New research has suggested many UK banks could be leaving their customers vulnerable to scammers because of gaps in their security.
Bank security is obviously a huge issue: barely a day goes by at the moment without new warnings being raised over a banking scam that has left some poor victim severely out of pocket.
Analysis of figures from UK Finance found that more than £700,000 is lost to bank transfer scams every single day, an eye-watering sum, with some victims losing 10s of thousands of pounds.
So it’s particularly galling that it appears many banks and building societies, who have already been accused of adopting a victim-blaming approach on scams, may not be doing enough to protect us from scammers in the first place.
Banks not protecting us against scam emails
A new investigation by the consumer champions at Which? has found that a host of banks are failing to utilise the tools at their disposal to keep the scammers at bay.
And as a result, their customers ‒ that’s you and me ‒ are left potentially exposed to the tricks and schemes that can separate us from our hard-earned cash.
Which? dug into the safety nets established by banks to guard against phishing scams that are sent out through email, text message or phone calls, where the scammers essentially pose as the bank.
Which? argued that banks should be making use of the ‘domain-based message authentication, reporting and conformance (DMARC) scheme, which helps protect the web addresses they own and use from spoofing attacks.
This scheme can be used by banks to ensure that email providers like Gmail and Hotmail know how to handle the unauthorised use of their domains.
Unfortunately, it appears that too few banks are making use of the full gamut of options offered by DMARC.
Which banks are secure?
In its investigation, alongside tech security experts 6point6, banks were quizzed on whether they offer this protection.
Some, like Bank of Ireland, haven’t introduced DMARC at all. Others have only started doing so to a limited degree, like Nationwide, TSB and Virgin Money.
The Which? study found that some banks aren’t making use of the DMARC system for alternative domains, even if they are for their primary websites.
For example, Co-operative Bank has protected its co-operativebank.co.uk email address, but there are no records for variations like co-operative.co.uk and coop.co.uk.
While these are owned by the Co-operative Group, and not actually associated with the bank, this means that the domains could be vulnerable to scammers posing as the Co-operative Bank using alternative email addresses.
This was an issue also flagged up for Tesco Bank, Starling Bank and first direct, with Starling and Tesco now applying DMARC to those alternative domains.
Co-operative Bank and first direct have said they are reviewing their policies.
Fancy joining first direct? See what it offers here
Article continues below
Banks not protecting against phone scams
Which? also argued that banks aren’t doing enough to clamp down on number spoofing, where scammers are able to mimic the phone numbers of legitimate organisations, a move that adds credibility to their spurious claims.
Ofcom, the communications regulator, has started a list of ‘do not originate’ numbers ‒ numbers which are never used for outbound calls ‒ with UK Finance, the banking industry trade body, as a means of tackling this practice.
While many banks and building societies have signed up to the scheme, neither Co-operative Bank nor Nationwide have as yet, though they told Which? they planned to join.
Along similar lines, Which? argued that banks can do more to protect against spoofing by signing up to schemes that make it harder for scammers to use phoney SMS headers ‒ the name or number a text message appears to be from ‒ to pose as those financial firms.
Banks need to improve security
The reality is that fraudsters have raised their game, and adopted more sophisticated techniques in their plots. And those techniques are clearly working, given so many people are falling victim to them.
So we need our financial firms to do the same, to take a more proactive approach to the defences they have in place to ensure that it’s not up to customers to serve as detectives, having to follow the clues to work out if some form of correspondence is legitimate or not.
Saying that you have your own protocols or security systems in place to tackle the scam issue simply isn’t going to cut it.
A consistent, industry-wide approach is needed, with banks taking advantage of every possible measure to give further lines of defence against the scammers.
Ultimately, we pay the price for any holes in their defences.