Some banks are not doing enough to prevent their customers from falling prey to spoof communications designed to steal their personal information, Which? research has found.
Following the introduction of the Covid-19 lockdowns in March 2020, cybercrime increased by 72 percent as criminals took advantage of the shift to work from home.
But Which? has said that some banks are not using all the tools available to fight scammers, leaving weaknesses in their email security for scammers to exploit.
Legitimate-looking messages are sent to customers, designed to trick them into revealing sensitive information such as bank account details, usernames or passwords.
Phishing scams may attempt to impersonate (or ‘spoof’) real bank email addresses or domains, sometimes by registering lookalike domains with minor changes, such as ‘.com’ in place of ‘.co.uk’.
Which? looked at the safeguards banks put in place to prevent their customers from receiving fraudulent emails, text messages and phone calls, and said they should implement a system that protects the domains they own or use, known as Domain-based Message Authentication, Reporting and Conformance (DMARC), to prevent spoofing attacks. But at the time of the investigation, the Bank of Ireland and the Agricultural Mortgage Corporation, a wholly owned subsidiary of Lloyds Banking Group, had not yet introduced DMARC.
This could have allowed scammers to forge those banks’ email addresses and send messages indistinguishable from genuine ones. Both have since taken action to resolve this.
The investigation also found that Nationwide, TSB and Virgin Money had not set their DMARC policies to ‘reject’ (p=reject), the setting that tells receiving mail servers to refuse all emails that fail DMARC checks. TSB and Virgin Money told Which? that they are working on this.
Nationwide said it has security features to protect against spoofing and will “look at ways to improve email security, including future enhancements to DMARC security.”
The investigation also revealed that The Co-operative Bank, First Direct, Starling and Tesco Bank had DMARC in place for their primary domains but not for their alternate domains, leaving those domains open to spoofing.
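How a receiving mail server reads those policies, as an added example that is not part of the Which? article or any bank’s code: the script below parses DMARC TXT records (the RFC 7489 tag syntax) and classifies a domain into the states the findings above describe: no record at all, a ‘p=none’ monitoring-only policy, a partial quarantine or reject, or a full ‘p=reject’. Every domain name and DNS record in it is constructed for the example. The organizational-domain step is simplified to the last two labels, which is an assumption; real receivers use the Public Suffix List, without which a ‘.co.uk’ domain would be mishandled. Note too that DMARC only covers domains for which the bank itself publishes a record; a lookalike ‘.com’ registered by a scammer is outside its reach, which is why the alternate-domain gap matters.

```python
"""Evaluate the DMARC policy a receiving mail server would apply to a domain.

Added example for this article, not Which?'s or any bank's code. The DNS
records below are constructed and the domain names are made up.
"""

# Constructed answers to TXT queries for _dmarc.<domain>. A value of None
# stands for "no record published", the state Which? found on some banks'
# alternate domains.
SAMPLE_DNS = {
    "_dmarc.bank-primary.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-primary.example",
    "_dmarc.bank-monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-monitoring.example",
    "_dmarc.bank-partial.example": "v=DMARC1; p=quarantine; pct=50",
    "_dmarc.bank-sub.example": "v=DMARC1; p=reject; sp=none",
    "_dmarc.bank-alt.example": None,
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Real receivers consult the Public Suffix List, so 'bank.co.uk' would be
    handled correctly there but not here."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(domain, dns=SAMPLE_DNS):
    """Return (policy, pct, record_domain) for mail claiming to be From: domain.

    policy is 'none', 'quarantine' or 'reject', or None when no usable record
    exists. Per RFC 7489, a subdomain without its own record inherits the
    organizational domain's 'sp=' policy, falling back to its 'p=' policy."""
    record = dns.get(f"_dmarc.{domain}")
    if record is not None:
        tags = parse_dmarc(record)
        if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
            return None, 100, domain  # malformed: receivers treat it as absent
        return tags["p"].lower(), int(tags.get("pct", 100)), domain

    org = organizational_domain(domain)
    if org == domain:
        return None, 100, None
    record = dns.get(f"_dmarc.{org}")
    if record is None:
        return None, 100, None
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None, 100, org
    policy = tags.get("sp", tags["p"]).lower()
    return policy, int(tags.get("pct", 100)), org


def assess(domain, dns=SAMPLE_DNS):
    """Map the effective policy onto the article's categories:
    'missing' - no DMARC record, spoofed mail is delivered unchallenged
    'monitor' - p=none, the bank gets reports but spoofed mail still lands
    'partial' - quarantine, or reject on less than 100% of failing mail
    'reject'  - p=reject with pct=100, what Which? asked every bank for"""
    policy, pct, _ = effective_policy(domain, dns)
    if policy is None:
        return "missing"
    if policy == "none":
        return "monitor"
    if policy == "reject" and pct == 100:
        return "reject"
    return "partial"


if __name__ == "__main__":
    for name in ("bank-primary.example", "bank-monitoring.example",
                 "bank-partial.example", "bank-alt.example",
                 "bank-sub.example", "alerts.bank-sub.example"):
        policy, pct, source = effective_policy(name)
        print(f"{name:26} policy={policy!s:10} pct={pct:<3} "
              f"from={source!s:18} -> {assess(name)}")
```

The ‘bank-sub.example’ entry shows a trap the alternate-domain finding points at: a primary domain can publish ‘p=reject’ while ‘sp=none’ leaves every subdomain open, so mail forged as ‘alerts.bank-sub.example’ is still delivered. To check a real domain, replace the constructed dictionary with the TXT answer from a DNS lookup of ‘_dmarc.<domain>’.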
Which? calls on all banks to implement and properly configure DMARC and to set their policies to ‘reject’, which means that email providers should block all emails that fail these checks. Jenny Ross, Which? Money Editor, said:
“It has never been more difficult for people to know if they are receiving genuine messages from their bank or are being misled – so it is critical that banks take all measures to protect their customers from these devastating scams.
“These include properly implementing email scam protection and no longer posting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.” Katy Worobec, director of economic crime at trade association UK Finance, said:
“The banking sector is focused on tackling fraud on all fronts and preventing the devastating impact it can have on victims and society.
“It is vital that every sector plays its part to protect the public and prevent criminals from misusing technology. We continue to work with the telecom industry and Ofcom to eradicate the threat.
“Criminals are experts at impersonating a wide variety of trusted organizations and websites, not just the financial sector.
“It is important that customers remain vigilant about these scams and follow the advice of the Take Five to Stop Fraud campaign: always think before giving up your money or information, and avoid clicking links in emails or text messages in case it is a scam.”