Banks have various tools at their disposal to stop scammers from impersonating them. But Which? has discovered that not every bank is making use of these vital protections, meaning their customers could be sitting ducks for the most sophisticated attacks.
Phishing – a term coined in the mid-1990s to describe how scammers dangle bait to ‘fish’ for passwords and other sensitive data – is still the most effective line of attack. Fake emails, text messages (referred to as smishing) and phone calls (vishing) aim to trick you into thinking you’re dealing with a genuine company.
Here, we explain how cybercriminals could also take advantage of needless gaps in email security and what you can do to defend yourself while your bank catches up.
Catching fake emails
Most phishing emails simply use the ‘name’ field to pretend they come from a legitimate company. However, the most dangerous fakes can also replicate the sender email address – so the message appears to come from a trusted source such as a bank or government domain, eg ‘@yourbank.com’. See ‘Anatomy of a scam email’ below.
Banks can safeguard their domains from email spoofing using the email authentication standard DMARC, established in 2012. This stands for ‘domain-based message authentication, reporting and conformance’, and helps your email provider block malicious messages that attempt to imitate legitimate companies.
The National Cyber Security Centre (NCSC) says that companies should have DMARC in place for all domains, regardless of whether they’re used for email, to prevent abuse.
In April 2021, we asked security experts at technology company 6point6 to check the DMARC records of the UK’s largest banks and building societies. They performed a rudimentary check to assess banks’ direct vulnerability to spoofing, which they then repeated for alternative domains (eg Which? owns ‘which.co.uk’ and ‘which.com’).
Ensuring legitimate emails aren’t incorrectly blocked, particularly for organisations with multiple IT systems, can be challenging. This is why many businesses apply DMARC gradually:
- by initially setting records to ‘none’ (a monitoring phase where no action is taken if DMARC checks fail),
- before working towards ‘quarantine’ (which moves emails to junk/spam if they fail the checks),
- and ultimately, a policy of ‘reject’ (which blocks all emails that fail the checks).
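To show what those three policy levels look like in practice, here is a small Python checker, added as an illustration and not part of the Which? or 6point6 work. It parses the text of a DMARC record, reads the p= (domain), sp= (subdomain) and pct= tags, and reports whether a spoofed message could still reach an inbox. The domain names and records it runs over are constructed for the example; to check a real domain you would fetch the TXT record published at _dmarc.<domain> (for instance with `dig TXT _dmarc.example.com`) and pass that text to classify().

```python
"""Classify DMARC records by the protection they give against domain spoofing.

Added example, not from the Which? article or from 6point6. The records below
are constructed for illustration and are not the real records of any bank.
"""
from typing import Optional

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns None when the record is missing or is not a usable DMARC record
    (RFC 7489 requires it to start with v=DMARC1 and to carry a p= tag).
    """
    if not record:
        return None
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            continue  # tolerate junk tags; an operator would want to fix them
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICIES:
        return None
    return tags


def classify(record: Optional[str]) -> dict:
    """Summarise the protection a record gives, in the article's terms.

    'unprotected' = no usable record, 'none' = monitoring only,
    'quarantine' = failing mail goes to junk, 'reject' = failing mail is blocked.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return {"policy": "unprotected", "subdomain_policy": "unprotected",
                "pct": 0, "spoofable": True}
    policy = tags["p"].lower()
    # sp= covers subdomains; when absent it defaults to the domain policy
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in POLICIES:
        sub_policy = policy
    # pct= applies the policy to only a share of failing mail; the remainder is
    # treated one level more leniently (reject -> quarantine, quarantine -> none)
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    pct = max(0, min(pct, 100))
    # A spoofed message can still land in the inbox under 'none', or under a
    # partial 'quarantine' where the rest of the mail is treated as 'none'
    spoofable = policy == "none" or (policy == "quarantine" and pct < 100)
    return {"policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "spoofable": spoofable}


def audit(records: dict) -> dict:
    """Run classify() over a {domain: txt_record_or_None} map, the shape of
    spot-check the article describes."""
    return {domain: classify(rec) for domain, rec in records.items()}


# Constructed sample records (not real DNS data) covering each outcome
SAMPLE_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; sp=none; pct=50",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "missing.example": None,                                  # no _dmarc TXT record at all
    "spf-only.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}

if __name__ == "__main__":
    for domain, result in audit(SAMPLE_RECORDS).items():
        flag = "SPOOFABLE" if result["spoofable"] else "protected"
        print(f"{domain:20} p={result['policy']:12} sp={result['subdomain_policy']:12} "
              f"pct={result['pct']:3} -> {flag}")
```

Note that a record can be present and still leave a gap: a 'quarantine' policy with pct=50, or a strict domain policy paired with sp=none, lets part of the spoofed traffic through, which is why a check should read the whole record rather than only test for its existence.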
Anatomy of a scam email
1. Sender address: Addresses that aren’t protected by DMARC can be spoofed. Scammers can also use sneaky tricks like substituting characters, such as ‘o’ (letter O) and ‘0’ (zero).
2. Display name: Attackers can easily change this to a legitimate brand name or email address.
3. Content: Phishing emails frequently start with impersonal greetings (your bank knows your full name) and ask you to take action.
4. Website links: Hover your mouse (without clicking) to preview a link. If it doesn’t match the content promised, or contains mis-spellings, it could be malicious. Identify the unique domain name to check whether to trust it – look at the part of the address after ‘//’ and before the first single slash (/), and read it backwards from the end. In this example, it would be ‘www.which.co.uk’.
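The link-reading advice above can be turned into a check, shown here as an added Python example that is not part of the Which? article. It takes the host name (the part before the first single slash), works backwards to the owner’s domain, and then flags two of the tricks the list describes: a trusted name buried to the left of the real domain, and character swaps such as ‘0’ for ‘o’. The trusted-domain set, the short list of known suffixes and the sample links are all constructed for the example; a production tool would use the full Public Suffix List rather than the handful of suffixes hard-coded here.

```python
"""Judge where an email link really points, following the article's
'look before the first single slash and work backwards' advice.

Added example, not from the Which? article. The trusted domains, suffix list
and sample links are constructed for illustration.
"""
from urllib.parse import urlsplit

# Suffixes this example recognises; a real checker would use the Public Suffix List
KNOWN_SUFFIXES = ("co.uk", "org.uk", "gov.uk", "com", "net", "org")
# Character swaps the article warns about ('0' for 'o'), plus '1' for 'l'
SWAPS = str.maketrans({"0": "o", "1": "l"})


def link_host(url: str) -> str:
    """Host name of a link: the part after '//' and before the first single slash."""
    if "://" not in url:
        url = "http://" + url  # previews often show links without a scheme
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Work backwards from the end of the host name to the 'unique domain name',
    e.g. 'www.which.co.uk' -> 'which.co.uk'."""
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            owner = host[: -len(suffix) - 1].split(".")[-1]
            return f"{owner}.{suffix}"
    return ".".join(host.split(".")[-2:])  # unknown suffix: last two labels


def assess_link(url: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a link."""
    host = link_host(url)
    if registrable_domain(host) in trusted:
        return "trusted"
    # Undo character swaps and re-check: a hit now means a lookalike, not a match
    if registrable_domain(host.translate(SWAPS)) in trusted:
        return "lookalike"
    # A trusted name placed left of the real domain, e.g. bank.example.other.example
    if any(f".{t}." in f".{host}." for t in trusted):
        return "lookalike"
    return "untrusted"


# Constructed sample links (made-up host names, not real sites)
TRUSTED = {"which.co.uk"}
SAMPLE_LINKS = [
    "https://www.which.co.uk/money/scams",              # genuine
    "www.which.co.uk/money",                            # genuine, no scheme shown
    "http://www.which.co.uk.account-check.example/x",   # trusted name buried left
    "https://which.c0.uk/login",                        # zero for letter o
    "https://example.org/",                             # unrelated site
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{assess_link(link, TRUSTED):10} {link}")
```

The order of the three checks matters: a genuine link such as 'www.which.co.uk' also contains the trusted name, so the exact-match test has to run before the buried-name test or every real link would be reported as a lookalike.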
Banks missing vital protection
Overall, banks are ahead of the pack compared with other industries.
The Central Intelligence Agency (CIA) rather shockingly doesn’t have any DMARC record and therefore does nothing to prevent emails mimicking its ‘cia.gov’ domain.
The majority of banks have implemented DMARC on their domains. However, Bank of Ireland ‘bankofireland.com’ and Agricultural Mortgage Corporation ‘amconline.co.uk’ – a wholly owned subsidiary of Lloyds Banking Group – are notable exceptions, as they had no DMARC anti-spoofing protection at all.
Lloyds told us it has now applied DMARC to amconline.co.uk: ‘This domain issues a very low number of emails and we’ve found no evidence that the domain was misused in any way.’
Bank of Ireland said it doesn’t send emails from either ‘bankofireland.com’ or ‘bankofirelanduk.com’ and is ‘taking action to introduce further technical anti-spoofing protection’.
Our investigation also found that nationwide.co.uk, tsb.co.uk and virginmoney.com hadn’t set their policies to ‘reject’ all emails that fail DMARC checks. TSB and Virgin Money told us that they’re working towards this. Nationwide said it has security features to protect against spoofing, but will ‘look at ways to improve email security including future enhancements to DMARC security’.
Meanwhile, four banks (The Co-operative Bank, First Direct, Starling and Tesco Bank) were found to have no DMARC records for their alternative domains, so they’re vulnerable to spoofing.
Although The Co-operative Bank has protected its ‘co-operativebank.co.uk’ domain, there are no DMARC records for ‘co-operative.co.uk’ and ‘coop.co.uk’. These two domains are owned by The Co-operative Group – a separate company not associated with the bank.
Following our investigation, Starling and Tesco Bank have now applied DMARC to their alternative domains starlingbank.co.uk and tescobank.co.uk. First Direct and The Co-operative Bank said they’re reviewing the inclusion of their alternative domains (firstdirect.co.uk and co-operativebank.com) within their existing DMARC policies.
Scammers slipping through the net
While blocking impersonation of their domains and phone numbers is crucial, banks can and should be doing more to protect their customers from phishing attempts.
DMARC does nothing to prevent phishing emails where scammers use an email address that doesn’t spoof a legitimate domain, explains Steven Murdoch, a professor in the computer science department at University College London.
Email software often hides the email address from the user and shows only the ‘name’, which can be anything the scammer chooses.
‘Even customers who look at the email address rarely know how to check it properly,’ says Professor Murdoch. ‘I think it’s much more important that banks develop industry-wide practices on how they will communicate over email, including what they expect of customers and show that these expectations are reasonable.’
More consistency needed from banks
We agree that it’s often too hard for customers to tell the difference between phishing and genuine bank communication because industry practices are so inconsistent. We think banks should prove their own identity in a secure way rather than placing the burden on customers.
For example, a bank could ask you to choose a memorable image and show this every time you log in to confirm that you’re visiting the genuine site, not a cloned site set up by scammers.
We also want banks to stop including phone numbers and web links in SMS text messages, because we know that scammers who impersonate banks try to trick people into calling them or visiting a fake login page.
First featured in June’s Which? Money magazine