
Banks missing vital protection against email scams, warns Which?

Is your bank making it too easy for scammers to forge its email address?

Banks have various tools at their disposal to stop scammers from impersonating them. But Which? has discovered that not every bank is making use of these vital protections, meaning their customers could be sitting ducks for the most sophisticated attacks.

Phishing – a term coined in the mid-1990s to describe how scammers dangle bait to ‘fish’ for passwords and other sensitive data – is still the most effective line of attack. Fake emails, text messages (referred to as smishing) and phone calls (vishing) aim to trick you into thinking you’re dealing with a genuine company.

Here, we explain how cybercriminals could also take advantage of needless gaps in email security and what you can do to defend yourself while your bank catches up.


Catching fake emails

Most phishing emails simply use the ‘name’ field to pretend they come from a legitimate company. However, the most dangerous fakes can also replicate the sender email address – so the message appears to come from a trusted source such as a bank or government domain, eg ‘@yourbank.com’. See ‘Anatomy of a scam email’ below.

Banks can safeguard their domains from email spoofing using the email authentication standard DMARC, established in 2012. This stands for ‘domain-based message authentication, reporting and conformance’, and helps your email provider block malicious messages that attempt to imitate legitimate companies.

The National Cyber Security Centre (NCSC) says that companies should have DMARC in place for all domains, regardless of whether they’re used for email, to prevent abuse.

In April 2021, we asked security experts at technology company 6point6 to check the DMARC records of the UK’s largest banks and building societies. They performed a rudimentary check to assess banks’ direct vulnerability to spoofing, which they then repeated for alternative domains (eg Which? owns ‘which.co.uk’ and ‘which.com’).

Ensuring legitimate emails aren’t incorrectly blocked, particularly for organisations with multiple IT systems, can be challenging. This is why many businesses apply DMARC gradually:

  • by initially setting records to ‘none’ (a monitoring phase where no action is taken if DMARC checks fail),
  • before working towards ‘quarantine’ (which moves emails to junk/spam if they fail the checks),
  • and ultimately, a policy of ‘reject’ (which blocks all emails that fail the checks).
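To make the three policy levels concrete, here is an added Python example (not code from the article or from 6point6's check) that classifies DMARC TXT records the way the rudimentary check above does, including the case where no record exists and the case where a `pct=` tag applies the policy to only a sample of mail. The domains and records are constructed samples, not any bank's real DNS data.

```python
# Added example (not from the article): classify DMARC TXT records into the
# policy levels described above. Records below are constructed, not real DNS
# data; a live check would fetch the TXT record at _dmarc.<domain> first.
from typing import Optional

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record: Optional[str]) -> dict:
    """Split 'tag=value; tag=value' into lower-cased tags; {} if not a DMARC record."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def spoofing_exposure(record: Optional[str]) -> str:
    """Map a record to 'missing', 'none', 'quarantine' or 'reject'.

    none       -> monitoring phase: spoofed mail is still delivered
    quarantine -> spoofed mail is sent to junk/spam
    reject     -> spoofed mail is blocked
    A pct= below 100 applies the policy to a sample of mail only, so the
    result carries that caveat, e.g. 'quarantine (pct=50)'.
    """
    tags = parse_dmarc(record)
    if not tags:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # RFC 7489 s.6.6.3: an absent/invalid p= counts as 'none' only when
        # aggregate reports (rua=) are requested; otherwise the record is ignored.
        return "none" if "rua" in tags else "missing"
    pct = tags.get("pct", "100")
    return f"{policy} (pct={pct})" if pct.isdigit() and int(pct) < 100 else policy

def audit(records: dict) -> dict:
    """Return only the domains whose policy falls short of 'reject'."""
    levels = {d: spoofing_exposure(r) for d, r in records.items()}
    return {d: lvl for d, lvl in levels.items() if lvl != "reject"}

SAMPLE_RECORDS = {  # constructed sample data, not real DNS records
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example",
    "bank-d.example": None,  # no record published at all
    "bank-e.example": "v=spf1 include:_spf.bank-e.example -all",  # SPF, not DMARC
}
```

Running `audit(SAMPLE_RECORDS)` lists every domain except bank-a.example, which is the only one a receiver would treat as fully protected.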

Anatomy of a scam email

1. Sender address: Addresses that aren’t protected by DMARC can be spoofed. Scammers can also use sneaky tricks like substituting characters, such as ‘o’ (letter O) and ‘0’ (zero).

2. Display name: Attackers can easily change this to a legitimate brand name or email address.

3. Content: Phishing emails frequently start with impersonal greetings (your bank knows your full name) and ask you to take action.

4. Website links: Hover your mouse over a link (without clicking) to preview where it leads. If the destination doesn’t match what the email promises, or contains misspellings, it could be malicious. To decide whether to trust it, identify the domain name: look for the first single slash (/) and work backwards from it. In this example, it would be ‘www.which.co.uk’.

Banks missing vital protection

Overall, banks are ahead of the pack compared with other industries.

The Central Intelligence Agency (CIA) rather shockingly doesn’t have any DMARC record and therefore does nothing to prevent emails mimicking its ‘cia.gov’ domain.

The majority of banks have implemented DMARC on their domains. However, Bank of Ireland ‘bankofireland.com’ and Agricultural Mortgage Corporation ‘amconline.co.uk’ – a wholly owned subsidiary of Lloyds Banking Group – are notable exceptions, as they had no DMARC anti-spoofing protection at all.

Lloyds told us it has now applied DMARC to amconline.co.uk: ‘This domain issues a very low number of emails and we’ve found no evidence that the domain was misused in any way.’

Bank of Ireland said it doesn’t send emails from either ‘bankofireland.com’ or ‘bankofirelanduk.com’ and is ‘taking action to introduce further technical anti-spoofing protection’.

Vulnerabilities uncovered

Our investigation also found that nationwide.co.uk, tsb.co.uk and virginmoney.com hadn’t set their policies to ‘reject’ all emails that fail DMARC checks. TSB and Virgin Money told us that they’re working towards this. Nationwide said it has security features to protect against spoofing, but will ‘look at ways to improve email security including future enhancements to DMARC security’.

Meanwhile, four banks (The Co-operative Bank, First Direct, Starling and Tesco Bank) were found to have no DMARC records for their alternative domains, so they’re vulnerable to spoofing.

Although The Co-operative Bank has protected its ‘co-operativebank.co.uk’ domain, there are no DMARC records for ‘co-operative.co.uk’ and ‘coop.co.uk’. These two domains are owned by The Co-operative Group – a separate company not associated with the bank.

Following our investigation, Starling and Tesco Bank have now applied DMARC to their alternative domains starlingbank.co.uk and tescobank.co.uk. First Direct and The Co-operative Bank said they’re reviewing the inclusion of their alternative domains (firstdirect.co.uk and co-operativebank.com) within their existing DMARC policies.

How to spot and stop fake emails

Check the wording carefully: Does the email address you impersonally or create a sense of panic? Both are common phishing tactics.

Pay attention to the URL: Is there a spelling error or an unexpected domain? If it’s a shortened URL, such as a bit.ly link, don’t click on it. Use checkshorturl.com to safely see what a short URL points to.

Mark unwanted emails as junk or phishing: You can train email filters to recognise spam by marking such messages as ‘junk’ or ‘phishing’ before deleting them.

Don’t click on links or download attachments: Type web addresses into the address bar of your browser manually and don’t download attachments until you’ve checked the message is genuine.

Keep your browser and security software up to date: Run regular virus scans to keep your devices secure. When using a browser, Google Safe Browsing and Microsoft SmartScreen should be on by default to flag potentially unsafe sites.

Use 2FA: Use apps such as Authy, Google Authenticator and LastPass, or devices such as YubiKey, to secure your email and accounts using two-factor authentication.

Don’t use the same password: Using the same password for multiple accounts is risky. Create a unique password for each account. The NCSC recommends three random words such as ‘coffeetrainfish’ or ‘walltinshirt’.

Scammers slipping through the net

While blocking impersonation of their domains and phone numbers is crucial, banks can and should be doing more to protect their customers from phishing attempts.

DMARC does nothing to prevent phishing emails where scammers use an email address that doesn’t spoof a legitimate domain, explains Steven Murdoch, a professor in the computer science department at University College London.

Email software often hides the email address from the user and shows only the ‘name’, which can be anything the scammer chooses.

‘Even customers who look at the email address rarely know how to check it properly,’ says Professor Murdoch. ‘I think it’s much more important that banks develop industry-wide practices on how they will communicate over email, including what they expect of customers and show that these expectations are reasonable.’

More consistency needed from banks

We agree that it’s often too hard for customers to tell the difference between phishing and genuine bank communication because industry practices are so inconsistent. We think banks should prove their own identity in a secure way rather than placing the burden on customers.

For example, a bank could ask you to choose a memorable image and show this every time you log in to confirm that you’re visiting the genuine site, not a cloned site set up by scammers.

We also want banks to stop including phone numbers and web links in SMS text messages, because we know that scammers who impersonate banks try to trick people into calling them or visiting a fake login page.

First featured in June’s Which? Money magazine
