A consumer rights group is calling on all high street banks to improve their anti-phishing capabilities after spotting that a key protocol is sometimes not configured to offer maximum protection.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a tried-and-tested way for brands to help receiving mail servers block phishing emails that spoof their domains.
A DMARC record tells receivers that mail carrying the brand's domain in the From: address must pass an aligned SPF or DKIM check, and what to do with mail that fails. The policy tag decides the outcome: p=none only monitors, p=quarantine sends failing messages to the spam folder, and only p=reject instructs receivers to refuse them, so a record must be set to p=reject to keep spoofed emails out of customer inboxes altogether. It stops exact-domain spoofing only; a phisher who registers a lookalike domain is not covered.
At the time of the study, it found that Bank of Ireland and Lloyds Bank-owned Agricultural Mortgage Corporation had not introduced DMARC at all, although both have since taken action.
It also found that Nationwide, TSB and Virgin Money had not set DMARC to p=reject, although the latter two claimed they were planning to do so.
The Co-operative Bank, First Direct, Starling and Tesco Bank had DMARC in place for their primary domains but not for their alternative domains, which phishers could spoof in the same way because receivers have no policy to apply to them.
Starling and Tesco Bank have now taken action to close this security loophole, Which? claimed.
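The findings above come down to three questions per domain: is there a DMARC record at all, is its policy p=reject, and does the policy also cover the rest of the domain's mail (subdomains, and the pct= sampling rate)? The following Python is an added example written for this article, not code from Which?, Proofpoint or any bank; it parses raw _dmarc TXT records and flags every domain that falls short of full protection. The domain names and records are constructed sample data standing in for a bank's primary and alternative domains; in practice the record is fetched with `dig +short TXT _dmarc.<domain>`.

```python
"""Classify DMARC policy strength from raw _dmarc TXT records (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# DMARC dispositions, weakest to strongest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    domain: str
    status: str                 # "missing", "invalid", "none", "quarantine" or "reject"
    pct: int = 0                # share of failing mail the policy is applied to
    subdomain_policy: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Turn one domain's TXT record (or its absence) into an assessment."""
    if record is None:
        return DmarcAssessment(domain, "missing",
                               findings=["no _dmarc TXT record: receivers apply no policy"])
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in POLICY_RANK:
        return DmarcAssessment(domain, "invalid",
                               findings=["not a valid DMARC1 record (needs v=DMARC1 and a known p=)"])
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return DmarcAssessment(domain, "invalid", findings=["pct= is not an integer"])
    # sp= defaults to the organisational policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    findings = []
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered, only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail reaches the spam folder, not blocked")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains get a weaker policy than the domain itself")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, spoofing goes unseen")
    return DmarcAssessment(domain, policy, pct, sub_policy, findings)


def is_fully_protected(assessment: DmarcAssessment) -> bool:
    """Full protection means p=reject on 100% of mail, subdomains included."""
    return (assessment.status == "reject" and assessment.pct == 100
            and assessment.subdomain_policy == "reject")


def weak_domains(records: Dict[str, Optional[str]]) -> List[str]:
    """Domains, in input order, whose DMARC stops short of full protection."""
    return [d for d, r in records.items() if not is_fully_protected(assess_dmarc(d, r))]


# Constructed sample records for a hypothetical bank's domains (not real DNS data).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "bank-primary.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-primary.example",
    "bank-alt.example": None,                                    # alternative domain, no record
    "bank-monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-monitor.example",
    "bank-partial.example": "v=DMARC1; p=reject; pct=50; sp=none",
    "bank-quarantine.example": "v=DMARC1; p=quarantine",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RECORDS.items():
        result = assess_dmarc(name, raw)
        verdict = "OK" if is_fully_protected(result) else "WEAK"
        print(f"{verdict:4} {name}: {result.status}; " + "; ".join(result.findings))
```

Running the block lists only `bank-primary.example` as fully protected; the alternative domain with no record is reported as weak exactly as the study did for the banks' secondary domains, and `bank-partial.example` shows why "we have p=reject" is not the whole story when pct= or sp= water it down.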
“It has never been harder for people to know whether they’re receiving genuine communications from their bank, or being tricked — so it is crucial that banks take every measure to protect their customers from these devastating scams,” said Which? Money editor, Jenny Ross.
“These include implementing email scam protections properly and no longer putting phone numbers and links in messages, to ensure customers feel safe and can bank with confidence.”
On the plus side, most UK banks have signed up to a "do not originate" (DNO) number scheme, a list of inbound-only numbers that telecoms providers block when they appear as the caller ID on an outbound call. The scheme is designed to clamp down on number spoofing, which scammers often use in vishing (phone-based phishing) attacks, Which? said.
Last year, a Proofpoint report found that only 13 out of the 64 accredited financial institutions it studied had implemented the strongest DMARC policy.