank of Ireland UK, Barclays, Danske Bank, First Direct, HSBC, Lloyds Banking Group, Metro Bank, Nationwide, NatWest Group, Santander, Starling, and TSB are all members of the SMS SenderID Protection Registry. However, The Co-operative Bank is yet to sign up and has no current plans to do so. AIB UK, Tesco Bank and Virgin Money told us they’re in the process of signing up. Monzo didn’t confirm its status.
- Which? – How to spot an email scam
- Which? – Scam alerts service
- Which? – How your personality could increase your fraud risk – and what to look out for
- Which?’s Money Helpline is staffed by experienced financial advisers and gives independent, one-to-one and tailored guidance on all sorts of money matters over the phone.
Rights of reply
Bank of Ireland: “We can confirm that we do not send emails from either bankofireland.com or bankofirelanduk.com. We have comprehensive processes in place to detect, report and block malicious domains targeting our customers and are currently taking action to introduce further technical anti-spoofing protection.”
Agricultural Mortgage Corporation (Lloyds Banking Group): “Helping to keep our customers’ money safe is our priority. We have a range of controls in place to protect our customers from fraudsters and take an active role in helping to prevent people from becoming victims. For example, in the last 12 months alone, we have removed over 33,000 phishing sites which could have resulted in people losing money to scams.”
Nationwide: “Nationwide takes the security of its members’ data and money very seriously. Many of our members have opted to receive their communications by email and we have a range of security features such as dedicated email domains, which have SPF & DKIM protocols to protect against spoofing and spammers. However, we are not complacent and we continue to look at ways to improve our email security including future enhancements to DMARC security.”
TSB: “TSB is currently in the midst of a programme to enhance email security. The programme includes implementation of both DMARC and DKIM. We expect the introduction of DMARC to be completed shortly.”
Virgin Money: “We are aware of our current DMARC record configuration, and are working towards setting the policy to ‘Reject’.”
The Co-operative Bank: “The Bank does employ email spoofing technologies for Bank websites and email addresses, including DMARC. The coop.co.uk and co-operative.co.uk are not domains owned by The Co-operative Bank – they are part of the Co-operative Group who are a separate company and not associated with the Bank, we therefore have no influence on how these domains are managed. While co-operativebank.com is not used by the Bank, it is registered to us and we will review our controls on this domain.”
The Co-operative Group: The Co-operative Group didn’t respond to repeated requests for comment.
First Direct: “Our primary domain firstdirect.com (which is the only one we routinely send mail from) has been covered by a DMARC reject policy since 4Q20. This technology, combined with our Sender Policy Framework implementation, helps recipients of email to determine the authenticity of that mail. firstdirect.co.uk is a domain we own for the purposes of redirecting web traffic, and as part of our ongoing review of our protective controls we are now reviewing the inclusion of such domains in our DMARC policies.”
Starling: “Historically we have had anti email spoofing protection set up for our .com domain but not .co.uk, as this is not our corporate domain. We have reviewed our domains, thanks to the input of Which?’s researchers and now have put spoofing protections in place for other domains, including .co.uk.”
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at firstname.lastname@example.org.