
3 Sep 2019

Scam alert: fraudsters exploit new online security checks with phishing attacks

Watch out for fake emails taking advantage of strong customer authentication

Scammers are mimicking new security measures designed to keep you safe online, by sending fake emails that attempt to steal your banking credentials and personal data.

Banks, card providers and retailers across the EU are asking customers to provide up-to-date contact information, as part of new checks for online card payments known as strong customer authentication (SCA).

Fraudsters are imitating these messages, aiming to get hold of your details at a time when you may be expecting these requests and so let your guard down.


What is SCA and why do banks need my details?

Tough new rules mean that additional security checks - under the Payment Services Regulations 2017 or PSD2 - will become more common for online shopping and banking within the UK and EU.

You may have already been asked for extra details when shopping on a new website, or with a new card, but over the next few months these checks will become routine for payments over €30 (or the equivalent in pounds).

When you pay with your card online, your bank or card issuer will check your identity using two of three possible methods:

  • Something you own (Possession) such as your mobile phone, which is texted a one-time passcode.
  • Something you know (Knowledge) such as a password or passphrase.
  • Something you are (Inherence) such as a fingerprint, voice pattern or facial recognition.

These are all in addition to your card number, name, expiry date and CVV code.

It's up to each bank and card issuer which methods they use and they will inform you of the details or devices you might need.

How phishing emails are exploiting SCA

Which? has already warned that these checks risk excluding customers without mobile phones or decent signal - see our June news story for more details.

But scams are another concern, and we've seen several early examples of phishing emails that imitate genuine messages from banks.

Below are messages from scammers posing as Santander, Royal Bank of Scotland (RBS) and HSBC.

Each of these scam emails included links to sites that have since been taken down but were set up to capture personal details used to hack into the victim's bank account.

We expect more of these to surface over the next 18 months during the phased implementation of SCA.

Are banks and retailers doing enough to protect you?

Banks and other firms are heavily invested in the fight against fraud, but they could be unwittingly helping fraudsters when they ask customers to click links or confirm sensitive information.

Eight in 10 (78%) Which? members we surveyed think banks and other financial firms should never include links in emails, to make fakes more immediately obvious.

Yet we've seen genuine emails from RBS inviting a customer to download its new open banking app; and from Lloyds telling a user that they'd need to visit the website to register again because their access to online banking had been removed.

This is exactly what phishing emails do to trick you into handing over login details or to infect your computer.

Companies that use several web addresses are adding to customers' confusion. For example, PayPal users have reported receiving emails with links to both epl.paypal-communication.com and paypal-prepaid.com.

These legitimate addresses can look similar to fake ones, such as digim-partners.com/paypal.

When companies don't make it crystal clear what a valid link should look like, they make it that much harder for customers to stay safe.

Tips on spotting a phishing email

Look for the real sender address

One fairly standard technique used by scammers is to put the legitimate brand name or email address as the 'name' that appears beside the email address, as you can see below.

The real sender is shown in brackets here, and has nothing to do with Tesco Bank.

A fake email purporting to be from Tesco Bank.

Check links without clicking on them

To find the real destination of a link, hover your mouse (without clicking) to preview the website it's pointing to. If an email seems important but you're concerned it could be fake, contact the company in question yourself using a trusted method.

You can check links by hovering your mouse cursor
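
For anyone filtering mail automatically, the two checks above (the real sender address, and where a link really points) can be scripted. This is an added example, not part of the original article; the sample header, the HTML and every domain in it are constructed placeholders.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: every address and domain here is a placeholder.
SAMPLE_FROM = '"alerts@examplebank.test" <bounce@mailer.invalid>'
SAMPLE_HTML = '<p><a href="https://login.phish.invalid/sca">https://www.examplebank.test/secure</a></p>'
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def sender_mismatch(from_header):
    """(claimed, real) domains when the display name shows an address on another domain."""
    name, addr = parseaddr(from_header)
    real = addr.rpartition("@")[2].lower()
    shown = EMAIL_RE.search(name)
    if shown and shown.group(1).lower() != real:
        return (shown.group(1).lower(), real)
    return None

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_mismatches(html):
    """(shown, real) hosts for links whose visible text names a different host."""
    parser = _Links()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.match(text)  # only link text that itself looks like a URL
        if shown and shown.group(1).lower() != real:
            found.append((shown.group(1).lower(), real))
    return found

if __name__ == "__main__":
    print(sender_mismatch(SAMPLE_FROM), link_mismatches(SAMPLE_HTML))
```

The comparison is on exact hostnames, so a link shown as `examplebank.test` that points to `www.examplebank.test` would also be flagged; treat a hit as a prompt to look closer, not as proof of fraud.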

Don't assume padlocks prove a site is safe

Never enter sensitive data online without checking for a padlock and https in the address bar - as this tells you that the connection is encrypted - but be warned that fraudulent websites can also use padlocks, such as in the example below.

A green padlock doesn't tell you if a website's ru