
Banks accused of leaving customers exposed to scammers

Written by: Emma Lunn

Some banks are not doing enough to protect their customers from criminals trying to steal sensitive information, according to Which?

The past year has seen an increase in scams but a Which? investigation found that some banks are failing to use all the tools available to them to combat scammers, leaving weaknesses in their security systems that scammers could exploit.

The consumer champion looked into the protections banks have put in place to protect their customers from receiving fraudulent emails, SMS messages and phone calls.

Scammers use these forms of communication to carry out ‘phishing attacks’: they send legitimate-looking messages designed to tempt people into divulging sensitive information, such as bank account details, usernames or passwords.

Phishing scams may try to imitate (or ‘spoof’) banks’ genuine email addresses or domains, sometimes by making slight changes – for instance, by changing ‘’ to ‘.com’.

What is domain-based message authentication, reporting and conformance?

Which? says banks should be implementing a system that protects web addresses they own or use – known as ‘domain-based message authentication, reporting and conformance’ (DMARC) – to prevent spoofing attacks. Banks can use DMARC to tell email providers how to handle the unauthorised use of their domains.

DMARC is usually introduced gradually. Records are first set to ‘none’ (a monitoring phase in which no action is taken if DMARC checks fail), then moved to ‘quarantine’ (which sends emails that fail the checks to junk/spam) and finally to a policy of ‘reject’ (which blocks all emails that fail the checks).
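The check described above, written as an added example rather than anything from Which? or 6point6: it parses the DMARC TXT record published at `_dmarc.<domain>` and reports whether a domain has no record, is still at ‘none’ or ‘quarantine’ (or only enforces on a percentage of mail, or leaves subdomains weaker via `sp=`), or has reached ‘reject’. The domain names and DNS answers are constructed for the example; a real audit would replace `SAMPLE_TXT` with live TXT lookups.

```python
# Constructed DNS TXT answers for _dmarc.<domain>; hypothetical domains,
# not the banks named in the article. An empty list means no record.
SAMPLE_TXT = {
    "_dmarc.bank-primary.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-primary.example"],
    "_dmarc.bank-alt.example": [],  # alternative domain with no DMARC at all
    "_dmarc.bank-monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@bank-monitor.example"],
    "_dmarc.bank-partial.example": ["v=DMARC1; p=quarantine; pct=50; sp=none"],
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def assess_domain(domain, lookup):
    """Return (status, detail) for a domain; lookup(name) gives its TXT strings."""
    records = [r for r in (parse_dmarc(t) for t in lookup(f"_dmarc.{domain}")) if r]
    if not records:
        return ("missing", "no DMARC record: spoofed mail is not flagged")
    if len(records) > 1:
        return ("invalid", "multiple DMARC records: receivers ignore them all")
    tags = records[0]
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if p not in POLICY_RANK or sp not in POLICY_RANK:
        return ("invalid", f"unknown policy value p={p} sp={sp}")
    weakest = min(p, sp, key=POLICY_RANK.get)
    if weakest != "reject" or pct < 100:
        return ("partial", f"p={p} sp={sp} pct={pct}: failing mail can still be delivered")
    return ("enforced", "p=reject applied to the domain and its subdomains")

def audit(domains, lookup=SAMPLE_TXT.get):
    """Assess every domain a bank sends from, primary and alternative alike."""
    return {d: assess_domain(d, lambda name: lookup(name) or []) for d in domains}

if __name__ == "__main__":
    for domain, (status, detail) in audit([d[7:] for d in SAMPLE_TXT]).items():
        print(f"{domain:28} {status:9} {detail}")
```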

How are banks protecting their customers?

When Which? asked security experts at technology company 6point6 in April to check whether banks offered this protection, some banks were falling short.

At the time of the investigation, the Bank of Ireland and Agricultural Mortgage Corporation – a wholly owned subsidiary of Lloyds Banking Group – had not yet introduced DMARC. This could have allowed scammers to forge their email address and send messages that would appear indistinguishable from genuine ones from their bank. Both have since taken action to resolve this.

The investigation also found that Nationwide, TSB, and Virgin Money had not set their policies to ‘reject’ all emails that fail DMARC checks. TSB and Virgin Money told the consumer champion that they are working towards this.

Nationwide said it has security features to protect against spoofing and will ‘look at ways to improve email security, including future enhancements to DMARC security.’

The investigation also found that The Co-operative Bank, First Direct, Starling and Tesco Bank had no DMARC system in place for their alternative domains, but did for their primary domains.

Since the investigation, Starling and Tesco Bank have now applied DMARC to alternative domains, and, respectively. First Direct and The Co-operative Bank told Which? they are reviewing the inclusion of their alternative domains – and – within their existing DMARC policies.

Which? is calling for all banks to implement DMARC and configure it correctly, setting their policies to ‘reject’, meaning email providers should block any emails that fail these checks.

Number spoofing

Which? says banks should also be clamping down on number spoofing, in which scammers manipulate caller IDs to mimic the phone numbers of legitimate organisations. To tackle this, Ofcom worked with the banking industry body UK Finance to identify a list of ‘do not originate’ (DNO) numbers – numbers that are never used for outbound calls, so any call appearing to come from them can be blocked.

Most banks had signed up to the scheme at the time of the investigation, apart from The Co-operative Bank and Nationwide – although both have since told Which? they plan to join.

Banks can also protect their SMS headers – the name or number a text message appears to come from – against spoofing by registering with the SMS SenderID Protection Registry run by the Mobile Ecosystem Forum.

Jenny Ross, Which? Money editor, said: “It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked – so it is crucial that banks take every measure to protect their customers from these devastating scams.

“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”
