Some banks could do more to protect customers from phishing scams, says Which?
Some banks could do more to protect their customers from fraudulent communications that attempt to steal their personal information, according to Which?
The consumer group said not all banks use all the technology at their disposal, potentially leaving weaknesses in the security system that crooks could exploit.
Phishing scams can spoof real email addresses or domains of banks to trick people into disclosing sensitive information, such as bank details, usernames, or passwords.
Which? said banks should implement a system that protects the web domains they own or use, known as Domain-based Message Authentication, Reporting and Conformance (DMARC), to prevent email spoofing attacks.
Banks can use DMARC to instruct email providers on how to handle unauthorized use of their domains.
The process of introducing DMARC is often incremental: an initial monitoring phase (a "p=none" policy, in which failing mail is only reported), followed by a quarantine phase that shifts emails to spam if they fail checks, and then, ultimately, a reject policy that blocks emails that fail checks outright.
But Which? said that when it asked security experts at tech company 6point6 in April to check whether banks offer this protection, some banks were falling short.
Some had not introduced DMARC at the time of the investigation, although they had since taken steps to address this issue, and some had not yet set their policies to reject all emails failing DMARC checks.
And some banks had a DMARC policy in place for their primary domains, but not for other domains belonging to their group, making them potentially vulnerable to crooks who could impersonate them using email addresses on those alternative domains.
Since the investigation, some banks had applied DMARC to alternative domains, or were in the process of reviewing their inclusion, Which? said.
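The staged policies described above (monitor, quarantine, reject) and the gap of a group domain with no record at all are what an auditor actually checks when assessing a bank's DMARC posture. The following is an added example, not code from Which? or 6point6: it parses DMARC TXT records and grades each domain, flagging the cases that look protected but are not (a quarantine rather than reject policy, a "pct" sampling value below 100, or an "sp" tag that leaves subdomains uncovered). The domain names and records are constructed for illustration and are not real bank records; in practice the record comes from a DNS TXT query for `_dmarc.<domain>`.

```python
# Constructed sample DNS answers (hypothetical domains, not real bank records).
# Each value is the TXT record published at _dmarc.<domain>; None means no record.
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "bank-group.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "cards.example": "v=DMARC1; p=quarantine; pct=50",
    "legacy.example": None,
    "savings.example": "v=DMARC1; p=reject; sp=none",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None when no record exists or the record is not a DMARC1 record
    (for example an SPF record that was published at the wrong name).
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(record):
    """Grade one record. Returns (status, reason) with status one of
    'missing', 'monitor', 'partial' or 'enforced'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", "no valid DMARC record published"

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 s6.6.3: an absent or invalid p= tag is treated as p=none
        # when a rua= reporting address is present, otherwise the record is ignored.
        if tags.get("rua"):
            return "monitor", "p= missing or invalid; receivers treat the record as p=none"
        return "missing", "p= missing or invalid and no rua=; receivers ignore the record"

    if policy == "none":
        return "monitor", "p=none: failing mail is only reported, not blocked"

    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    # Subdomain policy defaults to the organisational policy when sp= is absent.
    subdomain_policy = tags.get("sp", policy).lower()

    problems = []
    if policy == "quarantine":
        problems.append("p=quarantine sends failing mail to spam instead of rejecting it")
    if pct < 100:
        problems.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if subdomain_policy != "reject":
        problems.append(f"sp={subdomain_policy}: subdomains are not covered by the reject policy")
    if problems:
        return "partial", "; ".join(problems)
    return "enforced", "p=reject applies to all failing mail and to subdomains"


def audit(records):
    """Map every domain in the group to its status so gaps across the group stand out."""
    return {domain: assess(record)[0] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        status, reason = assess(record)
        print(f"{domain:22} {status:9} {reason}")
```

Only the first domain in the sample set is fully enforced; the others show the failure modes the investigation describes (monitoring only, partial enforcement, or no record at all on a secondary group domain). Running the check over every domain a bank group owns, not just the primary one, is the point.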
The consumer group said that although banks are more advanced than other industries when it comes to implementing DMARC, inconsistencies across the industry often make it too difficult for customers to tell the difference between a phishing email and a genuine communication from their bank.
It said this is of particular concern when banks blame scam victims for falling for the trap, despite the increasing sophistication of the scams.
Which? said people often face a lottery in getting their money back under the industry's voluntary code on bank transfer scams.
The consumer group wants all banks to implement DMARC and set their reject policies, which means email providers should block all emails that fail checks.
Which? also believes that if banks did not include web links or phone numbers in their texts, which are easily spoofed, consumers could spot scams more easily.
Jenny Ross, Which? Money editor, said: "It has never been more difficult for people to know if they are receiving genuine communications from their bank or if they are being cheated. It is therefore crucial that banks take all measures to protect their customers from these devastating scams.
"This includes properly implementing protections against email scams and no longer putting phone numbers and links in messages, to ensure that customers feel safe and can bank with confidence."
Katy Worobec, managing director for economic crime at the banking trade association UK Finance, said: "The banking industry is focused on tackling fraud on all fronts and preventing the devastating impact it can have on victims and society.
“It is vital that each sector plays its part to protect the public and prevent criminals from taking advantage of technology. We continue to work with the telecommunications industry and Ofcom to eradicate the threat.
"Criminals are experts at impersonating a wide variety of trusted organisations and websites, not just the financial industry.
"It is important that customers remain vigilant against these scams and follow the advice of the Take Five to Stop Fraud campaign: always stop and think before parting with your money or information, and avoid clicking on links in emails or texts in case it is a scam."