Some UK banks are failing to use all the tools available to combat scammers, says the consumer campaign group Which?, leaving weaknesses in their security systems that scammers could exploit. It examined the protections banks have put in place to stop their customers receiving fraudulent emails, SMS messages and phone calls.
In so-called phishing attacks scammers send legitimate-looking messages that are designed to tempt people into divulging sensitive information, such as bank account details, usernames or passwords. Phishing scams may try to imitate (or ‘spoof’) banks’ genuine email addresses or domains, sometimes by making slight changes – for instance, by changing ‘.co.uk’ to ‘.com’.
Banks should be implementing a system that protects the email domains they own or use – known as ‘domain-based message authentication, reporting and conformance’ (DMARC) – to prevent spoofing attacks. Banks can use DMARC to tell email providers how to handle mail that makes unauthorised use of their domains.
Jenny Ross, Which? Money Editor, said: “It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked – so it is crucial that banks take every measure to protect their customers from these devastating scams.
“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”
Which? is calling for all banks to implement DMARC and configure it correctly, setting their policies to ‘reject’, meaning email providers should block any emails that fail these checks.
Banks should also be clamping down on number spoofing, which involves scammers manipulating caller IDs to mimic the phone numbers of legitimate organisations. To tackle this, the telecoms regulator Ofcom worked with the banking trade body UK Finance to identify a list of ‘do not originate’ (DNO) numbers – numbers that are never used for outbound calls.
Separately, Which? complains that banks are not prepared to voluntarily publish data about how much money victims of bank transfer scams are being reimbursed.
Mimecast’s Head of E-crime, Carl Wearn, says: “Cybercriminals continue to exploit the public’s fear and uncertainty during this time. Cybercriminals will often try to imitate banks’ genuine email addresses or domains, sometimes by making slight changes – for instance, by changing ‘.co.uk’ to ‘.com’. Unfortunately, these scams work, and recent Mimecast research found that 40% of the UK public don’t hesitate to click on links in emails from their favourite brands/companies.
“These scams are also becoming more frequent, with Mimecast’s recent State of Brand Reputation report finding that the number of brand impersonation emails rose 44pc in 2020 over 2019, to an average of nearly 27 million a month. To combat this, services that provide monitoring to identify brand impersonation, including the Domain-based Message Authentication, Reporting and Conformance (DMARC) email protocol, as well as technologies that enable companies to scan, spot and remove fake websites impersonating their brand, are a must for online safety and to preserve customer trust and reputation.
“It is important that customers are having a thorough read through emails from their banks and favourite brands to ensure authenticity. If they’re concerned about whether an email such as this is legitimate, they should check with the bank directly or look on the official website.”