Some banks could be doing more to protect their customers from spoof communications which try to steal their personal information, according to Which?
The consumer group said not all banks are using the full technology available to them, potentially leaving security system weaknesses that scammers could exploit.
Phishing scams may spoof banks’ genuine email addresses or domains to trick people into divulging sensitive information, such as bank account details, usernames or passwords.
Which? said banks should be implementing a system that protects the email domains they own or use, known as Domain-based Message Authentication, Reporting and Conformance (DMARC), to prevent spoofing attacks.
Banks can use DMARC to tell email providers how to handle messages that use their domains without authorisation.
DMARC is usually rolled out in stages: an initial monitoring phase (policy "none"), in which messages failing the checks are still delivered but reported back to the domain owner; a quarantine phase (policy "quarantine"), in which receivers move failing messages to spam; and finally a reject policy (policy "reject"), in which receivers block messages that fail the checks outright.
But Which? said when it asked security experts at technology company 6point6 in April to check whether banks offered this protection, some banks were falling short.
Some had not introduced DMARC at the time of the investigation, although they had since taken action to resolve this, and some had not yet set their policies to reject all emails failing DMARC checks.
And some banks had DMARC in place for their primary domains but not for other domains owned by their group, potentially leaving them open to scammers posing as them from email addresses on those other domains.
Since the investigation, some banks had applied DMARC to alternative domains, or were reviewing their inclusion, Which? said.
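The staged rollout described above (monitor, quarantine, reject) and the gap on group-owned domains can both be checked from a domain's published DMARC record. The following is an added example, not code from Which? or 6point6: it parses the TXT record a resolver would return at `_dmarc.<domain>` and classifies how much protection it actually gives, including the tags that quietly weaken a headline policy (`pct=` below 100, a weaker `sp=` for subdomains, no `rua=` reporting address). The DNS answers and domain names are constructed placeholders, not real bank records.

```python
"""Classify DMARC policies from _dmarc TXT records.

Added example; not code from the Which?/6point6 investigation. The DNS map
below is constructed sample data, and the domain names are placeholders.
"""

VALID_POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

# Constructed stand-in for TXT lookups at _dmarc.<domain>.
SAMPLE_DNS = {
    "_dmarc.bank-primary.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-primary.example"],
    "_dmarc.bank-monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@bank-monitoring.example"],
    "_dmarc.bank-partial.example": ["v=DMARC1; p=quarantine; pct=10; sp=none"],
    "_dmarc.bank-group-brand.example": [],  # group-owned domain with no record at all
    "_dmarc.bank-broken.example": ["v=DMARC1; rua=mailto:x@bank-broken.example"],  # no p= tag
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict. Returns None unless v=DMARC1 is the first tag."""
    parts = [p.strip() for p in txt.split(";")]
    if not parts or parts[0].lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records):
    """Classify a domain's DMARC record(s).

    Returns (status, notes): status is one of missing / invalid / monitor /
    quarantine / reject, and notes lists anything that weakens that status.
    """
    candidates = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return "missing", ["no DMARC record: receivers apply no policy to spoofed mail"]
    if len(candidates) > 1:
        return "invalid", ["multiple DMARC records: receivers discard all of them"]
    tags = parse_dmarc(candidates[0]) or {}
    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:
        return "invalid", ["missing or unknown p= tag: receivers ignore the record"]

    notes = []
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p when absent
    if sp in VALID_POLICIES and VALID_POLICIES.index(sp) < VALID_POLICIES.index(p):
        notes.append(f"sp={sp}: subdomains get a weaker policy than the organisational domain")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if p != "none" and pct < 100:
        notes.append(f"pct={pct}: {p} is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua= tag: no aggregate reports, so misconfigured senders go unnoticed")

    status = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}[p]
    return status, notes


def audit(domains, dns):
    """Assess every domain in a group, so gaps on secondary domains show up beside the primary."""
    return {d: assess(dns.get(f"_dmarc.{d}", [])) for d in domains}


if __name__ == "__main__":
    group = [d.removeprefix("_dmarc.") for d in SAMPLE_DNS]
    for domain, (status, notes) in audit(group, SAMPLE_DNS).items():
        print(f"{domain:28} {status:10} {'; '.join(notes)}")
```

To run this against live DNS, replace `SAMPLE_DNS.get(...)` with a TXT query for `_dmarc.<domain>` from any resolver library. Two caveats worth keeping in mind when reading the output: a reject policy is only enforced by the receiving email provider, so it protects recipients whose providers honour DMARC, and it covers only the exact domains a bank publishes records for, not lookalike domains or spoofed SMS sender IDs.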
The consumer group said that while banks are further ahead than other industries when it comes to implementing DMARC, it is often too hard for customers to tell the difference between a phishing email and genuine communication from banks due to inconsistencies across the industry.
It said this is particularly concerning when banks blame scam victims for falling for cons, despite their heightened sophistication.
Which? said people often face a lottery to get their money reimbursed under the industry’s voluntary bank transfer scams code.
The consumer group wants all banks to implement DMARC and set their policies to reject, meaning email providers should block any emails failing checks.
Which? also believes that if banks stopped putting web links or phone numbers in their text messages, whose sender details are easy to spoof, consumers could spot scams more easily.
Jenny Ross, Which? Money editor, said: “It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked – so it is crucial that banks take every measure to protect their customers from these devastating scams.
“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”
Katy Worobec, managing director of economic crime at trade association UK Finance, said: “The banking industry is focused on tackling fraud on all fronts and preventing the devastating impact it can have on victims and society.
“It’s vital that every sector plays its part to protect the public and stop criminals being able to take advantage of technology. We continue to work with the telecoms industry and Ofcom to stamp out the threat.
“Criminals are experts at impersonating a wide range of trusted organisations and websites, not just the financial industry.
“It’s important that customers remain vigilant to these scams and follow the advice of the Take Five to Stop Fraud campaign: always stop and think before parting with your money or information and avoid clicking on links in emails or text messages in case it’s a scam.”