SCOTS banks were identified as among those that had not done enough to protect their customers from criminals trying to steal sensitive information.
Edinburgh-based TSB and Tesco Bank were among those that had failed to implement a system that prevents email spoofing attacks, according to a new investigation.
Tesco Bank has since taken action to deal with the issue, while TSB said they were working towards resolving it.
The concerns arose a matter of days after a separate study revealed that many banks are still not prepared to voluntarily publish data to ensure customers are treated fairly and consistently.
The UK’s major banks and building societies were contacted and urged to commit to publishing their reimbursement rates by Friday 28 May, which marked two years since the introduction of a voluntary industry code, signed up to by many banks, that pledges to reimburse losses to scam victims who are not at fault.
However, almost all banks failed to do so - including the Edinburgh-based Tesco Bank, RBS owner NatWest Group and Bank of Scotland owner Lloyds Banking Group.
It comes as the Covid pandemic saw an increase in scams, with consumer groups expecting companies to do everything they can to protect people.
A new investigation from consumer organisation Which? has found that some banks are failing to use all the tools available to them to combat scammers, leaving weaknesses in their security systems that scammers could exploit.
Researchers looked into what protections banks were putting in place to protect their customers from receiving fraudulent emails, SMS messages and phone calls.
Which? says these so-called phishing attacks are "worryingly common", with scammers sending legitimate-looking messages designed to tempt people into divulging sensitive information such as bank account details, usernames or passwords.
Which? said banks should be implementing a system that protects the email domains they own or use - known as ‘domain-based message authentication, reporting and conformance’ (DMARC) - to prevent spoofing attacks. A bank publishes its DMARC policy as a DNS record on each domain, and receiving email providers use it to decide what to do with a message claiming to come from that domain that fails the underlying SPF and DKIM authentication checks. SPF and DKIM on their own let a receiver verify a message; DMARC is what tells the receiver what to do when verification fails.
Which? is now calling for all banks to implement DMARC and configure it correctly, setting their policies to ‘reject’, meaning email providers should refuse any emails that fail these checks. The weaker settings are ‘quarantine’, which sends failing mail to spam, and ‘none’, which only asks for reports and lets failing mail through.
Security experts at technology company 6point6 were asked in April to check whether banks offered DMARC protection, and found that some banks were falling short.
At the time of the investigation, the Bank of Ireland and Agricultural Mortgage Corporation - a wholly owned subsidiary of Lloyds Banking Group - had not yet introduced DMARC.
Which? said that could have allowed scammers to forge the banks' email addresses and send messages that would appear indistinguishable from genuine ones from their bank. Both have since taken action to resolve this.
The investigation also found that TSB, Nationwide and Virgin Money - tsb.co.uk, nationwide.co.uk, and virginmoney.com, respectively - had not set their policies to ‘reject’ all emails that fail DMARC checks. TSB and Virgin Money said that they are working towards this.
Nationwide said it has security features to protect against spoofing and will ‘look at ways to improve email security, including future enhancements to DMARC security.’
The investigation also uncovered that The Co-operative Bank, First Direct, Starling and Tesco Bank had no DMARC system in place for their alternative domains, but did for their primary domains.
Although The Co-operative Bank has protected its ‘co-operativebank.co.uk’ email address, there are no DMARC records for ‘co-operative.co.uk’ and ‘coop.co.uk’ - two domains that are owned by The Co-operative Group, a separate company not associated with the bank - making them vulnerable to scammers who could pose as The Co-operative Bank using alternative email addresses.
Since the investigation, Starling and Tesco Bank have applied DMARC to alternative domains, starlingbank.co.uk and tescobank.co.uk, respectively.
First Direct and The Co-operative Bank said they are reviewing the inclusion of their alternative domains - firstdirect.co.uk and co-operativebank.com - within their existing DMARC policies.
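The check described above (does a domain publish DMARC, and is the policy ‘reject’?) and the alternative-domain findings come down to reading one DNS TXT record per domain. The following is an added example, not the Which? or 6point6 tooling and not any bank's real records: it parses DMARC records for a constructed inventory of hypothetical domains (names ending in .example) and grades each one, so that a primary domain on ‘reject’ does not hide an alternative domain with no record at all. It also covers two weakenings the article does not spell out, a partial pct= and a looser sp= subdomain policy, because a receiver honours those too.

```python
# Added example: grade the DMARC posture of every domain a brand owns.
# Not the original investigation's code; the domains and records are
# constructed for illustration and belong to no real bank.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]            # 'none', 'quarantine', 'reject' or None if unusable
    subdomain_policy: Optional[str]  # effective sp= (defaults to p=)
    pct: int                         # share of failing mail the policy applies to
    verdict: str                     # OK / PARTIAL / WEAK / MONITOR / MISSING / INVALID
    detail: str


def dmarc_query_name(domain: str) -> str:
    """DMARC is published as a TXT record at _dmarc.<domain>."""
    return f"_dmarc.{domain}"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Grade one domain from its DMARC TXT record (None means no record found)."""
    if record is None:
        return DmarcAssessment(domain, None, None, 0, "MISSING",
                               "no DMARC record: receivers get no policy, so spoofed mail is not blocked")
    # The v=DMARC1 tag must come first; receivers ignore records without it or without p=.
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment(domain, None, None, 0, "INVALID", "record does not start with v=DMARC1")
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(domain, None, None, 0, "INVALID", f"missing or unknown policy p={policy!r}")
    sp = tags.get("sp", policy).lower()            # subdomains inherit p= unless sp= is set
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100                                   # receivers treat an unparsable pct as 100
    if policy == "none":
        verdict, detail = "MONITOR", "p=none only requests reports; failing mail is still delivered"
    elif policy == "quarantine":
        verdict, detail = "WEAK", "p=quarantine sends failing mail to spam rather than refusing it"
    elif pct < 100:
        verdict, detail = "PARTIAL", f"p=reject applies to only pct={pct}% of failing mail"
    elif sp != "reject":
        verdict, detail = "PARTIAL", f"p=reject on the domain but subdomains fall back to sp={sp}"
    else:
        verdict, detail = "OK", "p=reject with pct=100 on the domain and its subdomains"
    return DmarcAssessment(domain, policy, sp, pct, verdict, detail)


def assess_inventory(records: Dict[str, Optional[str]]) -> List[DmarcAssessment]:
    """Assess every domain in the inventory: primary, alternative and defensively registered."""
    return [assess(domain, record) for domain, record in records.items()]


# Constructed inventory (hypothetical domains, constructed records).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "bank-online.example": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@bank.example",
    "bank-savings.example": "v=DMARC1; p=quarantine",
    "bank-legacy.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "bank.example.net": None,                       # defensively registered, never configured
    "bank-loans.example": "v=DMARC1; p=reject; sp=none",
}

if __name__ == "__main__":
    for a in assess_inventory(SAMPLE_RECORDS):
        print(f"{a.verdict:8} {dmarc_query_name(a.domain):28} {a.detail}")
```

To run this against a live domain, fetch the TXT record yourself (for example `dig +short TXT _dmarc.<domain>`) and pass the string, or None if the query returns nothing, to `assess`. The inventory is the important part: the article's finding was not that banks lacked DMARC, but that it was missing or not on ‘reject’ for the domains customers would not think to distrust.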
While banks are further ahead than other industries when it comes to implementing DMARC, the consumer organisation said it believes that it is often too hard for customers to tell the difference between a phishing email and genuine communication from banks due to inconsistent practices across the industry.
"This is particularly concerning amid a worrying culture of banks blaming victims for falling for scammers’ tricks, despite their heightened sophistication. This means people often face a lottery to get their money reimbursed under the industry’s voluntary bank transfer scams code," it said.
It said banks should also be clamping down on number spoofing, which involves scammers manipulating caller IDs to mimic the phone numbers of legitimate organisations. To tackle this, Ofcom worked with the banking industry body UK Finance to identify a list of ‘do not originate’ (DNO) numbers - numbers, such as those printed on bank cards for inbound calls, that are never used for outbound calls - so that any call presenting one of them as its caller ID can be blocked by telephone providers.
Jenny Ross, Which? money editor, said: “It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked - so it is crucial that banks take every measure to protect their customers from these devastating scams.
“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”
TSB said: "TSB is currently in the midst of a programme to enhance email security. The programme includes implementation of both DMARC and DKIM (DomainKeys Identified Mail).
"We expect the introduction of DMARC to be completed shortly."
Tesco Bank said: “We understand the importance of protecting our customers from potential scams and spoofing activity. That is why we have applied DMARC to all of Tesco Bank’s active domains. Whilst Tescobank.co.uk is not used by Tesco Bank, we have defensively registered it and DMARC has now been applied to this domain.”
Nationwide said: "Nationwide takes the security of its members' data and money very seriously. Many of our members have opted to receive their communications by email and we have a range of security features such as dedicated email domains, which have SPF & DKIM protocols to protect against spoofing and spammers. However, we are not complacent and we continue to look at ways to improve our email security including future enhancements to DMARC security."
Virgin Money added: “We are aware of our current DMARC record configuration, and are working towards setting the policy to ‘Reject’.”
Agricultural Mortgage Corporation (Lloyds Banking Group) said: “Helping to keep our customers’ money safe is our priority. We have a range of controls in place to protect our customers from fraudsters and take an active role in helping to prevent people from becoming victims. For example, in the last 12 months alone, we have removed over 33,000 phishing sites which could have resulted in people losing money to scams.”
Bank of Ireland added: "We can confirm that we do not send emails from either bankofireland.com or bankofirelanduk.com. We have comprehensive processes in place to detect, report and block malicious domains targeting our customers and are currently taking action to introduce further technical anti-spoofing protection."