
Can you tell if an email is genuinely from your bank?

One sign you're not risking banking scams - a padlock by the site's address bar

To help prevent fraudsters tricking people into giving away their details in banking scams, the British Bankers’ Association has pledged that banks will never send emails linking to pages that ask for login details.

For some time fraudsters have been sending ‘phishing’ emails to online banking customers. They’re designed to look like official messages, often with an urgent request to make contact.

The emails include a link to a genuine-looking page which invites the victim to enter online banking login details or other sensitive information. The fake page sends the information back to the con artist, who can then use it to steal funds or commit identity theft.

Links to log in to online banking

As the fraudsters become savvier, the most sophisticated of these banking emails can be difficult to tell apart from real ones.

To help prevent fraudsters tricking people into giving away their online banking details, the British Bankers’ Association (BBA) recently launched a publicity campaign (featured in a guest post on our site too) to remind us that banks will never send emails linking to pages that ask for login details.

I was glad to see the BBA’s advice, but disappointed to find a number of major banks were muddying the waters. We’ve seen genuine emails from Barclays, HSBC, Metro Bank and NatWest which appear to undermine the BBA’s advice. These invite customers to log in to online banking and include a link to their website.

Even following a link from an email to a bank’s homepage, and then through to online banking, can be risky. Fraudsters can easily send emails that appear genuine but lead to a banking-scam website.

Banking scams: is that email legitimate?

After a previous Conversation on the subject, Em told us of her strategy for making sure emails from her bank are legitimate:

‘If I have any doubt about the authenticity of an email, I right-click and select ‘View source’. If you know what to look for, you can check the real URLs behind the clickable links and other tell-tale signs of a fake.’

If you’re a techie sort, this is an option. But it shouldn’t be this hard to spot banking scams – and some banks aren’t helping.
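Em’s ‘View source’ check can be automated. The script below is an added example, not code from the original Which? post or from any bank: it reads the real destination behind every link in an HTML email and flags any link whose host is not under the bank’s genuine domain, plus any plain-http link to the bank. The sample message and the domain examplebank.co.uk are constructed placeholders.

```python
# Added example (not part of the original post). It does by machine what
# "View source" does by hand: read the real href behind each clickable link
# in an HTML email and compare its host with the bank's genuine domain.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' for mailto:, javascript: and the like."""
    return (urlparse(url).hostname or "").lower()


def is_subdomain_of(host, domain):
    """True only for the domain itself or a label ending in '.domain'.
    'examplebank.co.uk.evil.example' is NOT under 'examplebank.co.uk'."""
    return host == domain or host.endswith("." + domain)


def check_links(html_body, bank_domain):
    """Return a list of (href, reason) for links a customer should not follow."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not is_subdomain_of(target, bank_domain):
            shown = target or "a non-http target"
            findings.append((href, f"'{text}' really points at {shown}, not {bank_domain}"))
        elif urlparse(href).scheme != "https":
            findings.append((href, "link to the bank is not https"))
    return findings


# Constructed sample: one look-alike host, one genuine link, one plain-http link.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer,</p>
<p>Please <a href="https://login.examplebank.co.uk.verify-account.example.net/">log in</a>
to confirm your details.</p>
<p>Visit <a href="https://www.examplebank.co.uk/help">www.examplebank.co.uk/help</a> for help.</p>
<p><a href="http://www.examplebank.co.uk/login">Online banking</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "examplebank.co.uk"):
        print(f"SUSPICIOUS: {href}\n    {reason}")
```

The first sample link is the classic trick: the bank’s name appears at the start of the hostname, but the registered domain is `example.net`. A suffix check on the hostname, not a substring search for the bank’s name, is what catches it.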

To ensure you don’t get conned into visiting a phishing site, our advice is to only access online banking by typing the website address directly into your browser, or by using a bookmark you created yourself.

When we raised our concerns NatWest said it was ‘actively reviewing’ its approach. Metro Bank has removed links to its website from emails. HSBC and Barclays said they only included links to their homepage or marketing pages. But we don’t think this really addresses the issue.

Longer term, it would be great to see banks and email providers working together on tech fixes to make email more secure. Gmail is testing a feature which displays an icon next to emails that are genuine. But this needs to be widely adopted and understood if it is to make life harder for fraudsters – and easier for us.

What safeguards do you take when banking online? Have you received genuine emails from your bank that have caused you concern?


My current account provider is a mutual building society [the Nationwide] and I think it has a better approach to customer confidence than the retail banks. For some years now it has always included my full postcode in any e-mail as a security precaution together with the advice that they will never ask for any security details on-line; this message is repeated on every e-mail and on appropriate pages within their on-line banking site. I always look for the security features when I open an e-mail and I never follow a link on a financial website.

I have in the past taken issue with certain banks over their casual use of the English language and grammar. It is a vain attempt to seek popular appeal. Unfortunately, it also plays into the hands of fraudsters who, in most cases, commit errors of spelling, punctuation, and syntax. The banks should not pretend to be cool by writing “we’ll” and “they’re” and having catchy headlines like “want a better loan rate?”. High street banks traditionally had stone on the outside and the full mahogany on the inside. I want the on-line equivalent in tone, authority and a sense of responsibility with their communications. And I want to be addressed directly with a unique identifier as the Nationwide does, not with something little better than the ‘valued customer’ moniker used by the scammers.

NW concerned member says:
6 December 2014

Your comment about the Nationwide (NW) approach to security is very worrying. It is precisely why I raised with NW their approach when their security broke down during the last members’ online AGM voting. At the same time, and as part of several exchanges when it took a while for them to escalate to someone who understood the issue, I asked, sorry, no, I instructed them, to stop assuming that use of a publicly available piece of information such as a postcode provides the recipient with assurance in an email about the sender’s bona fides. It does not and should not be used. Indeed it should immediately raise concerns for the recipient about who has sent the communication – it does for me.
I did suggest, as you outline in your last sentence, that they use an identifier but one that is set by the account holder and only known by them and NW. They noted my recommendation for consideration for inclusion in a future systems upgrade but they have so far not even ceased that insecure and very misleading practice as an interim measure.
I think safest is to keep any message very simple with no links. Eg. just direct an account holder to a secure online messaging service. Several of my financial service providers do that – Government ones in particular. A bit inconvenient at times but a safer tactic.


I agree with you. It was good at the time but things have moved from bad to worse since Nationwide introduced their use of a postcode identifier and it is time they upgraded their security procedures to address the current level and sophistication of fraudulent activity. I have to say, however, that nothing they have ever sent me by e-mail has been necessary or confidential; the risk is that they normally contain links to the Nationwide website from where it is possible to access internet banking. It would be better if they stopped using links and advised customers to go into the website from scratch by typing the website address into their browser. Organisations appear to have a fear that unless they provide direct links they will lose traffic. I think the prevention of fraud and the gain in security should outweigh those concerns.


I have received two emails from Nationwide to tell me my credit card statement is ready. The first is just text and contains my name and postcode. Although these pieces of personal information are publicly available, the chances are it is legit as most phishing emails are general and sent randomly. It also contains no links to any website. The second one, which came the same day, is more worrying as it is full of fancy graphics and contains a link to the Nationwide online banking website. It also contains my name, post code and the last 4 digits of my card number, so I am sure it came from Nationwide. I notice that the second tip in Nationwide’s top 10 security tips is to never log in from an email link so I don’t know why they are now sending out such emails.


This is a very good point. Banks should never send emails with convenience links in them. Customers need educating to log in from the web address.

Wherever possible, banks should only communicate with customers through secure web forms. The only synchronous communication (telephone or SMS text) should be to alert the customer to log in properly and look at the secure communication on the web site.

The chances are that nearly all Internet-illiterate customers will live near a branch, at least at the moment. But as more branches close, alternative methods of “in person” communication need to be developed. A local library or post office where the person can be physically recognised (rather than just by pieces of paper) is a possible solution.

Another worrying trend is people who use a mobile telephone as their only method of Internet access. They probably have got one because they think of it as a telephone not a computer, which gets past their computerphobia. However it is more easily lost or stolen.


I’m a consultant who works in a number of investment banks. The banks often send phishing e-mails from outside the bank to their employees’ work e-mail addresses to test how many employees will fall for phishing scams. These are not phishing e-mails for online banking logins but for other types of sensitive data. No employee ever gets into trouble for falling for it and it’s more for statistical analysis.

Perhaps the retail banks should try a similar test on their customers. They could send phishing e-mails, including deliberate tell-tale spelling mistakes etc, asking their customers to log into a dodgy third party web site that is actually operated secretly and safely by the bank. Customers who fall for it can then be warned by the bank that they are at risk from phishing.


I have never seen a phishing email that looked convincing, though some are better than others. It’s quite instructive to study them and look for clues that they are fake, and to check email headers. Even with emails I am convinced are genuine, I look up websites rather than click links.

Rather amusingly, today’s dodgy email was from Satander. 🙂


Just checked my latest newsletter from First Direct entitled “Be wise this Christmas”.

Interestingly this is in the headers:
X-KASFlt-Status: {FROM: real name looks suspicious}

I don’t doubt this is a genuine email but even so, I never click on a link in anything that looks financial.

MikeG says:
6 December 2014

Several times I have been rung by Barclaycard Fraud Dept to query a payment. While I am grateful to them for being vigilant, I am concerned about the manner of contact. An automated message asks me to press 1 on the telephone keypad to be put through to a person. But how am I supposed to know this is not a scam? I think asking people to respond to telephone calls like this is irresponsible, and they should change this practice. I will only contact them through a telephone number published in their literature.


What’s even worse is being contacted by a bank with a request to call them urgently, phone them up to find out the reason, and then not be able to answer their security questions (I almost never contact my banks by phone). Nationwide did this to me, and then blocked access to my accounts as a result – remember, they asked me to ring them, they didn’t say why, and I was unprepared for the third degree. What was unforgivable was that the original call was from their marketing department! So not only did I waste my own time calling them so they could try to sell me something I neither asked for nor needed, I ended up considerably inconvenienced. Needless to say, I no longer bank with them.

As for phishing emails, I always check the sender’s email address and the URL, and I never click through on anything financially related or anything I don’t recognise. I agree that it is good practice for senders to include something in their emails that is personal to you. Also, Santander include an image and phrase on their login screens chosen by the customer.

Some phishing emails are laughable, for example, the recent spate purporting to come from courier companies, but I had one the other day that was particularly good. It dressed itself up as the “someone tried to login to your Apple account” warning, but gave itself away with poor spelling (Itunnes!!) and of course the URL it was asking you to follow was completely bizarre and in Hong Kong.

One further thing you can do to avoid the risk of inadvertently triggering any malware in any attachments (besides reading your email on a Linux machine rather than a Windows one) is use “print preview” or its equivalent to look at the contents in a passive way. It won’t show the bogus URLs but you can quickly tell if your next action should be to hit the delete button.

Actually, before deleting fraudulent emails, I routinely report them to the Action Fraud website. It may not do much to prevent people sending them out in the first place, but it feels better than doing nothing. In fact, I do this so often that it seems like I’ve been single-handedly responsible for a recent report based on Action Fraud’s statistics that highlighted my local area as a hot-spot for email fraud!


I can’t say that I have read anything more appalling than the way this customer was treated by Nationwide. I think the staff responsible should all be sacked without references for bringing the firm into disrepute, but I doubt that it will ever happen.

I agree with a Which? reader who recommended that if anyone phones from a bank, you tell them that if they have anything important to say, they should communicate through the bank’s secure web site, and then put the phone down.

The Action Fraud’s web site says that you have to use their form to report suspicious emails and it will take half an hour to fill in.
It used to be possible to just forward the suspicious email to them, but as whoever runs it (or probably their legal department) doesn’t care a **** about other people’s time, they now require this rigmarole. Unfortunately most suspicious emails probably don’t get reported as a result of this.

Mary Sabine says:
6 December 2014

I would assume that this was a scam.